A new report from cybersecurity experts at FireEye claims a North Korea-led cyber campaign has swindled banks of hundreds of millions of dollars since 2014, and continues to operate as an “active and dangerous” entity.
Analysts estimate the group has attempted to steal more than $1.1 billion.
According to Wednesday (Oct. 3) reports in the Associated Press, FireEye’s report outlines the North Korean hacking group called APT38, finding it responsible for bank hacks across 11 countries. The group is still operating, and according to FireEye, is a “large, prolific operation with extensive resources” that remains “an active global threat.”
APT38 reportedly deploys malware to submit fraudulent transactions into the SWIFT network to initiate a funds transfer. Money is then transferred to bank accounts and laundered, with APT38 deleting any evidence.
“APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations,” FireEye’s report, “APT38: Details on New North Korean Regime-Backed Threat Group,” stated, according to separate reports in Fortune, also published Wednesday.
While the scope and severity of the alleged cybercrime ring may raise eyebrows, it is not a surprise to cybersecurity experts that the group stems from North Korea.
“The reality is they are starved for cash and are continuing to try and generate revenue, at least until sanctions are diminished,” said CrowdStrike Vice President of Intelligence Adam Meyers in an interview with the AP, referring to the sanctions imposed on North Korea by the U.S. and other jurisdictions in response to the country’s nuclear weapons development programs.
Separate analysis from CrowdStrike has been tracing ongoing cyberattack campaigns based in North Korea in recent months. The nation is accused of being behind 2017 cyberattacks on cryptocurrency exchanges, according to South Korea’s National Intelligence Service. North Korean hackers were also blamed for leaking personal account information on users of the cryptocurrency exchange Bithumb.
In a separate report, the Foundation for Defense of Democracies, a Washington, D.C. think tank, similarly highlighted the cybersecurity threat posed by North Korea.
“The heavily sanctioned and cash-strapped North also uses cyberattacks to generate illicit funds from ransom payments, cryptocurrency exchange hacks and fraudulent inter-bank transfer orders,” the report stated, according to CNN reports.
North Korea has denied involvement in past cyberattacks, the AP reported.
SWIFT Back in the Spotlight
FireEye’s report refocuses the cybersecurity spotlight back on banks and the seemingly never-ending race to stay one step ahead of cyberattackers. Only days ago, a report from The Wall Street Journal found an increase in attempted cyberattacks on large U.S. banks in recent weeks.
The report also highlights cybercriminals’ use of the SWIFT messaging system to commit fraud.
As the Associated Press reported, FireEye’s analysis suggests APT38 was behind the $81 million heist targeting Bangladesh’s central bank in 2016. The U.S. Department of Justice (DOJ) released a criminal complaint last month outlining how the attack occurred: Attackers sent phishing emails to bank employees to gain access to bank systems. Doing so allowed them to send SWIFT messages to initiate payments.
The scheme marked the “largest successful cybertheft from a financial institution to date,” according to the DOJ’s complaint.
In a separate incident earlier this year, India’s Punjab National Bank became the target of a $2 billion bank fraud scheme. The perpetrators again used the bank’s SWIFT messaging system to commit the crime, according to India’s Central Bureau of Investigation.
Though SWIFT has emerged as a common denominator across many recent bank heists and cyberattacks, experts and officials say it is the banks’ responsibility to safeguard their own systems. Following the PNB heist, for instance, India’s central bank required bank executives to implement straight-through processing between core banking systems and their SWIFT messaging, with additional recommendations for alerts on breaches of control limits, SWIFT transaction auditing and payment reconciliation conducted every two hours.
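The reconciliation and control-limit checks described above can be illustrated with a small script. This is an added example, not code from the article or from any bank or SWIFT product; the ledger records, message records and the per-transfer limit are constructed sample data, and the tampered and injected entries are hypothetical.

```python
"""Added example: reconcile SWIFT outbound messages against the core banking ledger
and flag control-limit breaches. All records below are constructed sample data."""

# Constructed sample: transfers the core banking system believes it authorised this cycle.
CORE_LEDGER = [
    {"ref": "TX1001", "beneficiary": "ACME Trading", "amount": 250_000.0, "currency": "USD"},
    {"ref": "TX1002", "beneficiary": "Globex Ltd", "amount": 40_000.0, "currency": "USD"},
]

# Constructed sample: what the SWIFT interface actually sent. TX1002 has a tampered
# amount and TX9999 is an injected transfer with no core banking record behind it.
SWIFT_OUTBOUND = [
    {"ref": "TX1001", "beneficiary": "ACME Trading", "amount": 250_000.0, "currency": "USD"},
    {"ref": "TX1002", "beneficiary": "Globex Ltd", "amount": 400_000.0, "currency": "USD"},
    {"ref": "TX9999", "beneficiary": "Shell Corp", "amount": 9_500_000.0, "currency": "USD"},
]

PER_TRANSFER_LIMIT = 1_000_000.0  # hypothetical control limit for a single transfer


def reconcile(core, swift, limit=PER_TRANSFER_LIMIT):
    """Compare one reconciliation cycle. Returns a sorted list of (ref, reason) findings;
    an empty list means every SWIFT message matches an authorised ledger entry and
    no message exceeds the control limit."""
    core_by_ref = {r["ref"]: r for r in core}
    swift_by_ref = {r["ref"]: r for r in swift}
    findings = []
    for ref, msg in swift_by_ref.items():
        if ref not in core_by_ref:
            findings.append((ref, "SWIFT message with no core banking record"))
        else:
            expected = core_by_ref[ref]
            for field in ("beneficiary", "amount", "currency"):
                if msg[field] != expected[field]:
                    findings.append((ref, f"{field} mismatch: core={expected[field]!r} swift={msg[field]!r}"))
        if msg["amount"] > limit:
            findings.append((ref, f"amount {msg['amount']:,.2f} exceeds control limit {limit:,.2f}"))
    # A ledger entry with no outbound message is also worth a look: it may simply be
    # unsent, or the message log may have been altered.
    for ref in core_by_ref:
        if ref not in swift_by_ref:
            findings.append((ref, "core record with no matching SWIFT message"))
    return sorted(findings)


if __name__ == "__main__":
    for ref, reason in reconcile(CORE_LEDGER, SWIFT_OUTBOUND):
        print(f"ALERT {ref}: {reason}")
```

Run on a real schedule (the article cites a two-hour cycle), the interesting output is any non-empty result, which should page the payments and security teams rather than wait for the next batch.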
Last year, SWIFT released customer security standards to aid its network members in boosting transparency and cybersecurity.
“One of the key principles of the self-attestation process is to create momentum to drive improvements in security and risk management,” said Stephen Gilderdale, head of SWIFT’s Customer Security Program, in a statement at the time.