Some financially motivated cyber-attacks previously attributed to the infamous Lazarus Group are actually the work of another North Korean state-sponsored threat group, according to FireEye.

The vendor’s latest report details the activities of APT38: a “large, prolific operation with extensive resources” that has already attempted to steal over $1bn from 16 organizations in at least 11 countries, many simultaneously.

Although the group may share personnel, code repositories and other resources with Lazarus and the TEMP.Hermit group, APT38’s TTPs are distinct and its aim is primarily to steal money for the hermit nation rather than carry out politically motivated espionage or destructive attacks, the report claimed.

Its attacks are notable for their lengthy, careful planning, custom-developed tools and willingness to destroy machines if it helps to thwart investigations, FireEye said.

The group spends on average 155 days inside a victim’s network, although it has been known to persist for nearly two years.

Attacks typically start with information gathering from targeted personnel and third-party vendors, to understand how SWIFT transactions work, before initial compromise via watering hole attacks exploiting out-of-date Apache Struts2 installations.

Malware is then deployed to gather credentials and map network topology, before pivoting to the target’s SWIFT servers.

Malware will then be deployed to insert fraudulent SWIFT transfers and alter transaction histories, before logs are deleted and disk-wiping malware is deployed.

“In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds.”