APT38
G00822 reportsAnalyst assessment — key judgments
- Signature techniques: T1053.005 (Scheduled Task), T1113 (Screen Capture), T1033 (System Owner/User Discovery).
- Primary targeting: KR, US, CN, IN.
- Steady activity: 1 report(s) in last 30d vs 1 prior (+0%).
- Recent movement: 5 new technique(s), 7 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 28% of 43 observed techniques (31 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Overview
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
ATT&CK technique matrix
- T1053.005 · Scheduled Taskconf 601
- T1113 · Screen Captureconf 601
- T1033 · System Owner/User Discoveryconf 601
- T1548.002 · Bypass User Account Controlconf 601
- T1547 · Boot or Logon Autostart Executionconf 601
- T1115 · Clipboard Dataconf 601
- T1082 · System Information Discoveryconf 601
- T1071 · Application Layer Protocolconf 601
- T1053 · Scheduled Task/Jobconf 601
- T1106 · Native APIconf 601
- T1140 · Deobfuscate/Decode Files or Informationconf 601
- T1055 · Process Injectionconf 601
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|