APT38 shares malware code and other development resources with TEMP.Hermit North Korean cyber espionage activity, although we consider APT38’s operations more global and highly specialized for targeting the financial sector. The group has compromised more than 16 organizations in at least 11 different countries, sometimes simultaneously, since at least 2014.
Since the first observed activity, the group’s operations have become increasingly complex and destructive. APT38 has adopted a calculated approach, allowing them to sharpen their tactics, techniques, and procedures (TTPs) over time while evading detection.
- APT38 is a financially motivated group linked to North Korean cyber espionage operators, renown for attempting to steal hundreds of millions of dollars from financial institutions and their brazen use of destructive malware.
- APT38 executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.
- A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and tactics, techniques, and procedures (TTPs) that the researchers believed were linked to a set of developers and operators they dubbed “Lazarus,” a name that has become largely synonymous with aggressive North Korean cyber operations. We tracked many of these indicators and campaigns as TEMP.Hermit.
- Attribution to both the “Lazarus” group and TEMP.Hermit was made with varying levels of confidence primarily based on similarities in malware being leveraged in identified operations. Over time these malware similarities diverged, as did targeting, intended outcomes, and TTPs, almost certainly indicating that TEMP.Hermit activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.
- Because APT38 is backed by (and acts on behalf of) the North Korean regime, we opted to categorize the group as an “APT” instead of a “FIN.” This also reflects that APT38’s operations closely resemble espionage-related activity
Download the full research by FireEye on APT38