
APT38

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: WannaCry (Hop 4)
Expansion Funnel: Raw 51 → Dedup 0 → NER 0 → Enqueued 0
APT38
Name: APT38
Type: State-sponsored cybercrime
Origin: Democratic People's Republic of Korea (attribution by multiple sources)
Active: 2014–present
Targets: Financial institutions, cryptocurrency exchanges, SWIFT-related infrastructure
Motive: Financial gain to support state priorities

APT38 is a highly capable cyber threat group attributed by multiple intelligence and cybersecurity organizations to actors linked to the Democratic People's Republic of Korea. The group is characterized by long-term, financially motivated intrusions against banking, financial services, and cryptocurrency entities across Asia, Europe, and the Americas. Investigations by private firms, national intelligence agencies, and international bodies have connected the group's tooling and operational patterns to broader diplomatic, military, and economic aims of Pyongyang.

Overview

Security researchers and agencies including United States Department of the Treasury, United States Department of Justice, Federal Bureau of Investigation, National Security Agency, Mandiant, Symantec, and Kaspersky Lab have published advisories attributing a string of complex heists and intrusions to the group. Analysts note overlaps with operations linked to the Reconnaissance General Bureau, Bureau 121, and sanctioned entities such as Korean People's Army-associated units. The group has used customized malware, lateral movement frameworks, credential harvesting, and heist-style operational tradecraft reminiscent of earlier incidents like the 2016 Bangladesh Bank robbery and campaigns targeting SWIFT-connected infrastructures.

Origins and Attribution

Attribution to DPRK-linked units draws on forensic artifacts, shared infrastructure, and tradecraft similarities to campaigns attributed to actors tied to Pyongyang. Disclosures from the United States Treasury and indictments from the United States Department of Justice have named individuals and entities and linked operations to state-directed financial collection. Open-source intelligence work by firms such as FireEye, Kaspersky, ESET, and CrowdStrike mapped malware families, command-and-control servers, and operational timing to other known North Korean campaigns like Operation Troy, Andariel, and activity attributed to Lazarus Group.

Tactics, Techniques, and Procedures

The group's documented tactics include spear-phishing, credential harvesting, exploitation of unpatched vulnerabilities, custom backdoors, and deployment of remote access tools to execute fraudulent transactions. Malware families and toolsets associated with the group in reports include variants similar to those used in operations from the era of the Sony Pictures Entertainment hack and in banking fraud campaigns. Operators have targeted SWIFT systems, ATM networks, and interbank settlement platforms, using false transaction orders, rapid cash-outs, and manipulation of banking logs. Infrastructure has often leveraged compromised hosts at regional providers, proxy chains through compromised routers, and cryptocurrency mixers to launder proceeds, echoing techniques used in campaigns targeting Mt. Gox, Bitfinex, and other crypto exchanges.

Notable Operations and Targets

Investigations link the group to high-profile heists and intrusion campaigns against financial institutions in Bangladesh, Vietnam, the Philippines, Sri Lanka, Poland, Mexico, and Peru. Notable incidents cited in public reports include thefts that coincide temporally and technically with the 2016 Bangladesh Bank heist, as well as attacks on regional banks involving fraudulent SWIFT requests, ATM cash-out operations, and cryptocurrency thefts from exchanges and custodial services. Targeted organizations named in filings and advisories include major commercial banks, financial clearinghouses, and cryptocurrency trading platforms across Asia, Europe, and the Americas.

Impact and Consequences

The fiscal impact attributed to the group spans hundreds of millions of US dollars in stolen funds, lost revenues, remediation costs, and downstream legal and regulatory consequences for victim institutions. The operations intensified scrutiny of SWIFT security practices, interbank settlement controls, and cryptocurrency compliance regimes such as Know Your Customer and Anti-Money Laundering standards. Geopolitical consequences include increased sanctions targeting North Korean revenue streams, diplomatic friction between affected states, and elevated coordination among national cybersecurity centers like United States Cyber Command, National Cyber Security Centre (UK), and regional CERTs.

International Response and Sanctions

Multiple governments and international bodies responded with indictments, sanctions, asset freezes, and coordinated advisories. The United States Department of the Treasury imposed sanctions on individuals and front companies, and discussions at the United Nations Security Council and the Financial Action Task Force raised concerns about illicit finance linked to DPRK activity. Law enforcement actions by the FBI, Europol, and national prosecutors in affected countries have pursued criminal cases, seizures, and mutual legal assistance requests. Private sector exchanges and banking consortia increased threat-sharing and adopted detection frameworks advocated by entities like FS-ISAC.

Mitigation and Defense Measures

Recommendations from cybersecurity firms and national agencies emphasize network segmentation, multifactor authentication, patch management, logging and monitoring of transaction systems, and SWIFT Customer Security Programme measures. Financial institutions are advised to implement strict change-control, out-of-band transaction verification, endpoint detection and response platforms from vendors like CrowdStrike and Carbon Black, and to engage with sharing platforms such as FS-ISAC and national Computer Emergency Response Teams. Enhanced cooperation among central banks, regulators like the Office of the Comptroller of the Currency and European Central Bank, and cyber threat intelligence programs aims to reduce attack surface and improve incident response.
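Two of the controls recommended above, logging and monitoring of transaction systems and out-of-band transaction verification, map directly onto the tradecraft described in the Tactics section (false transaction orders and manipulation of banking logs). The following is an added illustration, not code from the original article or from any of the firms or agencies it names: a tamper-evident, hash-chained transaction journal whose audit detects a rewritten or deleted record, and a simple hold-for-callback policy that flags outbound transfers to an unseen beneficiary, above an amount threshold, or outside business hours. All transfers, account identifiers, the threshold and the business-hours window are constructed sample values.

```python
"""Added example (not part of the original article): two defensive controls
motivated by the tradecraft described above.

1. Hash-chained journal: each record hash covers the previous record's hash,
   so rewriting or deleting an entry breaks the chain and is caught on audit.
2. Out-of-band verification policy: a transfer is held for confirmation over
   a second channel when any trigger fires (new beneficiary, large amount,
   outside business hours).

All data below is constructed; thresholds are illustrative assumptions.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime

GENESIS = "0" * 64  # chain anchor for an empty journal


@dataclass(frozen=True)
class Transfer:
    ref: str          # constructed reference number
    timestamp: str    # ISO 8601 local branch time (constructed)
    beneficiary: str  # constructed account identifier
    amount: float
    currency: str


def _record_hash(prev_hash: str, transfer: Transfer) -> str:
    """SHA-256 over the previous hash plus a canonical encoding of the record."""
    payload = json.dumps(asdict(transfer), sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_journal(transfers):
    """Append-only journal: list of (transfer, hash), each hash chained to the last."""
    journal, prev = [], GENESIS
    for t in transfers:
        h = _record_hash(prev, t)
        journal.append((t, h))
        prev = h
    return journal


def verify_journal(journal):
    """Return the index of the first record that breaks the chain, or -1 if intact.

    A rewritten record fails at its own index; a deleted record makes the
    following record fail, because its hash still commits to the removed one.
    """
    prev = GENESIS
    for i, (t, h) in enumerate(journal):
        if _record_hash(prev, t) != h:
            return i
        prev = h
    return -1


def needs_oob_verification(transfer, known_beneficiaries, threshold=50_000.0,
                           business_hours=(8, 18)):
    """Return the list of triggers that require an out-of-band callback (empty = release)."""
    reasons = []
    if transfer.beneficiary not in known_beneficiaries:
        reasons.append("new-beneficiary")
    if transfer.amount >= threshold:
        reasons.append("above-threshold")
    hour = datetime.fromisoformat(transfer.timestamp).hour
    if not (business_hours[0] <= hour < business_hours[1]):
        reasons.append("outside-business-hours")
    return reasons


# Constructed sample data: two routine payments and one that should be held.
SAMPLE_TRANSFERS = [
    Transfer("TX-0001", "2024-03-11T10:15:00", "ACCT-VENDOR-01", 12_500.0, "USD"),
    Transfer("TX-0002", "2024-03-11T14:02:00", "ACCT-PAYROLL-01", 48_000.0, "USD"),
    Transfer("TX-0003", "2024-03-11T23:40:00", "ACCT-UNKNOWN-77", 250_000.0, "USD"),
]
KNOWN_BENEFICIARIES = {"ACCT-VENDOR-01", "ACCT-PAYROLL-01"}

if __name__ == "__main__":
    journal = build_journal(SAMPLE_TRANSFERS)
    print("journal intact:", verify_journal(journal) == -1)
    for t in SAMPLE_TRANSFERS:
        print(t.ref, needs_oob_verification(t, KNOWN_BENEFICIARIES) or "release")
```

The journal only makes tampering detectable; it does not prevent it, so in practice the chain head would be written to a system the transaction operators cannot reach (a separate log collector or an HSM-backed signer). The policy thresholds are deliberately simple: a production rule set would also consider velocity and aggregate daily totals, which is the "rapid cash-out" pattern mentioned above.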

Category:Cybercrime Category:North Korea–related incidents Category:State-sponsored cyber activity