North Korean hackers continue attacks through banks' access to Swift


In monitoring the patterns of a North Korean cyberattack organization that has stolen more than $1.1 billion from global financial institutions since 2014, security firm FireEye says these hackers are still at work in targeting a bank's access to the Swift messaging network.

A group that California-based FireEye has dubbed APT38 is behind the cyberattacks, starting with the heist of the Bangladesh Bank four years ago and continuing since then with attacks on more than 16 financial organizations in 11 countries.

The hackers are compromising the victim's systems, not the Swift network itself, FireEye stated in its report.

As part of its planning process, APT38 hides in a victim's network for an average of 155 days "until it gets what it wants," FireEye said.

In citing how the process works, FireEye noted that APT38 researches a firm's staffers with likely access to the Swift messaging systems before compromising them. It then installs reconnaissance malware and internal network monitoring tools.

Fraudulent Swift transactions are set up, with multiple transfers made to accounts in separate countries to make money laundering easier. Finally, evidence is destroyed, the report said.

"Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide," the report stated. "Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector."
