APT38

Also known as: BeagleBoyz, Bluenoroff, COPERNICIUM, NICKEL GLADSTONE, Sapphire Sleet, Stardust Chollima

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau [2]. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [3] and Banco de Chile [3]; some of their attacks have been destructive [2][3][4][5].

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ATT&CK ID: G0082

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

Information pending cataloguing.

Attribution and Evidence

Information pending cataloguing.

References

[1] MITRE ATT&CK entry (G0082)
[2] CISA AA20-239A BeagleBoyz, August 2020
[3] FireEye APT38, October 2018
[4] DOJ North Korea Indictment, February 2021
[5] Kaspersky, Lazarus Under The Hood, blog, 2017