North Korean hacker groups found to have illegally withdrawn tens of billions of yen in cash from banks around the world


by (stephan)

Security company FireEye announced on October 3, 2018 that a hacking group called "APT38" had illegally accessed banks around the world and stolen billions of yen. In addition, US-CERT, a US security organization, issued a warning that a hacking group called "Hidden Cobra" had hacked ATMs, mainly at banks in Asia and Africa, to withdraw billions of yen in cash. Both groups, APT38 and Hidden Cobra, which have stolen large amounts of cash from around the world, are said to be backed by North Korea.

APT38: Details on New North Korean Regime-Backed Threat Group | FireEye Inc
https://www.fireeye.com/blog/threat-research/2018/10/apt38-details-on-new-north-korean-regime-backed-threat-group.html


HIDDEN COBRA - FASTCash Campaign | US-CERT
https://www.us-cert.gov/ncas/alerts/TA18-275A


Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash
https://thehackernews.com/2018/10/bank-atm-hacking.html


APT38, which is said to involve 16 organizations in 11 countries, is a hacking group that has been active since 2014. FireEye reported that APT38 planted malware in the interbank settlement infrastructure provided by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and used it to make fraudulent transfers out of banks.

For example, in 2016 a fraudulent large transfer was made from the Bangladesh central bank's system to the Federal Reserve Bank of New York, in an incident in which about 9 billion yen was stolen. FireEye concluded that the fraudulent-transfer incident at the Bangladesh central bank was the work of APT38. FireEye commented, "APT38 has attempted to steal at least $1.1 billion (about 125 billion yen) so far, and even going only by what has been confirmed, billions of yen are believed to have actually been stolen."

FireEye also says that APT38 is backed by North Korea and is a state-sponsored hacking group. Among the hacking groups supported by North Korea, those known as "Hidden Cobra" or "Lazarus Group" are also well known, and these groups are said to have attacked the aerospace, finance and critical-infrastructure sectors around the world. Hidden Cobra has been identified as responsible for the ransomware "WannaCry" that spread worldwide in 2017 and for the 2014 hack of Sony Pictures in which the company's entire system was taken down.

North Korean hacker who created the ransomware "WannaCry" and was involved in the hack of Sony Pictures indicted in the US - GIGAZINE



FireEye says that "the motives and methods of APT38 are clearly different from those of Hidden Cobra, so it cannot be said to be exactly the same group," but because there are similarities in toolset, tactics, connection methods and so on, it is highly likely that the same developers are involved or that the same code repository is being used.

Meanwhile, on October 2, 2018, US-CERT, in collaboration with the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), warned of hacking by Hidden Cobra as a "global threat." According to US-CERT, Hidden Cobra has illegally withdrawn billions of yen from bank ATMs around the world over the past two years.



To gain unauthorized access to bank ATMs, Hidden Cobra first implants Windows-based malware on the "payment switch application server" at banks in Africa and Asia where security measures are weak. It is not known how the attackers got the malware onto servers inside the banks, but it is speculated that they used targeted phishing e-mails aimed at bank employees.

The payment switch application server receives a legitimate PAN (account number) and a payment request message from an ATM or a retail store's POS terminal, decides approval or denial according to the usage limit associated with that number, and sends the payment command back to the ATM or POS. Hidden Cobra is believed to have withdrawn cash by tampering with this payment switch application server using cash-counter account numbers.
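To make the authorization path described above concrete, here is a toy model of a payment switch together with the kind of independent reconciliation check a bank's monitoring team would want: every response the switch emitted is recomputed from the account ledger, and any approval that the ledger would have denied (an unknown PAN, an amount over the limit) is flagged for investigation. This is an added illustration and not code from FireEye, US-CERT or any bank; the message fields, the account table, the limits and the sample transactions are all constructed.

```python
"""Toy payment-switch authorization plus an independent reconciliation
check. Added illustration; message format, accounts and limits are
all constructed and do not reflect any real bank's system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    pan: str        # primary account number from the card (constructed)
    amount: int     # requested withdrawal in whole currency units
    terminal: str   # ATM or POS identifier (constructed)


@dataclass(frozen=True)
class AuthResponse:
    pan: str
    amount: int
    approved: bool
    reason: str


# Constructed ledger: PAN -> (available balance, per-transaction limit).
ACCOUNTS = {
    "4111111111111111": (5_000, 1_000),
    "5500000000000004": (200, 1_000),
}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects malformed PANs before lookup."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def authorize(req: AuthRequest, accounts=ACCOUNTS) -> AuthResponse:
    """Decision a correctly behaving switch should reach for a request."""
    if not luhn_ok(req.pan):
        return AuthResponse(req.pan, req.amount, False, "invalid PAN")
    if req.pan not in accounts:
        return AuthResponse(req.pan, req.amount, False, "unknown account")
    balance, limit = accounts[req.pan]
    if req.amount > limit:
        return AuthResponse(req.pan, req.amount, False, "over limit")
    if req.amount > balance:
        return AuthResponse(req.pan, req.amount, False, "insufficient funds")
    return AuthResponse(req.pan, req.amount, True, "approved")


def reconcile(requests, responses, accounts=ACCOUNTS):
    """Recompute every decision from the ledger and report responses that
    disagree with it. An approval for a PAN the ledger does not know, or
    for an amount the ledger would refuse, is the signature of a switch
    that is no longer deciding from account data, so it is flagged."""
    findings = []
    for req, resp in zip(requests, responses):
        expected = authorize(req, accounts)
        if resp.approved != expected.approved:
            findings.append((req.terminal, req.pan, req.amount, expected.reason))
    return findings


# Constructed sample: three requests and the responses the switch logged.
SAMPLE_REQUESTS = [
    AuthRequest("4111111111111111", 500, "ATM-01"),   # legitimate
    AuthRequest("5500000000000004", 900, "ATM-02"),   # exceeds balance
    AuthRequest("1234567812345670", 800, "ATM-03"),   # valid Luhn, no account
]
SAMPLE_RESPONSES = [
    AuthResponse("4111111111111111", 500, True, "approved"),
    AuthResponse("5500000000000004", 900, True, "approved"),  # should be denied
    AuthResponse("1234567812345670", 800, True, "approved"),  # should be denied
]


def run_demo():
    """Return the reconciliation findings for the constructed sample."""
    return reconcile(SAMPLE_REQUESTS, SAMPLE_RESPONSES)


if __name__ == "__main__":
    for terminal, pan, amount, reason in run_demo():
        print(f"{terminal}: approval of {amount} for PAN {pan[-4:]} "
              f"contradicts ledger ({reason})")
```

The point of the design is that `reconcile` never trusts the switch's own verdict: it re-derives the verdict from the ledger, which is data the switch does not control, so a compromised switch cannot hide a forced approval by also rewriting the check. On the constructed sample it reports ATM-02 and ATM-03 and stays silent on the legitimate ATM-01 withdrawal.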



Economic sanctions over its nuclear and missile tests are believed to be the background to North Korea drawing large amounts of cash from banks around the world through multiple hacking groups. FireEye points out that fraudulent transfers are still taking place even though North Korea has taken a conciliatory line toward the United States, and expects hacking attacks by APT38 to continue in the future.

in Security, Posted by log1i_yk