Security is Everyone's Job

APT 38

APT 38 is another cyber espionage group that is also believed to be sponsored by the North Korean government.

The group has been active since at least 2014, and has targeted various financial institutions and cryptocurrency exchanges around the world, mainly in Asia, Africa, Europe, and North America.

The group’s main objectives are to steal money and cryptocurrency to fund North Korea’s nuclear and missile programs


Operation Blockbuster: A joint investigation by multiple cybersecurity companies in 2016 that exposed the group’s involvement in the Sony Pictures Entertainment breach in 2014, the Bangladesh Bank heist in 2016, and other attacks on financial and media organizations

Operation Sharpshooter: A global campaign in 2018 that used malicious documents and a fake job recruitment website to infect victims with a backdoor that collected system information and downloaded additional malware. The campaign targeted defense, government, energy, and financial sectors in more than 100 countries

Operation AppleJeus: A campaign in 2018 that used a Trojanized cryptocurrency trading application to compromise cryptocurrency exchanges and users. The campaign targeted exchanges in South Korea, Japan, China, and the UK

Operation FASTCash: A campaign in 2018 that used compromised banking servers and ATM switch application servers to withdraw cash from ATMs in multiple countries, including India, Pakistan, Chile, and the US. The campaign reportedly stole tens of millions of dollars

Attack methods

Social engineering: The group uses phishing emails and malicious documents to lure victims into enabling macros or clicking on embedded links. The group also uses fake websites and applications to trick victims into downloading and installing malware

Exploitation: The group exploits vulnerabilities in popular software, such as Adobe Flash Player, Microsoft Silverlight, and Microsoft Office, to deliver malware to victims. The group also uses watering hole attacks, which involve compromising legitimate websites and redirecting visitors to malicious sites

Malware: The group uses a variety of custom and off-the-shelf malware for initial infection and exfiltration. Some of their malware families include FALLCHILL, KEYMARBLE, RATANKBA, BANKSHOT, and HOPLIGHT. The group also has access to destructive malware, such as KILLMBR and KILLDISK, which can erase the hard drive of a machine and render it unusable

Command and control: The group uses compromised servers, cloud service providers, and peer-to-peer networks to communicate with their malware and avoid detection. The group also uses encryption, proxies, and domain generation algorithms to obfuscate their traffic