APT38

Threat Actor updated 2 months ago (2024-09-10T04:18:37.124Z)

Download STIX

Preview STIX

APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite sharing malware development resources and state sponsorship with another North Korean group known as "Lazarus," APT38 distinguishes itself through its unique toolset, tactics, techniques, and procedures (TTPs), and its financial motivation. Notably, APT38 has used ransomware such as Ryuk and Hermes in its operations. In June 2022, APT38, in conjunction with the Lazarus Group, stole $100 million worth of cryptocurrency assets from the Blockchain company Harmony Horizon Bridge. This theft was confirmed by the U.S. Federal Bureau of Investigation (FBI) in January 2023. The group overlaps with other groups tracked by the cybersecurity industry, including Lazarus, Bluenoroff, Stardust Chollima, and BeagleBoyz, the latter being responsible for the FASTCash ATM cash outs reported in October 2018 and fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015. APT38, also known as Alluring Pisces, BlueNoroff, Sapphire Sleet, and TA444 among others, has targeted not just financial institutions but also cryptocurrency businesses and ATMs. Other groups like CryptoCore and TraderTraitor, active since at least 2018, focus on cryptocurrency theft and may be successors to APT38. Although no recent attacks have been attributed to APT38, historically, it has focused on financial theft, including stealing millions of dollars by targeting Interbank Fund Transfer Systems.

Description last updated: 2024-09-10T03:19:05.239Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Lazarus Group is a possible alias for APT38. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	4
Stardust Chollima is a possible alias for APT38. Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f	3
Tradertraitor is a possible alias for APT38. TraderTraitor, a threat actor attributed to the North Korean government's APT38 hacking group also known as Lazarus, has been implicated in a series of cyberattacks targeting cryptocurrency platforms. The FBI has recently linked TraderTraitor to the theft of hundreds of millions of dollars in crypto	3
Sapphire Sleet is a possible alias for APT38. Sapphire Sleet is a North Korea-linked Advanced Persistent Threat (APT) group known for its malicious activities. As a threat actor, Sapphire Sleet has been identified as the entity behind the execution of actions with harmful intent. The group's operations are sophisticated and persistent, targetin	3
Andariel is a possible alias for APT38. Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som	2
BeagleBoyz is a possible alias for APT38. The BeagleBoyz, also known as threat activity group 71 (TAG-71), is a significant cybersecurity threat actor with strong ties to the North Korean state-sponsored APT38. This group, recognized under various aliases such as Bluenoroff and Stardust Chollima, has been involved in extensive cyber operati	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Bitcoin

Dprk

Korean

Reconnaissance

Fbi

Malware

State Sponso...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Bluenoroff Threat Actor is associated with APT38. BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi	is related to	4
The Rgb Threat Actor is associated with APT38. RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en	Unspecified	2

Source Document References

Information about the APT38 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
Securityaffairs	3 months ago	Russian national arrested in Argentina for laundering money of crooks and Lazarus APT
DARKReading	a year ago	North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
Securityaffairs	a year ago	North Korea-linked APT Sapphire Sleet targets IT job seekers
BankInfoSecurity	a year ago	Researchers: North Korean Hackers Gain Speed, Flexibility
CSO Online	2 years ago	APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
CERT-EU	a year ago	North Korean and Chinese Hackers Attacking Healthcare Industries
CERT-EU	a year ago	Hong Kong crypto business Mixin says hackers stole $200 million in assets
CERT-EU	a year ago	North Korean Threat Actors Stole $41 Million in Online Casino Heist \| IT Security News
InfoSecurity-magazine	a year ago	FBI Flags $40M Crypto Cash-Out Plot By North Korean Hackers
CERT-EU	a year ago	North Korea ready to cash out more than $40 million in Bitcoin after summer of attacks, warns FBI
CERT-EU	a year ago	FBI: North Korean hackers transferred $40 million in stolen cryptocurrency funds in one day
CERT-EU	a year ago	FBI Warns of Cryptocurrency Heists by North Korea's Lazarus Group
CERT-EU	a year ago	FBI warns North Korean hackers poised to cash out more than $40 million in bitcoin
CERT-EU	a year ago	FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Securityaffairs	a year ago	FBI identifies wallets holding cryptocurrency funds stolen by North Korea
CERT-EU	a year ago	FBI: Lazarus hackers readying to cash out $41 million in stolen crypto
CERT-EU	a year ago	FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
CERT-EU	a year ago	North Korea’s Lazarus hackers behind recent crypto heists: FBI
CERT-EU	a year ago	North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns