APT38

Threat Actor updated 15 days ago (2024-08-24T11:17:41.439Z)
APT38, also known as TA444, BlueNoroff, BlackAlicanto, Copernicium, Sapphire Sleet, and Stardust Chollima, is a North Korea-linked advanced persistent threat (APT) group. It has conducted operations against over 16 organizations across at least 11 countries, primarily financial institutions, and has been responsible for some of the largest cyber heists observed to date. Although APT38 shares malware development resources and North Korean state sponsorship with the Lazarus Group, it is tracked as a distinct group because of its own toolset, tactics, techniques, and procedures (TTPs), and its financial motivation. The security community has found code similarities between Ryuk and Hermes, a ransomware used by APT38, which has driven a narrative linking the two. The group overlaps with clusters such as BeagleBoyz, Bluenoroff, and Stardust Chollima, and has been involved in illicit activities including FASTCash ATM cash-outs, fraudulent abuse of compromised bank-operated SWIFT system endpoints, and cryptocurrency theft. Notably, in June 2022 APT38 was implicated in the theft of $100 million in virtual currency from Harmony's Horizon Bridge, an attribution the FBI confirmed in January 2023. While APT38 has not been attributed with recent attacks, it has historically focused on financial theft, including stealing millions of dollars by targeting interbank fund transfer systems. Some threat researchers suggest that groups such as CryptoCore (UNC1069) and TraderTraitor (UNC4899), which also target blockchain companies, may be successors to APT38. Overall, APT38 remains a significant threat because of its sophisticated tactics and substantial financial impact.
Description last updated: 2024-08-24T11:15:32.686Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions vary between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Lazarus Group (4 votes)
The Lazarus Group, a notorious threat actor associated with North Korea, has been implicated in several high-profile cyber attacks and exploitation activities. The group's objective often involves establishing a kernel read/write primitive, which allows them to gain high-level access to systems and

Stardust Chollima (3 votes)
Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

Tradertraitor (3 votes)
TraderTraitor, also known as Lazarus Group or APT38, is a threat actor attributed to the North Korean government that has been implicated in several high-profile cyberattacks. The group has particularly targeted cryptocurrency platforms, executing malicious actions with the intent of stealing large

BeagleBoyz (2 votes)
The BeagleBoyz, also known as threat activity group 71 (TAG-71), is a significant cybersecurity threat actor with strong ties to the North Korean state-sponsored APT38. This group, recognized under various aliases such as Bluenoroff and Stardust Chollima, has been involved in extensive cyber operati

Sapphire Sleet (2 votes)
Sapphire Sleet, a threat actor linked to North Korea, has emerged as a significant cybersecurity concern. This group, characterized by its malicious intent, targets IT job seekers through the use of deceptive tactics. They have created bogus skills assessment portals, designed to lure unsuspecting i

Andariel (2 votes)
Andariel, a state-backed threat group linked to North Korea's Reconnaissance General Bureau, has been identified as a significant cyber threat. The group has demonstrated its capabilities by compromising critical national infrastructure organizations, accessing classified technical information and i
Miscellaneous Associations
Other contextual elements that may help in assessing relevance:
FBI
Bitcoin
DPRK
Korean
Reconnaissance
Malware
State Sponso...
Associated Threat Actors
Bluenoroff (relationship: is related to; 3 votes)
BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,

Rgb (relationship: Unspecified; 2 votes)
RGB is a threat actor group associated with North Korea's Reconnaissance General Bureau (RGB), which has been involved in numerous cyber espionage activities. The RGB 3rd Bureau, based in Pyongyang and Sinuiju, includes state-sponsored cyber groups known as Andariel, Onyx Sleet (formerly PLUTONIUM),
Source Document References
Information about the APT38 threat actor was read from the document corpus below. This display is limited to 20 results.
Securityaffairs, 15 days ago: Russian national arrested in Argentina for laundering money of crooks and Lazarus APT
DARKReading, 8 months ago: North Korea Debuts 'SpectralBlur' Malware Amid macOS Onslaught
Securityaffairs, 10 months ago: North Korea-linked APT Sapphire Sleet targets IT job seekers
BankInfoSecurity, a year ago: Researchers: North Korean Hackers Gain Speed, Flexibility
CSO Online, 2 years ago: APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
CERT-EU, a year ago: North Korean and Chinese Hackers Attacking Healthcare Industries
CERT-EU, a year ago: Hong Kong crypto business Mixin says hackers stole $200 million in assets
CERT-EU, a year ago: North Korean Threat Actors Stole $41 Million in Online Casino Heist | IT Security News
InfoSecurity-magazine, a year ago: FBI Flags $40M Crypto Cash-Out Plot By North Korean Hackers
CERT-EU, a year ago: North Korea ready to cash out more than $40 million in Bitcoin after summer of attacks, warns FBI
CERT-EU, a year ago: FBI: North Korean hackers transferred $40 million in stolen cryptocurrency funds in one day
CERT-EU, a year ago: FBI Warns of Cryptocurrency Heists by North Korea's Lazarus Group
CERT-EU, a year ago: FBI warns North Korean hackers poised to cash out more than $40 million in bitcoin
CERT-EU, a year ago: FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Securityaffairs, a year ago: FBI identifies wallets holding cryptocurrency funds stolen by North Korea
CERT-EU, a year ago: FBI: Lazarus hackers readying to cash out $41 million in stolen crypto
CERT-EU, a year ago: North Korea's Lazarus hackers behind recent crypto heists: FBI
CERT-EU, a year ago: North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns
CSO Online, a year ago: North Korean threat actor APT43 pivots back to strategic cyberespionage