APT38 is a financially motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.
Name: Nickel Gladstone (SecureWorks), Lazarus Group, Gods Apostles, Gods Disciples, Guardians of Peace, ZINC, Whois Team, Hidden Cobra, Stardust Chollima (CS).
Location: North Korea
Suspected attribution: State-sponsored, Bureau/Unit 211
Date of initial activity: 2007
Targets: Acquisitive crime, targeting financial institutions and conducting online criminal activities for financial gain.
Motivation: Financial Gain
Associated tools: AlphaNC, Bankshot, CATCH22, CCGC_Proxy, Ratankba, Server_TrafficForwarder, Wcry, KEYLIME.
Attack vectors: APT38 used a backdoor, QUICKRIDE, to communicate with the C2 server over HTTP and HTTPS. The group also used a Trojan called KEYLIME to collect data from the clipboard.
How they work: NICKEL GLADSTONE came to prominence in February 2016, when the news broke about Bangladesh Central Bank’s loss of USD 81 million through fraudulent messages in the SWIFT network. Since then, additional financial institutions have been discovered to be targets of similar operations, including banks in Vietnam, Ecuador, Taiwan, Chile and India. In February 2017, the group was likely responsible for compromising the Polish Financial Supervision Authority (PFSA) website to target Polish and other banks around the world, spanning in total 104 organizations in 31 countries.