NATION-STATE MONEYMULE'S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTIONS presented at blackhateu 2017

by Kyoung-ju Kwak, Chi-en (ashley) Shen, Min-chang Jang,

Summary : Lazarus, Bluenoroff, and Andariel are three notorious APT groups from North Korea infamous for deconstruction, cyber heist, and espionage attacks. From DarkSeoul to Sony Picture Entertainment breach, the groups conducted several operations that have received international public attention.Starting in 2016, we have observed a significant change in the targets and motivation of the groups. While the groups have a long history of conducting cybercrime and cyber espionage attacks, their operations have become more aggressive and more focused on the cybercrime attacks targeting financial institutions. In February 2016, a series of attacks from Lazarus group - which leveraged the SWIFT banking network used to target Bangladesh banks - were revealed. Later in May, the global WannaCry ransomware attack was also linked back to the nation. However, these attacks were just the tip of the iceberg. In this talk, we will disclose five recent operations conducted by the groups. These operations targeted banks in Europe and South Korea, an ATM company and Bitcoin exchange service provider. One of the operations involved another ransomware attack conducted before the WannaCry operation. We will introduce the malware, vulnerabilities, IOC and TTP discovered in these attacks. In addition, we will show how we revealed the black-market trading and Bitcoin transaction performed by the attackers. In the hope of making the world a safer place, we disclose this information to help financial institutions react to the substantial threat.