G0082 · 43 ATT&CK techniques · 0 correlated reports

APT38

Aliases: NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext and Banco de Chile ; some of their attacks have been destructive. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Open interactive actor investigation

ATT&CK techniques

T1486
Data Encrypted for Impact T1033
System Owner/User Discovery T1112
Modify Registry T1049
System Network Connections Discovery T1070.004
File Deletion T1056.001
Keylogging T1518.001
Security Software Discovery T1543.003
Windows Service T1189
Drive-by Compromise T1083
File and Directory Discovery T1059.003
Windows Command Shell T1059.005
Visual Basic T1529
System Shutdown/Reboot T1071.001
Web Protocols T1105
Ingress Tool Transfer T1562.003
Impair Command History Logging T1027.002
Software Packing T1217
Browser Information Discovery T1070.001
Clear Windows Event Logs T1070.006
Timestomp T1485
Data Destruction T1110
Brute Force T1135
Network Share Discovery T1082
System Information Discovery T1565.002
Transmitted Data Manipulation T1561.002
Disk Structure Wipe T1053.005
Scheduled Task T1588.002
Tool T1505.003
Web Shell T1115
Clipboard Data T1562.004
Disable or Modify System Firewall T1218.011
Rundll32 T1565.003
Runtime Data Manipulation T1106
Native API T1218.001
Compiled HTML File T1204.002
Malicious File T1565.001
Stored Data Manipulation T1005
Data from Local System T1059.001
PowerShell T1053.003
Cron T1566.001
Spearphishing Attachment T1569.002
Service Execution T1057
Process Discovery

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research