Threat Intelligence Tarot
Major Arcana · 9
North Korea (Reconnaissance General Bureau, financial unit)
G0082
risk 4/5
The Alchemist
APT38
Bluenoroff · TEMP.Hermit
Banks · SWIFT network participants · Financial services globally
Active since ~2014 · Currency generation, Sanctions evasion, Financial system manipulation
It turns network packets into gold. APT38 is the finance department of a rogue state - patient, methodical, willing to spend months inside a bank network learning its SWIFT workflows before issuing fraudulent transfers and then burning the evidence on the way out.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
  • T1531 Account Access Removal (Impact)
  • T1485 Data Destruction (Impact)
  • T1071.001 Web Protocols (Command and Control)
  • T1565.001 Stored Data Manipulation (Impact)
  • T1134 Access Token Manipulation (Privilege Escalation)
Notable Operations
  • Bangladesh Bank $81M SWIFT heist (2016)
  • Banco de Chile $10M theft (2018)
  • Taiwan Far Eastern Bank targeting
  • Multiple African and Asian bank intrusions
Defenses
  • SWIFT Customer Security Programme mandatory controls (SWIFT CSP)
  • Dual-control authorization for large wire transfers (FFIEC guidance)
  • Anomaly detection on SWIFT message patterns (NIST CSF: DE.AE)
  • Out-of-band verification for large or unusual transactions (FFIEC guidance)
Reversed: Their Weakness
The Bangladesh Bank heist almost succeeded perfectly - but the fraudulent transfers were partially flagged by the Federal Reserve Bank of New York, and a typo in one transfer instruction ('fandation' vs 'foundation') triggered a review.

Data sourced from MITRE ATT&CK. For educational purposes.