ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Bluenoroff, APT 38, Stardust Chollima

Names: Bluenoroff (Kaspersky), Stardust Chollima (CrowdStrike), APT 38 (Mandiant), ATK 117 (Thales)
Country: North Korea
Motivation: Financial crime
First seen: 2014
Description: A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(Kaspersky) The Lazarus Group, a nation-state level of attacker tied to the 2014 attacks on Sony Pictures Entertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.
Observed:
Tools used:
Operations performed:

Oct 2015: Duuzer backdoor Trojan targets South Korea to take over computers
Symantec has found that South Korea is being impacted by an active back door Trojan, detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It’s clearly the work of skilled attackers looking to obtain valuable information.
<https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers>
2015: SWIFT attack on a bank in the Philippines
<https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks>
Dec 2015: Attempted Vietnamese TPBank SWIFT attack
<https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105>
May 2016: SWIFT attack on Banco del Austro in Ecuador
<https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD>
Oct 2016: Mexican and Polish financial attack
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.
<https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0>
2017: In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security or cryptocurrency related files in order to entice users into executing them.
<https://securelist.com/apt-trends-report-q2-2020/97937/>
Oct 2017: SWIFT attack on Far Eastern International Bank (FEIB) in Taiwan
<https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html>
Jan 2018: Attempted heist at Bancomext in Mexico
<https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret>
May 2018: SWIFT attack on Banco de Chile in Chile
<https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/>
Aug 2018: SWIFT attack on Cosmos Bank in India
<https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678>
Dec 2018: ATM breach of Redbanc in Chile
<https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/>
Information: <https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/>
MITRE ATT&CK: <https://attack.mitre.org/groups/G0082/>

Last change to this card: 27 August 2020


