A North Korean hacking group has used the Swift network to try to steal more than $1.1 billion dollars from at least 16 financial institutions around the world since 2014, according to security specialist FireEye, which warns that he crooks are still operating.
The North Korean regime has long been suspected of turning to cybercrime as a way to bring in funds to a country under the weight of heavy sanctions.
Recently the US justice department charged an alleged North Korean spy with a host of high-profile cyberattacks, including the $81 million Bangladesh Bank hack, which saw thieves use the Swift messaging system to convince the Federal Reserve Bank of New York to transfer $81 million from the victim's account to accounts they controlled in the Philippines.
While the spy was publicly linked to the Lazarus hacking collective, FireEye says that there are several distinct groups that use similar malware resources and have the backing of the North Korean state.
FireEye has dubbed the group it believes is behind a spate of attacks similar to the Bangladesh Bank hack as APT38, which has been running since at least 2014 and has targeted more than 16 organisations in 11 countries, trying to steal at least $1.1 billion.
APT38 carries out meticulous planning, hiding out in victims' networks for an average of 155 days until it gets what it wants.
First, the gang researches a firm's staffers with likely access to the Swift messaging systems before compromising them, installing reconnaissance malware and internal network monitoring tools. Then fraudulent Swift transactions are set up, with multiple transfers made to accounts in separate countries to make money laundering easier. Finally, evidence is destroyed.
FireEye stresses that APT38 is compromising victims' systems, not the Swift network itself.
Says FireEye: "Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations.
"Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector."
The Swift thefts are far from the only cyberattacks being pinned on North Korean actors. This week the US Department of Homeland Security warned that hackers from the rogue state have stolen millions of dollars from ATMs around the world in the past two years.