
The Advanced Persistent Threat (APT) group APT38 is a North Korean state-sponsored actor responsible for highly destructive attacks on financial institutions. To date, the group is responsible for approximately $1.1 billion in attempted thefts throughout the world. Despite being financially motivated, the group tends to operate more along the lines of an espionage group: they conduct reconnaissance and move stealthily around an infected environment. APT38 is also known to share resources with other North Korean APT groups. They also have ties with the group responsible for the WannaCry ransomware, as well as with TEMP.Hermit, which generally targets the Defense and Energy sectors. The malware developed by the group, Emotet, has also been used to deliver the Ryuk ransomware strain, which has affected more than 100 U.S. businesses since August 2018. As with most malware infections, Emotet is delivered through targeted campaigns. The emails usually carry a malicious attachment and use subject lines such as “Invoice” or “Payment for your services”. The E-ISAC has reported Emotet activity seen in the ERO. Again, it is imperative that organizations train their employees on how to spot and avoid phishing emails.

The following are the operational stages for APT38:

1. Information Gathering
   - Research the employees
   - Research third-party vendors

2. Initial Compromise
   - Phishing campaigns
   - Watering hole attacks
   - Linux server reconnaissance targeting Apache Struts vulnerabilities

3. Internal Reconnaissance
   - Deploy additional malware to gather network topology and credentials
   - Exploit internal tools, including Sysmon, net.exe and the Windows CMD, for system scans

4. Lateral Movement to SWIFT Servers
   - Install malware and network monitoring tools on SWIFT systems
   - Deploy active and passive backdoors

5. Transfer Funds
   - Deploy malware to insert fraudulent SWIFT transactions and modify transaction history

6. Obfuscation & Evidence Destruction
   - Securely delete logs and files using non-public malware
   - Deploy and execute disk-wiping malware
   - Use publicly available ransomware to delay investigations, giving time to destroy additional evidence

Massive DDoS Attacks

Despite a downward trend throughout 2018, Distributed Denial of Service (DDoS) attacks have come back with a vengeance and are massive. Attacks larger than 100 Gbps saw an explosive 967% increase in the first quarter of 2019 when compared to the same time frame in 2018. The largest attack was 586 Gbps. Even though the largest attacks grew the most, small attacks also saw a 257% increase, with the majority being under 5 Gbps. The attacks utilize a variety of ports and protocols to identify vulnerabilities to exploit. They often target multiple attack vectors and mutate throughout the process. There are plenty of tools out there that can aid in the protection against DDoS attacks; however, nothing can replace having talented cybersecurity staff on hand.
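Stage 3 of the APT38 operational stages above names net.exe and the Windows CMD being used for system scans. The following is an added example, not code from the E-ISAC article, of a simple detection rule a defender can run over Sysmon-style process-creation records: it flags a host where several distinct enumeration commands run within a short window. The log format, hostnames, users and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style (Event ID 1) process-creation lines; hosts, users and times are hypothetical.
SAMPLE_EVENTS = [
    "2019-05-02T09:14:03 host=FIN-WS01 user=jdoe image=C:\\Windows\\System32\\net.exe cmdline=net user /domain",
    "2019-05-02T09:14:21 host=FIN-WS01 user=jdoe image=C:\\Windows\\System32\\net.exe cmdline=net group \"Domain Admins\" /domain",
    "2019-05-02T09:15:07 host=FIN-WS01 user=jdoe image=C:\\Windows\\System32\\net.exe cmdline=net view /domain",
    "2019-05-02T09:15:40 host=FIN-WS01 user=jdoe image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c systeminfo",
    "2019-05-02T16:45:00 host=FIN-WS02 user=asmith image=C:\\Windows\\System32\\net.exe cmdline=net view /domain",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=\S+ cmdline=(?P<cmd>.*)$")

# Enumeration commands chained together when mapping a host or domain; one is admin noise, several within minutes are not.
RECON_PATTERNS = {
    "net_user": re.compile(r"^net1?\s+user\b", re.I),
    "net_group": re.compile(r"^net1?\s+(local)?group\b", re.I),
    "net_view": re.compile(r"^net1?\s+view\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
}

def parse_event(line):
    # Returns (timestamp, host, user, recon_category), or None if the line is not a recon command.
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, pat in RECON_PATTERNS.items():
        if pat.search(m.group("cmd")):
            return datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("user"), name
    return None

def detect_recon_bursts(lines, window=timedelta(minutes=10), min_distinct=3):
    # Alert once per host when at least min_distinct distinct recon commands run within `window`.
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_host[ev[1]].append(ev)
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _, user, _) in enumerate(events):
            seen = {cat for ts, _, _, cat in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[host] = {"user": user, "first_seen": start.isoformat(), "techniques": sorted(seen)}
                break
    return alerts
```

Tune the window and threshold against your own baseline of administrative activity before deploying it as an alert.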