Massive 3CX Supply-Chain Hack Targeting Cryptocurrency Companies

Software supply chain attacks, in which hackers corrupt commonly used applications to push their own code to thousands or even millions of machines, have become a scourge, both insidious and potentially huge in the breadth of their impact. But the latest major attack on the software supply chain, in which hackers appearing to be working on behalf of the North Korean government hid their code in the installer for a widely used VoIP application known as 3CX, seems to have had a prosaic goal so far: to break into a handful of cryptocurrency companies.

Investigators from Russian cybersecurity firm Kaspersky revealed today that they have identified a small number of cryptocurrency-focused companies as at least some of the victims of the 3CX software supply chain attack that unfolded over the past week. Kaspersky declined to name the victim companies, noting that they are based in “Western Asia.”

Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who they say compromised 3CX installation software used by 600,000 organizations worldwide. Despite the potentially massive scale of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now discovered that the hackers combed through victims infected with the corrupted software to ultimately target fewer than 10 machines, at least as far as Kaspersky could see so far, and that they seemed to focus on cryptocurrency companies with “surgical precision.”

“This was all to compromise a small group of companies, maybe not just in cryptocurrency, but what we see is that one of the interests of the attackers is cryptocurrency companies,” said Georgy Kucherin, a researcher on Kaspersky’s GReAT team of security analysts. “Cryptocurrency companies should be particularly concerned about this attack, as they are the likely targets, and they should scan their systems for further compromises.”

Kaspersky based that conclusion on the discovery that in some cases the 3CX supply chain hackers used their attack to eventually plant a multifaceted backdoor program known as Gopuram on victim machines, which the researchers describe as “the last payload in the attack chain.” Kaspersky says the appearance of that malware also represents a North Korean fingerprint: Gopuram has previously been used on the same network as another piece of malware known as AppleJeus, linked to North Korean hackers. Kaspersky has also previously seen Gopuram connect to the same command-and-control infrastructure as AppleJeus, and Gopuram has previously been used to target cryptocurrency companies. All of this suggests not only that the 3CX attack was carried out by North Korean hackers, but that it may have been designed to breach cryptocurrency companies in order to steal from them, a common tactic of North Korean hackers who have been ordered to raise money for Kim Jong-un’s regime.

It has become a recurring theme for sophisticated, state-sponsored hackers to exploit software supply chains to access the networks of thousands of organizations, only to narrow their focus to a few victims. In the infamous 2020 SolarWinds espionage campaign, for example, Russian hackers compromised the IT monitoring software Orion to send malicious updates to about 18,000 victims, but it appears they stole data from only a few dozen of them. In the earlier CCleaner software supply chain attack, the Chinese hacker group known as Barium or WickedPanda compromised as many as 700,000 PCs, only to focus on a relatively short list of technology companies.