
The big 3CX breach was actually 2 attacks linked to the supply chain


Exactly what the North Korean hackers were looking to achieve with their interconnected software supply chain attacks is still not entirely clear, but it appears to have been motivated in part by simple theft. Two weeks ago, the cybersecurity firm Kaspersky revealed that at least a handful of the victims attacked with the corrupted 3CX application were cryptocurrency-related companies based in "West Asia", though it declined to name them. Kaspersky found that, as is often the case with massive software supply chain attacks, the hackers had filtered their potential victims and delivered a piece of second-stage malware to only a small fraction of the hundreds of thousands of compromised networks, targeting them with "surgical precision."

Mandiant agrees that at least one goal of the North Korea-linked hackers is undoubtedly cryptocurrency theft. It points to earlier findings from Google's Threat Analysis Group that AppleJeus, a piece of malware linked to the same hackers, was used to attack cryptocurrency services through a vulnerability in Google's Chrome browser. Mandiant also discovered that the same backdoor found in the 3CX software was embedded in another cryptocurrency application, CoinGoTrade, and that it shared infrastructure with another backdoored trading application, JMT Trading.

All of that, in combination with the group's targeting of Trading Technologies, points to a focus on cryptocurrency theft, says Ben Read, Mandiant's head of cyber-espionage threat intelligence. A broad supply chain attack like the one that exploited 3CX's software "would take you to places where people handle money," Read says. "This is a very monetization-focused group."

But Mandiant’s Carmakal notes that given the scale of these supply chain attacks, crypto-focused victims may still be just the tip of the iceberg. “I think we will learn about many more victims over time in relation to one of these two attacks on the software supply chain,” he says.

While Mandiant describes the Trading Technologies and 3CX compromises as the first known instance of one supply chain attack leading to another, researchers have speculated for years about whether other such incidents were similarly interrelated. The Chinese group known as Winnti or Brass Typhoon, for example, carried out no fewer than six software supply chain attacks between 2016 and 2019. In some of those cases, the method of the hackers' initial breach was never discovered, and it may well have been an earlier supply chain attack.

Mandiant's Carmakal notes that there were also indications that the Russian hackers responsible for the notorious SolarWinds supply chain attack were doing reconnaissance on the software development servers inside some of their victims' networks, and may have been planning a follow-up supply chain attack when they were interrupted.

After all, a group of hackers capable of carrying out a supply chain attack usually casts a wide net that catches all kinds of victims, some of whom are often software developers themselves, offering a powerful vantage point from which to launch a further supply chain attack and cast the net once again. If 3CX is, in fact, the first company affected by this type of supply chain chain reaction, it is unlikely to be the last.
