Exactly what the North Korean hackers sought to accomplish with their interlinked software supply chain attacks still isn’t entirely clear, but it appears to have been motivated in part by simple theft. Two weeks ago, cybersecurity firm Kaspersky revealed that at least a handful of the victims targeted with the corrupted 3CX application were cryptocurrency-related companies based in “Western Asia,” though it declined to name them. Kaspersky found that, as is often the case with massive software supply chain attacks, the hackers had sifted through their potential victims and delivered a piece of second-stage malware to only a tiny fraction of those hundreds of thousands of compromised networks, targeting them with “surgical precision.”
Mandiant agrees that at least one goal of the North Korea-linked hackers is no doubt cryptocurrency theft: It points to earlier findings from Google’s Threat Analysis Group that AppleJeus, a piece of malware tied to the same hackers, was used to target cryptocurrency services via a vulnerability in Google’s Chrome browser. Mandiant also found that the same backdoor in 3CX’s software was inserted into another cryptocurrency application, CoinGoTrade, and that it shared infrastructure with yet another backdoored trading app, JMT Trading.
All of that, in combination with the group’s targeting of Trading Technologies, points to a focus on stealing cryptocurrency, says Ben Read, Mandiant’s head of cyberespionage threat intelligence. A broad supply chain attack like the one that exploited 3CX’s software would “get you in places where people are handling money,” Read says. “This is a group heavily focused on monetization.”
But Mandiant’s Carmakal notes that given the scale of these supply chain attacks, crypto-focused victims may still be just the tip of the iceberg. “I think we’ll learn about many more victims over time as it relates to one of these two software supply chain attacks,” he says.
While Mandiant describes the Trading Technologies and 3CX compromises as the first known instance of one supply chain attack leading to another, researchers have speculated for years about whether other such incidents were similarly interlinked. The Chinese group known as Winnti or Brass Typhoon, for instance, carried out no fewer than six software supply chain attacks from 2016 to 2019. And in some of those cases, the method of the hackers’ initial breach wasn’t ever discovered—and may well have been from an earlier supply chain attack.
Mandiant’s Carmakal notes that there were signs, too, that the Russian hackers responsible for the notorious SolarWinds supply chain attack were also doing reconnaissance on software development servers inside some of their victims, and were perhaps planning a follow-on supply chain attack when they were disrupted.
After all, a hacker group capable of carrying out a supply chain attack usually manages to cast a vast net that pulls in all sorts of victims—some of whom are often software developers that themselves offer a powerful vantage point from which to carry out a follow-on supply chain attack, casting out the net yet again. If 3CX is, in fact, the first company hit with this sort of supply-chain chain reaction, it’s unlikely to be the last.