North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs: Symantec

The North Korean hacking group behind the supply chain attack that hit 3CX also broke into two critical infrastructure organizations in the energy sector.

The North Korean hacking group behind the cascading supply chain attack that hit 3CX customers also broke into two critical infrastructure organizations in the energy sector and two other businesses involved in financial trading, according to new data from Symantec.

The sprawling attack, which started with a trojanized installer for the X_Trader trading software from Trading Technologies, also raked in high-profile victims beyond 3CX and raised concerns for future downstream impact.

Symantec’s threat intelligence unit warned in new public documentation that the two critical infrastructure organizations are located in the U.S. and Europe and that their compromise represents a major source of concern.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern,” Symantec noted.

“North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” the anti-malware company added.

Symantec did not identify the victim organizations but shared indicators of compromise (IOCs) and other data to help defenders hunt for signs of infections.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” the company said.

“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out,” Symantec added.

As previously reported, the 3CX hack is the first known cascading supply chain attack that started after an employee downloaded compromised software from a different firm.

Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded on their personal computer a trojanized installer for the X_Trader trading software from Trading Technologies. 

The X_Trader application was retired in 2020, but it was still available on the company’s website. The malicious version, which the employee downloaded sometime in 2022, was signed with a certificate that was valid until October 2022. 

The malicious X_Trader app delivered a malware named VeiledSignal, which gave the attackers administrator-level access to the 3CX employee’s device. The attackers were able to obtain corporate credentials belonging to the employee, which gave them access to 3CX systems.
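Symantec shared indicators of compromise so defenders can hunt for the trojanized installer and its payload; the sweep below is an added example of that hunt and is not part of the original article or of any Symantec or Mandiant tooling. It walks a directory tree, hashes every regular file in chunks (installers can be large), and flags anything whose SHA-256 or filename appears in the indicator sets. The indicator values and the sample files are constructed inside the script and are not the real 3CX or X_Trader IOCs; in practice you would load the published hash list and run the sweep over user profiles and download directories.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers never need to fit in memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, hash_iocs: set[str], name_iocs: set[str]) -> list[dict]:
    """Walk `root` and return one record per file matching a hash or filename indicator.

    Matching is case-insensitive for both hashes and names. Symlinks are skipped so
    the sweep cannot be steered outside `root` by a planted link.
    """
    hash_iocs = {h.lower() for h in hash_iocs}
    name_iocs = {n.lower() for n in name_iocs}
    hits: list[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            reasons = []
            if name.lower() in name_iocs:
                reasons.append("filename")
            digest = sha256_file(p)
            if digest in hash_iocs:
                reasons.append("sha256")
            if reasons:
                hits.append({"path": str(p), "sha256": digest, "matched_on": reasons})
    return hits


def demo() -> list[dict]:
    """Constructed scenario: a stand-in 'installer' whose hash we treat as an IOC.

    The content, hash and filename here are made up for the example; they are not
    indicators from the real 3CX or X_Trader campaign.
    """
    sample = b"CONSTRUCTED SAMPLE: stand-in for a trojanized installer, not real malware\n"
    hash_iocs = {hashlib.sha256(sample).hexdigest()}  # hypothetical hash indicator
    name_iocs = {"sample-installer.exe"}              # hypothetical filename indicator
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "Downloads"
        downloads.mkdir()
        (downloads / "sample-installer.exe").write_bytes(sample)   # matches name and hash
        (downloads / "renamed-copy.bin").write_bytes(sample)       # renamed: hash still matches
        (downloads / "notes.txt").write_bytes(b"benign content\n")  # no match
        hits = sweep(root, hash_iocs, name_iocs)
    return sorted(hits, key=lambda h: h["path"])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  sha256={hit['sha256']}  matched_on={hit['matched_on']}")
```

The renamed copy is the reason hashes matter more than names: an attacker who drops the same binary under a different filename still trips the hash indicator, while a filename-only hunt would miss it.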

Related: Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App

Related: Inside the Cascading 3CX Supply Chain Attack 

Related: Mandiant Also Links 3CX Supply Chain Attack to North Korean Hackers

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
