North Korean 3CX Hackers Also Hit Critical Infrastructure Orgs: Symantec

The North Korean hacking group behind the supply chain attack that hit 3CX also broke into two critical infrastructure organizations in the energy sector.


The North Korean hacking group behind the cascading supply chain attack that hit 3CX customers also broke into two critical infrastructure organizations in the energy sector and two other businesses involved in financial trading, according to new data from Symantec.

The sprawling attack, which started with a trojanized installer for the X_Trader trading software from Trading Technologies, also raked in high-profile victims beyond 3CX and raised concerns for future downstream impact.

Symantec’s threat intelligence unit warned in new public documentation that the two critical infrastructure organizations are located in the U.S. and Europe and represent a major source of concern.

“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern,” Symantec noted.

“North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” the anti-malware company added.

Symantec did not identify the victim organizations but shared indicators of compromise (IOCs) and other data to help defenders hunt for signs of infections.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” the company said.

“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out,” Symantec added.


As previously reported, the 3CX hack is the first known cascading supply chain attack that started after an employee downloaded compromised software from a different firm.

Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded a trojanized installer for the X_Trader trading software from Trading Technologies onto their personal computer.

The X_Trader application was retired in 2020, but it was still available on the company’s website. The malicious version, which the employee downloaded sometime in 2022, was signed with a certificate that was valid until October 2022.

The malicious X_Trader app delivered a malware named VeiledSignal, which gave the attackers administrator-level access to the 3CX employee’s device. The attackers were able to obtain corporate credentials belonging to the employee, which gave them access to 3CX systems.

Related: Malware Hunters Spot Supply Chain Attack Hitting 3CX Desktop App

Related: Inside the Cascading 3CX Supply Chain Attack

Related: Mandiant Also Links 3CX Supply Chain Attack to North Korean Hackers

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
