Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms

Software supply-chain attacks, in which hackers corrupt widely used applications to push their own code to thousands or even millions of machines, have become a scourge, both insidious and potentially huge in the breadth of their impact. But the latest major software supply-chain attack, in which hackers who appear to be working on behalf of the North Korean government hid their code in the installer for a common VoIP application known as 3CX, seems so far to have had a prosaic goal: breaking into a handful of cryptocurrency companies.

Researchers at Russian cybersecurity firm Kaspersky today revealed that they identified a small number of cryptocurrency-focused firms as at least some of the victims of the 3CX software supply-chain attack that’s unfolded over the past week. Kaspersky declined to name any of those victim companies, but it notes that they’re based in “western Asia.” 

Security firms CrowdStrike and SentinelOne last week pinned the operation on North Korean hackers, who compromised 3CX installer software that’s used by 600,000 organizations worldwide, according to the vendor. Despite the potentially massive breadth of that attack, which SentinelOne dubbed “Smooth Operator,” Kaspersky has now found that the hackers combed through the victims infected with its corrupted software to ultimately target fewer than 10 machines—at least as far as Kaspersky could observe so far—and that they seemed to be focusing on cryptocurrency firms with “surgical precision.”

“This was all just to compromise a small group of companies, maybe not just in cryptocurrency, but what we see is that one of the interests of the attackers is cryptocurrency companies,” says Georgy Kucherin, a researcher on Kaspersky’s GReAT team of security analysts. “Cryptocurrency companies should be especially concerned about this attack because they are the likely targets, and they should scan their systems for further compromise.”

Kaspersky based that conclusion on the discovery that, in some cases, the 3CX supply-chain hackers used their attack to ultimately plant a versatile backdoor program known as Gopuram on victim machines, which the researchers describe as “the final payload in the attack chain.” Kaspersky says the appearance of that malware also represents a North Korean fingerprint: It has seen Gopuram used before on the same network as another piece of malware, known as AppleJeus, linked to North Korean hackers. It’s also previously seen Gopuram connect to the same command-and-control infrastructure as AppleJeus, and has seen Gopuram used previously to target cryptocurrency firms. All of that suggests not only that the 3CX attack was carried out by North Korean hackers, but that it may have been intended to breach cryptocurrency firms in order to steal from those companies, a common tactic of North Korean hackers ordered to raise money for the regime of Kim Jong-Un.

It has become a recurring theme for sophisticated state-sponsored hackers to exploit software supply chains to access the networks of thousands of organizations, only to winnow their focus down to a few victims. In 2020’s notorious Solar Winds spy campaign, for instance, Russian hackers compromised the IT monitoring software Orion to push malicious updates to about 18,000 victims, but they appear to have stolen data from only a few dozen of them. In the earlier supply chain compromise of the CCleaner software, the Chinese hacker group known as Barium or WickedPanda compromised as many as 700,000 PCs, but similarly chose to target a relatively short list of tech firms.