The X_Trader software supply chain attack that led to the 3CX breach last month also affected at least several critical infrastructure organizations in the US and Europe, according to Symantec’s Threat Hunter team.
A North Korean-backed threat group linked to the Trading Technologies and 3CX attacks used a trojanized installer for the X_Trader software to deploy the VEILEDSIGNAL multi-stage modular backdoor on victim systems.
Once installed, the malware can execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems.
“Initial investigation by Symantec’s Threat Hunter team has so far revealed that the victims include two critical infrastructure organizations in the energy sector, one in the United States and the other in Europe,” the company said in a report published today.
“In addition to this, two other organizations involved in financial trading were also breached.”
While the compromise of Trading Technologies’ supply chain is the result of a financially motivated campaign, the breach of several critical infrastructure organizations is worrying, given that North Korean-backed hacking groups are also known for cyber espionage.
It is very likely that the strategic organizations compromised in this supply chain attack will also be targeted for further exploitation.
Although Symantec did not name the two energy industry organizations, Eric Chien, director of the Symantec Threat Hunter Security Response Team, told BleepingComputer that they are “providers of ‘energy generating and supplying power to the grid’.”
Large-scale attack on the supply chain
Given that at least four other entities besides 3CX were hacked using the trojanized X_Trader software, it is also highly likely that the North Korean hacking campaign has already affected other victims yet to be discovered.
“The discovery that 3CX was hacked by another earlier supply chain attack made it highly likely that other organizations would be impacted by this campaign, which now turns out to be much more extensive than previously thought,” Symantec added.
“The attackers behind these breaches clearly have a successful pattern for software supply chain attacks and further similar attacks cannot be ruled out.”
On Thursday, Mandiant linked a North Korean threat group it tracks as UNC4736 to the supply chain cascade attack that hit VoIP company 3CX in March.
UNC4736 is linked to the financially motivated North Korean-sponsored Lazarus Group behind Operation AppleGames [1, 2, 3], previously linked by Google’s Threat Analysis Group (TAG) to the compromise of the Trading Technologies website.
Based on the overlapping attack infrastructure, Mandiant also connected UNC4736 to two APT43 malicious activity clusters tracked as UNC3782 and UNC4469.