North Korean Hackers Chained Supply Chain Hacks to Reach 3CX
Mandiant Concludes 3CX Hack Was Result of Earlier Hack on Trading Software Maker
North Korean hackers' attack on desktop phone developer 3CX was the fruit of a separate and previously undisclosed supply chain attack on a financial trading software developer, concludes the Mandiant forensics team brought in to investigate.
3CX, which counts multinational corporations including Toyota, Coca-Cola and Air France as customers, disclosed infiltration by hackers into its Windows and macOS source code in late March in an incident researchers were quick to connect with North Korea (see: 3CX Desktop Client Under Supply Chain Attack).
Mandiant investigators hired by 3CX now say the source of the infection was a decommissioned but still downloadable trading software package called X_Trader, made by Chicago-based Trading Technologies. A 3CX employee downloaded the trading package, said Charles Carmakal, Mandiant chief technology officer, during a Wednesday afternoon press briefing.
"We've never seen a software supply chain attack lead to another software supply chain attack," he said. Chaining two software supply chain attacks represents a new level of sophistication for North Korean hackers.
Although the 3CX supply chain attack was likely opportunistic - attackers had no reason to believe X_Trader would lead them to 3CX - the sequence of attacks "shows an increase in cyber offense capability by North Korean threat actors," Carmakal said.
3CX CEO Nick Galea said the company has taken steps to ensure the incident cannot recur. "Our priority throughout this incident has been transparency around what we know as well as the actions we've taken," he said.
A Trading Technologies spokesperson said the company has not had time to verify Mandiant's conclusions. "We have no idea why an employee of 3CX would have downloaded X_Trader," the spokesperson said in a prepared statement. The trading package was intended for institutional derivatives trading and was decommissioned in April 2020. Mandiant believes that North Korean hackers penetrated Trading Technologies in 2022.
The application is no longer available for download. "We would also emphasize that this incident is completely unrelated to the current TT platform," the spokesperson said.
The availability of X_Trader on the Trading Technologies website past its official expiration means "there are very likely other victims out there that don't yet know they're compromised," said Carmakal.
The North Korean threat group responsible for both supply chain attacks, tracked as UNC4736, is likely related to financially motivated Pyongyang hacking activity identified as AppleJeus, Mandiant said.
"These folks are highly resourced, and they are after money, so it shows where North Korea is putting their best cyber teams is really on the financially motivated stuff," said Ben Read, Mandiant director of cyberespionage analysis.
North Korea is the rare country whose state-sponsored hackers attack for their country's financial gain. The hereditary totalitarian regime that has governed the country since 1948 has long underwritten criminal activity in a quest for hard currency it uses to fund development of weapons of mass destruction (see: Banner Year for North Korean Cryptocurrency Hacking).
The X_Trader version downloaded by the 3CX employee came loaded with backdoor malware that Google-owned Mandiant dubs "VeiledSignal." The trading software appeared legitimate since the file and its installer were signed with a digital certificate that has since expired.
The compromised X_Trader and 3CX desktop applications contained, extracted and ran backdoor payloads in the same way. VeiledSignal contains three components: the main backdoor, an injector module and a communications module, Mandiant said. The malware used the Trading Technologies website for command and control.
Google's Threat Analysis Group in March 2022 included the Trading Technologies website in a list of websites compromised by North Korean hackers using a zero-day in the Chrome browser. Google attributed the compromise to AppleJeus.