Energy sector orgs in US, Europe hit by same supply chain attack as 3CX

The same initial supply chain attack allegedly launched by North Korean hackers against enterprise phone company 3CX also affected two critical infrastructure organizations based in the United States and Europe.

On Friday, researchers from cybersecurity firm Symantec revealed that trojanized software from the financial services company Trading Technologies impacted two additional organizations in the energy sector, as well as “two other organizations involved in financial trading.”

The existence of the campaign using Trading Technologies’ software was reported Thursday by cybersecurity firm Mandiant, which traced the supply-chain attack on 3CX back to an initial access point: a malicious version of the X_Trader software downloaded by a 3CX employee.

North Korean hackers gained access to accounts through the software and then launched another supply-chain attack impacting 3CX clients and customers.

Symantec noted that it was likely “that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed.”

“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out,” they said.

Researchers did not reveal how exactly the organizations were infected by the software but said the infection chain started with a corrupted version of the X_Trader installer – which was digitally signed by the company and made to look benign.

“It appears likely that the X_Trader supply chain attack is financially motivated,” Symantec wrote, “since Trading Technologies … facilitates futures trading, including energy futures.”

The researchers added that North Korean-sponsored actors are “known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

Late last month, cybersecurity experts were alarmed when 3CX confirmed that its desktop app had been bundled with malware, potentially exposing its 600,000 customers to exploitation. The attack has been compared to the Solarwinds incident, where Russian military hackers attached malware to a tool used widely across the U.S. government.

According to Mandiant, this was the first time a software supply-chain attack — when a threat actor compromises a victim’s network by gaining access to a trusted third party already present in the network — has led to another software supply-chain attack.

Several cyber intelligence firms have confirmed that the campaign was conducted by hackers within the North Korean military’s Lazarus Group.

Researchers from cybersecurity firm ESET said this week that they discovered tools from another Lazarus hacking campaign tied back to the same command-andontrol server involved in the 3CX compromise.

“The stealthiness of a supply-chain attack makes this method of distributing malware very appealing from an attacker’s perspective, and Lazarus has already used this technique in the past,” said ESET researcher Peter Kálnai.