North Korean hackers linked to 3CX supply-chain attack, investigation finds
Enterprise phone company 3CX said on Tuesday that a recent supply-chain attack on its network — which was used by hackers to attempt to install malware on clients’ desktops — was very likely conducted by a group connected to North Korea.
The company’s chief information security officer, Pierre Jourdan, shared the interim assessment of the incident provided by cybersecurity firm Mandiant, saying the hack was being attributed to an entity Mandiant tracks as UNC4736 and assesses “with high confidence” to have “a North Korean nexus.”
3CX, which says it provides office phone systems to more than 600,000 companies globally, confirmed last month that suspected state-sponsored hackers had compromised its desktop apps for Windows and MacOS and bundled them with malware.
At the time, cybersecurity firm CrowdStrike said there was “suspected nation-state involvement” in the attack by a group it calls Labyrinth Chollima and describes as “one of the most prolific” hacking groups based in North Korea. Other researchers refer to it as the Lazarus Group.
More evidence emerged supporting this attribution when Sophos said a tool the attacker used had previously been seen in incidents attributed to Lazarus — a financially motivated hacking organization that the FBI has linked to multiple cyber heists and that is allegedly sponsored by the North Korean government.
“The code in this incident is a byte-to-byte match to those previous samples,” said Sophos in an updated blog post on the incident.
Jourdan described the incident as “a complex supply chain attack” and said the attackers “picked who would be downloading the next stages of their malware,” in a statement on 3CX’s website.
Cybersecurity experts fear that thousands of organizations could have been affected, including some of the largest companies and government agencies in the world.
The NHS has issued a cyber alert with a “High” severity ranking warning about the active intrusion campaign, telling healthcare organizations that “legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited.”