North Korean hackers breach software firm in significant cyberattack

By Sean Lyngaas, CNN

Suspected North Korean hackers infiltrated a software firm that claims hundreds of thousands of customers around the world in a cyberattack that shows Pyongyang’s advanced hacking capabilities, private investigators said Thursday.

The breach of the software firm 3CX, discovered last month, provided a potential foothold for the North Koreans into a huge swath of multinational firms — from hotel chains to health care providers — that use the firm’s software for voice and video calls.

The number of companies affected by the hack and what the hackers ultimately did with access to victim networks remain unclear. But it’s the latest evidence that North Korean hackers are pulling out all the stops to break into organizations to steal or spy on them in support of dictator Kim Jong Un’s strategic interests.

The hack shows “an increased level of cyber offensive capability by North Korean” operatives, said Charles Carmakal, chief technology officer at Mandiant Consulting, which 3CX hired to investigate the hack.

A recent CNN investigation found a rampant effort by North Korean hackers to steal cryptocurrency and launder it into hard cash that might help fund the regime’s weapon’s programs. Such North Korean cyber activity is part of regular intelligence products presented to senior US officials, sometimes including President Joe Biden, a senior US official previously told CNN.

In the case of 3CX, Mandiant said the hackers wormed their way into company’s software production environment by first compromising software made by another firm, derivatives trading platform Trading Technologies. A 3CX employee downloaded the now-defunct Trading Technologies software that the hackers had tampered with, according to Mandiant.

“This is the first time that we’ve ever found concrete evidence of a supply chain attack leading to another supply chain attack,” Carmakal told reporters Wednesday.

Yet the impact of the hack is unclear. Any of 3CX’s customers that downloaded the bugged software would have been susceptible to compromise. But the North Koreans likely singled out a much smaller number of victims for follow-on activity on their network, according to US cybersecurity firm CrowdStrike.

The suspected North Korean hackers did use the 3CX access to target cryptocurrency firms late last month, Georgy Kucherin, a researcher at Russian cybersecurity firm Kaspersky told CNN.

Kucherin said his firm saw the hackers trying to deploy malicious code on “less than 10 computers” but blocked their efforts, “so nothing was stolen.”

Nick Galea, 3CX’s CEO, on March 30 downplayed the scope of the incident, telling CNN that “very few” of his customers appeared to be “actually compromised” by the hackers. But in an email on Thursday, Galea said he doesn’t know how many customers ultimately downloaded the tampered 3CX software, or how many customers saw follow-on hacking activity.

3CX has instructed customers on how to update their software and check for compromise.

Trading Technologies has not been able to verify Mandiant’s findings yet because the company just became aware of the issue last week, a spokesperson for Trading Technologies told CNN on Thursday.

“What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies,” the Trading Technologies spokesperson said. “We would also emphasize that this incident is completely unrelated to the current TT platform.”

US officials join the investigation

The hack sent US officials and private executives scrambling to determine how many American organizations might be affected.

The US Cybersecurity and Infrastructure Security agency “continues to work with government and private sector partners to understand impacts from this intrusion campaign,” an agency spokesperson told CNN on Thursday. “In many cases, outstanding work by the cybersecurity community avoided significant harm for many potential victims.”

Sweeping supply chain hacks are typically associated with state-linked hackers from China or Russia, said Adam Meyers, vice president of intelligence at CrowdStrike.

“The fact that it’s North Korea … shows that this is an actor that does have supply chain capabilities and aspirations, and can have effects from them,” Meyers told CNN.

The-CNN-Wire
™ & © 2023 Cable News Network, Inc., a Warner Bros. Discovery Company. All rights reserved.