N. Korea uses upgraded backdoor scheme to attack U.S. video-conferencing firm 3CX
By Kim Boram
SEOUL, April 20 (Yonhap) -- North Korea has used its upgraded skills to stage a backdoor attack against the network of U.S. virtual phone service company 3CX last month, Mandiant, Google's cybersecurity unit, said Thursday.
3CX, which provides online voice, video conferencing and messaging services for businesses, found that its software supply chain had been attacked with information-stealing malware planted by a hacker cluster named UNC4736. The group is assessed to be a Lazarus sub-group dubbed Labyrinth Chollima; Lazarus is one of the North Korean government-led clandestine operations organizations.
"We believe a North Korean nexus threat actor, who we are calling UNC4736, was behind this attack," Charles Carmakal, consulting chief technology officer at Mandiant, said at an online media briefing.
He said Mandiant, which has worked with 3CX to investigate the massive breach, discovered that the hackers had not attacked the company's network directly. Instead, they had planted the malware into a separate software package, X Trader, a U.S. financial trading application, which led to the malicious code being transferred to the 3CX network through a 3CX employee's personal computer.
"What happened was an employee of 3CX installed the X Trader software on his personal computer, and it ended up deploying a backdoor on his personal computer, because the X Trader software was laced with malware that we call a veiled signal."
The Mandiant official said the method employed in the attack was more advanced and sophisticated than the previous schemes North Korea had used in committing cybercrimes.
"This is very notable to Mandiant because this is the first time that we've ever observed a software supply chain attack lead to another software supply chain attack," he said. "A North Korean threat actor really stepped up their skill and their sophistication, such that they're able to conduct a cascading software supply chain attack."

This photo provided by Mandiant shows Charles Carmakal, consulting chief technology officer of the company. (PHOTO NOT FOR SALE) (Yonhap)
The company also said North Korea's latest attack against 3CX targets cryptocurrency, which is widely believed to be a source of funding for the reclusive country's nuclear program.
"I think this is likely financially motivated as sort of an end goal, but this targeting also appears to be somewhat opportunistic in terms of the software supply chain," said Ben Read, head of cyber espionage analysis at Mandiant. "This backdoor would allow the North Korean actors in this case to gather some rudimentary information about the server and, sort of more importantly, pull down additional malware to enable more functionality and spread throughout the network."
brk@yna.co.kr
(END)