(CNN) – Suspected North Korean government hackers have hacked into a software company that has hundreds of thousands of customers around the world, private investigators said Thursday, in a cyberattack that demonstrates Pyongyang’s advanced cybercrime capabilities.
The hack of software company 3CX, discovered last month, offered the North Koreans a potential entry point into a huge cross-section of multinational companies, from hotel chains to healthcare providers, that use 3CX software for voice and video calls.
The number of companies affected by the hack and what the cybercriminals did after gaining access to the victims’ networks remain unclear. But this is the latest evidence that North Korean cybercriminals are doing everything they can to break into organizations to steal or spy in support of dictator Kim Jong Un’s strategic interests.
According to Charles Carmakal, chief technology officer of Mandiant Consulting, the firm contracted by 3CX to investigate the attack, it demonstrates “a higher level of offensive cyber capability on the part of North Korean agents”.
A recent CNN investigation exposed a rampant attempt by cybercriminals in North Korea to steal cryptocurrency, launder it, and convert it into money that could help fund the regime’s weapons programs. This type of North Korean cyber activity is part of the usual intelligence products provided to senior US officials, including at times President Joe Biden, a former senior US official told CNN.
In the 3CX case, Mandiant said hackers broke into the company’s software production environment by first compromising software made by another company, derivatives trading platform Trading Technologies. According to Mandiant, a 3CX employee downloaded defunct software from Trading Technologies that the hackers had manipulated.
“This is the first time we have found concrete evidence that a supply chain attack led to another supply chain attack,” Carmakal told reporters on Wednesday.
However, the impact of the attack is not clear. Any 3CX customers who have downloaded the modified software will be vulnerable.
Despite this, according to the US cybersecurity firm CrowdStrike, it is likely that the North Koreans chose far fewer victims to carry out surveillance activities on their networks.
Georgy Kucherin, a researcher at Russian cybersecurity firm Kaspersky, told CNN that suspected North Korean cybercriminals used access to 3CX to attack cryptocurrency companies late last month.
Kucherin said his company saw hackers trying to spread malicious code on “less than 10 computers” but blocked their efforts, “so nothing was stolen.”
3CX CEO Nick Galea played down the extent of the March 30 incident, telling CNN that “very few” of his clients appeared to be “really compromised” by hackers. But in an email Thursday, Galea said he didn’t know how many customers eventually downloaded the modified 3CX software, or how many customers saw subsequent hacking activity.
3CX asked its customers to update their software and check if it had been compromised.
Trading Technologies has not yet been able to verify Mandiant’s results because the company became aware of the issue last week, a Trading Technologies spokesperson told CNN Thursday.
“What we know for certain is that 3CX is neither a supplier nor a customer of Trading Technologies,” said a Trading Technologies spokesperson. “We also want to stress that this incident has nothing to do with the current TT platform.”
US officials join the investigation
The hack prompted US officials and private sector executives to determine how many US organizations might be affected.
The US Cybersecurity and Infrastructure Security Agency “continues to work with government and private sector partners to understand the implications of this hacking campaign,” a spokesperson for the agency told CNN on Thursday. “In many cases, the excellent work of the cybersecurity community has prevented significant harm for many potential victims.”
Adam Meyers, vice president of intelligence at CrowdStrike, said large-scale supply chain hacking is usually associated with hackers with ties to the Chinese or Russian state.
“The fact that it’s North Korea … shows that this is an actor who has capabilities and aspirations in the supply chain, and can have influences from them,” Meyers told CNN.