The North Korean hacking group behind the cascading supply chain attack that hit 3CX customers also broke into two critical infrastructure organizations in the energy sector and two other businesses involved in financial trading, according to new data from Symantec.
The sprawling attack, which started with a trojanized installer for the X_Trader trading software from Trading Technologies, also raked in high-profile victims beyond 3CX and raised concerns for future downstream impact.
Symantec’s threat intelligence unit warned in new public documentation that the two critical infrastructure organizations are located in the U.S. and Europe and represent a major source of concern.
“It appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern,” Symantec noted.
“North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation,” the anti-malware company added.
Symantec did not identify the victim organizations but shared indicators of compromise (IOCs) and other data to help defenders hunt for signs of infections.
“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” the company said.
“The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out,” Symantec added.
As previously reported, the 3CX hack is the first known cascading supply chain attack that started after an employee downloaded compromised software from a different firm.
Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded a trojanized installer for the X_Trader trading software from Trading Technologies onto their personal computer.
The X_Trader application was retired in 2020, but it was still available on the company’s website. The malicious version, which the employee downloaded sometime in 2022, was signed with a certificate that was valid until October 2022.
The malicious X_Trader app delivered a malware named VeiledSignal, which gave the attackers administrator-level access to the 3CX employee’s device. The attackers were able to obtain corporate credentials belonging to the employee, which gave them access to 3CX systems.