The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks

The cybersecurity industry has scrambled in recent weeks to understand the origins and fallout of the breach of 3CX, a VoIP provider whose software was corrupted by North Korea–linked hackers in a supply chain attack that seeded out malware to potentially hundreds of thousands of its customers. Cybersecurity firm Mandiant now has an answer to the mystery of how 3CX was penetrated by those state-sponsored hackers: The company was one of an untold number of victims infected with the corrupted software of another company—a rare, or perhaps even unprecedented, example of how a single group of hackers used one software supply chain attack to carry out a second one. Call it a supply-chain chain reaction.

Today, Mandiant revealed that it found patient zero for that widespread hacking operation, which hit a significant fraction of 3CX’s 600,000 customers. According to Mandiant, a 3CX employee’s PC was hacked through an earlier software-supply-chain attack that hijacked an application of the financial software firm Trading Technologies, conducted by the same hackers who compromised 3CX. That hacker group, known as Kimsuky, Emerald Sleet, or Velvet Chollima, is widely believed to be working on behalf of the North Korean regime.

Mandiant says the hackers somehow managed to slip backdoor code into an application available on Trading Technologies’ website known as X_Trader. That infected app, when it was later installed on the computer of a 3CX employee, then allowed the hackers to spread their access through 3CX’s network, reach a server 3CX used for software development, corrupt a 3CX installer application, and infect a broad swath of its customers, according to Mandiant.

“This is the first time we’ve ever found concrete evidence of a software-supply-chain attack leading to another software-supply-chain attack,” says Mandiant Consulting’s chief technology officer Charles Carmakal. “So this is very big, and very significant to us.”

Mandiant says it hasn’t been hired by Trading Technologies to investigate the original attack that exploited its X_Trader software, so it doesn’t know how the hackers altered Trading Technologies’ application or how many victims—other than 3CX—there may have been from the compromise of that trading app. The company notes that Trading Technologies had stopped supporting X_Trader in 2020, though the application was still available for download through 2022. Mandiant believes, based on a digital signature on the corrupted X_Trader malware, that Trading Technologies’ supply chain compromise occurred before November 2021, but that the 3CX follow-on supply chain attack didn’t occur until early this year.

A spokesperson for Trading Technologies told WIRED that the company had warned users for 18 months that X_Trader would no longer be supported in 2020, and that, given that X_Trader is a tool for trading professionals, there’s no reason it should have been installed on a 3CX machine. The spokesperson added that 3CX was not a customer of Trading Technologies, and that any compromise of the X_Trader application doesn’t affect its current software. 3CX didn’t respond to WIRED’s request for comment.

Exactly what the North Korean hackers sought to accomplish with their interlinked software-supply-chain attacks still isn’t entirely clear, but it appears to have been motivated in part by simple theft. Two weeks ago, cybersecurity firm Kaspersky revealed that at least a handful of the victims targeted with the corrupted 3CX application were cryptocurrency-related companies based in “Western Asia,” though it declined to name them. Kaspersky found that, as is often the case with massive software supply chain attacks, the hackers had sifted through their potential victims and delivered a piece of second-stage malware to only a tiny fraction of those hundreds of thousands of compromised networks, targeting them with “surgical precision.”