A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree

A software supply chain attack is one of the most insidious forms of hacking. Hijackers can smuggle their malware onto millions of computers in a single operation, without the slightest sign of foul play.
Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain spree and becoming more advanced and stealthy as they go.

Over the last three years, a series of software supply chain attacks have been traced to a group of Chinese-speaking hackers known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on who is describing it. More than any other known hacker team, Barium appears to use supply chain attacks as its core tool. Their attacks all follow a similar pattern: seed out infections to a massive collection of victims, then sift through them to find espionage targets.

That is alarming not only because of Barium's ability to disrupt computers on a large scale, but also because it exploits weaknesses in the most basic trust mechanisms users rely on.

"They're poisoning trusted mechanisms," says Vitaly Kamluk, director of the Asia research team at security firm Kaspersky. When it comes to software supply chain attacks, "they're the champions of this. With the number of companies they've breached, I don't think any other groups are comparable to these guys."

In at least two cases, one in which it hijacked software updates from computer maker Asus and another in which it tainted a version of the PC cleanup tool CCleaner, software corrupted by the group ended up on hundreds of thousands of users' computers. In those cases and others, the hackers could have caused unpredictable mayhem, says Silas Cutler, a researcher at Alphabet-owned security startup Chronicle who has tracked the Barium hackers. He compares the potential of those cases to the software supply chain attack used to launch NotPetya in 2017, in which a Russian hacker group hijacked updates for a piece of Ukrainian accounting software to sow destruction and a record-breaking $10 billion in damage worldwide.

"If [Barium] ...," Cutler says, "it would be a far more devastating attack than NotPetya."

So far, the group seems focused on spying rather than destruction. But their repeated supply chain hijackings have a subtler deleterious influence, says Kaspersky's Kamluk. "When they abuse this mechanism, they're undermining trust in the core, foundational mechanisms for verifying the integrity of your system," he says. "This is a lot more important and has a bigger impact than normal exploitation of security vulnerabilities or phishing or other types of attacks."

Tracking Upstream Clues

Kaspersky first spotted the Barium hackers' supply chain attacks in action in July of 2017, when, Kamluk says, a partner organization asked his researchers to help get to the bottom of strange activity on its network. Some sort of malware that had not triggered antivirus alerts was reaching out to a remote server, hiding its communications in the domain name system protocol. When Kaspersky investigated, it found that the source of those communications was a backdoored version of NetSarang, a popular enterprise remote management tool distributed by a Korean firm.

More puzzling was that the malicious version of NetSarang's product bore the company's digital signature, its virtually unforgeable stamp of approval. Kaspersky eventually determined, and NetSarang confirmed, that the attackers had breached NetSarang's network and planted their malicious code in its product before the application was cryptographically signed, like slipping cyanide into a jar of pills before the tamper-proof seal is applied.

Two months later, an antivirus firm found that Piriform had similarly been breached, and that its computer cleanup tool CCleaner had been used to compromise over 700,000 machines. Despite layers of obfuscation, Kaspersky found that the code of that backdoor closely matched the one used in the NetSarang case.

Then in January of 2019, Kaspersky found that Taiwanese computer maker Asus had been pushing a similarly backdoored software update to 600,000 of its machines going back at least five months. The malicious code shared a unique function with the one used in the CCleaner attack, and it had been introduced into the software in a similar way. "There are infinite ways to compromise a binary, but they stick with this one method," Kamluk says.

When Kaspersky scanned its customers' machines for code similar to the Asus attack, it found the code matched backdoored versions of video games distributed by three different companies, which had already been detected by security firm ESET: a knockoff zombie game, a Korean-made shooter called PointBlank, and a third that Kaspersky and ESET declined to name. All signs point to the separate rounds of supply chain attacks being tied to the same hackers.

"We've never seen anything like this before," says Marc-Etienne Léveillé, a security researcher with ESET. "It's scary, because they have control over a lot of machines."

"Operational Restraint"

Yet by all appearances, the group is casting its vast net to spy on only a tiny fraction of the compromised computers. In the Asus case, it filtered victims by their MAC addresses, seeking to target only 600 computers out of the 600,000 it compromised. In the earlier CCleaner incident, it installed a piece of "second-stage" spyware on only 40 computers among the 700,000 it had infected. Barium's final payloads have mostly gone unseen; only in the CCleaner case did a third-stage spyware payload surface, a keylogger and password-stealer. That tight targeting, and the spyware nature of the payload, indicate that the group is bent on espionage rather than running a profit-focused cybercriminal operation.

"It's unbelievable that they've left these victims on the table and only targeted a small subset," says Chronicle's Cutler. "The operational restraint they must carry with them is of the highest quality."

It's not clear exactly how the Barium hackers are breaching the companies whose software they hijack. But Kaspersky's Kamluk guesses that in some cases, one supply chain attack may enable the next: the CCleaner attack, for instance, hit Asus, which may have given the hackers the access they needed to hijack the company's updates. That suggests the hackers may be refreshing their vast collection of compromised machines with interlinked supply chain hijackings, while simultaneously combing that collection for specific espionage targets.

Simplified Chinese, Complicated Tricks

Barium's exact identity remains a mystery. But researchers note that its hackers seem to speak Chinese, likely live in mainland China, and that the majority of their targets seem to be organizations in Asian countries like Korea, Taiwan, and Japan. Kaspersky has found simplified Chinese artifacts in its code, and in one case the group used Google Docs as a command-and-control mechanism, letting slip a clue: to prevent Google from deleting the document, they had registered it with a phone number bearing the country code +86, indicating mainland China. In its most recent video game supply chain attacks, the hackers' backdoor was designed to stop its execution on machines configured to use simplified Chinese or Russian.

More tellingly, clues in Barium's code also connect it to known, likely Chinese hacker groups. It shares elements with the Chinese state-sponsored spying group known as Axiom or APT17, and with the group Kaspersky calls Winnti, which similarly showed a pattern of stealing digital certificates from video game companies. Confusingly, the Winnti group has been considered a China-based hacker group, according to Crowdstrike. "They may have been freelancers who joined a larger group that is now focused on espionage," says Michal Salat, head of threat intelligence at Avast.

Regardless of its origins, it's Barium's future that worries Kaspersky's Kamluk. He notes that the group's malware has become stealthier. In the Asus attack, the tainted code carried its own list of targets so that it would not have to communicate with a command-and-control server, the network signal that allowed Kaspersky to find the group after its NetSarang attack. And in the video game hijacking case, Barium went so far as to corrupt the version of the Microsoft Visual Studio compiler that the game developers were using, essentially hiding one supply chain attack within another.

"There's a constant evolution of their methods, and it's growing in sophistication," Kamluk says. "As time passes, it's going to become harder and harder to catch these guys."
