3CX Supply Chain Attack: North Korean Hackers Likely Targeted Cryptocurrency Firms
More information has come to light on the recent 3CX supply chain attack, which appears to have been conducted by North Korean hackers with the goal of targeting cryptocurrency companies.
Cybersecurity firm Kaspersky has conducted its own analysis of the incident and found links to attacks observed by the company back in 2020.
Those attacks involved a backdoor dubbed Gopuram, which had been spotted on systems belonging to a Southeast Asian cryptocurrency firm. Gopuram was present at the time on compromised devices alongside AppleJeus, malware linked to North Korea’s Lazarus group.
Kaspersky has seen only few Gopuram infections since 2020, but there was a surge in March 2023 and an analysis revealed that the surge was a result of the 3CX supply chain attack. The hackers behind the 3CX attack likely delivered the Gopuram malware to victims that were deemed of interest.
According to Kaspersky, Gopuram was deployed on less than 10 devices as part of the 3CX attack, mainly belonging to cryptocurrency companies, which suggests that the operation was aimed at this sector.
This would not be surprising considering that North Korean state-sponsored hackers have been known to steal significant amounts of cryptocurrency. UN experts said recently that last year they stole between $630 million and more than $1 billion worth of virtual assets. Cryptocurrency is used by Pyongyang to fund its national priorities and objectives, including cyber operations.
Kaspersky’s investigation further points to North Korean government-backed hackers being behind the 3CX attack, after companies such as CrowdStrike and Sophos also found links to the Lazarus group.
3CX says its business communication products are used by 600,000 companies worldwide, including major brands. The malware distributed through 3CX may have been pushed to thousands of companies, but the hackers were not interested in all of these companies. Instead, based on Kaspersky’s data, they were looking for cryptocurrency companies to which they could deliver the full-fledged Gopuram backdoor, which the security firm believes is the main implant and the final payload in the attack chain.
