A Recent Chinese Hack Is a Wake-up Call for the Security of the World’s Software Supply Chain – The Diplomat

No one knows, not even the ghosts (人不知,鬼不觉)
-Chinese idiom

It’s perhaps only a coincidence that there’s a famous Chinese saying that neatly summarizes a recent hack on MiMi, a Chinese messaging app. According to recent reports, a Chinese state-backed hacking group inserted malicious code into this messaging app, essentially pulling off the equivalent of the infamous SolarWinds hack. Users of MiMi were served a version of the app with malicious code added, thanks to attackers taking control of the servers that delivered the app. In short, this was a software supply chain attack in which the software delivery pipeline was compromised.

And no one knew for months.

This hack hasn’t gotten much press in Western media, potentially because this appears to be an example of Chinese state surveillance on targets that aren’t in the United States or Europe. That’s a shame because this attack points to a growing trend of software supply chain attacks, even by the Chinese government. Consequently, Western companies and governments should take note and begin preparing defenses.

Admittedly, not all of the details are known (or will ever be known), but forensic code analysis indicates that a particular Chinese state-backed hacking group (sometimes called Lucky Mouse or Iron Tiger) likely took control of servers that allowed users to download the MiMi Chinese chat application, which is aimed at Chinese-speaking users. The hackers then switched out the original software with a malicious version, adding code into the application that fetched and installed malware.

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

At that point, the malware, unknown to the user, allowed the attackers to monitor and control the software remotely. This appears to have happened in late 2021 and through the summer of 2022. Interestingly, neither the legitimate application nor the malware were digitally signed, which meant that users had no way of knowing that this software was malicious.

Observers could be forgiven for…