Just a month after the North Korea-linked APT hacker group known as Lazarus targeted 3CX in a supply chain attack, Symantec's researchers have found that two infrastructure organizations as well as two businesses involved in financial trading were affected in the same attack.
The initial compromise that affected 3CX (also known as the X-Trader software supply chain attack, and first discovered by Mandiant researchers) "spread malware via a Trojanized version of 3CX's legitimate software that was available to download from their website." As a result, customers downloaded malicious versions of the company's video-calling software.
As the investigation unfolds with new information, the names of the two critical infrastructure organizations affected have not been revealed, but they are in the power and energy sector, in the US and Europe, respectively. The attack seems to be financially motivated; while North Korea-sponsored threat actors engage in cyber espionage, they also go after funds for the regime.
Researchers warn that if important organizations are being targeted now, this could lead to further exploitation in the future.
"The impact from these infections is unknown at this time — more investigation is required and is ongoing," said Eric Chien, director of security response at Symantec, after stating that the attacks occurred between September and November last year.