Recent activity by North Korea's infamous Lazarus Group provides fresh evidence of the growing threat actor interest in using trusted IT supply chain vendors as entry points to enterprise networks.
Security researchers from Kaspersky recently discovered two separate campaigns where the Lazarus Group infiltrated the network of an IT company — likely as part of a broader strategy to compromise its downstream customers.
In one of the incidents, Lazarus Group gained access to a South Korean security software vendor's network and abused the company's software to deploy two remote access Trojans (RATs) called Blindingcan and Copperhedge on a South Korean think tank's network. The US Cybersecurity & Infrastructure Security Agency (CISA) last year had issued separate alerts — one in August and the other in May — warning of the Lazarus Group using the two RATs to maintain a presence on compromised networks.
The second Lazarus supply chain attack recently observed by Kaspersky researchers involved an IT asset-monitoring product vendor based in Latvia. In this attack, the Lazarus Group once again deployed the Copperhedge backdoor on the technology provider's network.
"This was done in a careful multistage process using two layers of multiple [command and control] servers," says Ariel Jungheit, senior security researcher at Kaspersky. The attack resulted in the threat actors loading and executing the Copperhedge malware in-memory only.
But Jungheit says Kaspersky has been unable to confirm if Lazarus managed to compromise the asset management technology vendor's software products itself. Similarly, Kaspersky has not been able to determine if the Lazarus Group leveraged its access on the asset management software vendor's network to compromise any further victims.
"We did not have visibility into how Lazarus compromised the South Korean security software company nor the asset monitoring technology provider in Latvia," Jungheit says. "We take our findings at face value as an indicator of Lazarus' interest in developing supply chain capabilities."
The Lazarus Group — responsible for the WannaCry ransomware attack and numerous other malicious campaigns — is among a growing number of threat actors that have begun developing capabilities for exploiting vulnerabilities in the IT supply chain to target enterprises.
Just this week, for instance, Microsoft warned about Nobelium — the threat actor behind the SolarWinds breach — targeting trusted cloud and IT service providers in a dangerous new campaign to gain a foothold on their customer networks. Microsoft described the threat actor as having attacked more than 140 service providers since May and breaching 14 of them.
The group has been identified by the federal government as Russia's SVR spy agency.
Growing Attacker Interest
Over the last quarter, Kaspersky observed at least two other threat actors — HoneyMyte and BountyGlad — adopting the same tack. HoneyMyte basically injected a backdoor into an installer package of a fingerprint scanner product that central government employees of a South Asian country are required to use to record attendance.
Kurt Baumgartner, principal security researcher at Kaspersky, says that it is very likely the threat actor did not directly target a specific vendor in this attack. "Instead, the attackers compromised the distribution server for the software itself, which was not run by the vendor" to distribute the Trojanized installer, he says.
In the case of BountyGlad, the attackers replaced the installer for a digital certificate management software client on the vendor's distribution server with a malicious downloader. When executed on a victim system, the downloader executed the legitimate installer as well as additional malicious code, Baumgartner says.
History of Supply Chain Hacks
Supply chain attacks such as these are certainly not new. In 2019, a threat actor called Barium broke into an automated software update system at hardware maker Asus and used the access to distribute malware to customers of Asus systems. The malware — distributed as part of an operation referred to as ShadowHammer — ended up being executed on over 400,000 systems. In 2017, attackers compromised a software build system at Avast and used the company's CCleaner software to distribute malware.
While these attacks garnered considerable attention, it was the breach that SolarWinds disclosed last December that really focused attention on supply chain security as an issue of critical concern.
"If you consider the impact of supply chain attacks we've seen in recent years, it's not hard to see why an APT threat actor might find it an attractive approach," says David Emm, principal security researcher at Kaspersky. "Supply chain attacks constitute a breach in the trust relationship between a supplier and companies downstream."
An attack that leverages a compromised supplier is effectively an insider attack, he says.
Emm says supply chain attacks are within the range of most threat actors because pulling off one involves the same modus operandi used in other attacks — including the use of social engineering or exploiting vulnerabilities in software.
"The key difference, of course," he adds, "is that the target company then becomes a stepping stone into their customers' networks."