Posted on April 21, 2023 at 5:19 PM
North Korean hackers target 3CX software firm highlighting sophisticated hacking capabilities
North Korean hackers gained unauthorized access to a software company claiming to have hundreds of thousands of customers globally. The attack on the 3CX software company highlighted the advanced hacking capabilities of North Korea.
North Korean hackers target 3CX software firm
The breach against 3CX was reported last month, and it showed the extent to which hackers in North Korea have been targeting multinational companies. This attack poses a huge risk as a wide range of organizations, including hotel chains and healthcare providers, use the software supported by the firm to make voice and video calls.
The number of companies that were compromised because of this hack remains unclear. Moreover, no details explain what the attackers achieved once they infiltrated the victim networks. However, this breach is the latest evidence that North Korean hackers have been breaking into organizations to steal from or spy on them in service of Pyongyang's strategic interests.
3CX hired Mandiant Consulting to investigate the hack. One of the officials at Mandiant said that the intrusion illustrated a high level of offensive cyber capability on the part of hackers in North Korea.
According to investigations, there has been an increased effort from North Korean hackers to target the cryptocurrency industry. These hackers have been stealing cryptocurrencies and laundering them through coin mixer tools. The stolen cryptocurrencies are being used to fund the country’s weapons program.
North Korea's cyber activity features in the regular intelligence reports submitted to senior officials in the US government. A report released by the UN last year also acknowledged that North Korean hackers have been stealing cryptocurrency to fund the country's missile program.
In the recent attack against 3CX, Mandiant said that the hackers wormed their way into the company's software production environment. The intrusion began with the attackers first compromising software created by another firm, Trading Technologies.
An employee at 3CX downloaded the now-defunct software created by the derivatives trading platform. The hackers had already tampered with the software, according to Mandiant. The researchers noted that this created the initial point of compromise that allowed the North Korean hackers to infiltrate 3CX systems.
The security researchers at Mandiant said it was the first time the company had detected solid evidence showing “a supply chain attack leading to another supply chain attack.”
However, the effect of this breach on 3CX has remained unclear. Any customers of the software firm that downloaded the affected software are susceptible to compromise. There is also a likelihood that the North Korean hackers singled out a small subset of the victims for follow-on activity on their networks.
The North Korean hackers also used the 3CX access to target firms operating in the cryptocurrency sector towards the end of last month. A researcher at the Kaspersky cybersecurity firm said that his firm had seen hackers deploying malicious code on less than ten computers. However, Kaspersky thwarted the attack, and no data was stolen.
The CEO of 3CX, Nick Galea, noted that only a few customers had been compromised because of the breach of the company. However, the CEO noted that he did not know how many customers had downloaded the compromised software or detected the follow-on breach.
The software company has shared details with its customers on how to update their software and check whether they were compromised. Trading Technologies has not verified the findings made by Mandiant, saying that the company only became aware of the matter last week.
A Trading Technologies spokesperson said, “What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies. We would also emphasize that this incident is completely unrelated to the current TT platform.”
US officials concerned with these hacking activities
This hacking attack resulted in US officials and private executives seeking to determine the number of American organizations that might have been affected. The US Cybersecurity and Infrastructure Security Agency (CISA) said it was working with the government and the private sector to understand the effect of this campaign.
The spokesperson from the agency said that in most cases, the work done by the cybersecurity community ensured that most of the victims suffered no significant harm. Such supply chain hacks have usually been linked to state-sponsored hackers in China and Russia.