
Mandiant bolsters the case that North Korean hackers were behind 3CX supply chain hack


Voice-over-IP software provider 3CX says an interim report from its incident responders ties the recent supply chain attack to hackers with a North Korean nexus.

3CX, which says its phone system is used by over 600,000 companies globally, hired Google-owned cybersecurity firm Mandiant to investigate last month’s massive supply chain attack on its Windows and macOS users.  While that investigation remains ongoing, an interim assessment released today bolsters previous assessments that the hackers were North Korean.

“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” Pierre Jourdan, CISO of 3CX, wrote in a blog post on Tuesday.

The term "nexus" is often used by threat intelligence firms to denote that a hacking group or campaign may originate in a particular country or be made up of native speakers, but where there isn't conclusive evidence of state direction.

Mandiant's investigation found the group initially targeted 3CX with a malware strain it calls TAXHAUL, a loader that decrypts and executes shellcode kept in a separate file placed in a system directory so that it blends in with legitimate installation files stored there.

The actor used DLL side-loading to get TAXHAUL executed, and the loader encrypts its payload with a cryptographic key that is unique to each compromised host, meaning the shellcode can only be decrypted on the infected system and not on an analyst's machine after the file has been copied off.

"The attacker likely made this design decision to increase the cost and effort of successful analysis by security researchers and incident responders," wrote Jourdan.
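The trade-off Jourdan describes can be shown in a few lines. The block below is an added illustration written for this article, not code from 3CX, Mandiant, or the TAXHAUL sample itself, whose actual key derivation the article does not describe. It assumes a hypothetical loader that derives its payload key from two host identifiers (a machine ID and a hostname, both constructed here as sample values) and uses an HMAC-based stream cipher with an authentication tag, so that a blob copied to a different host fails to decrypt rather than yielding garbage.

```python
import hashlib
import hmac
import os

# Constructed sample identifiers for the infected host and an analyst's box.
INFECTED_HOST = (b"c1e6f8a0-0000-4000-8000-00000000aaaa", b"PBX-WIN01")
ANALYST_HOST = (b"9d2b7c44-0000-4000-8000-00000000bbbb", b"IR-LAB07")


def host_key(machine_id: bytes, hostname: bytes) -> bytes:
    """Derive a 32-byte key bound to identifiers that differ on every host (hypothetical scheme)."""
    return hashlib.sha256(b"host-bound-loader-demo|" + machine_id + b"|" + hostname).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, payload: bytes) -> bytes:
    """Encrypt and authenticate a payload; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the payload if the tag verifies under this host's key, else None."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong host: key does not match, nothing recoverable offline
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def demo():
    """Seal a stand-in payload on the infected host, then try to open it on both hosts."""
    shellcode = b"\x90\x90\xcc"  # constructed placeholder, not real shellcode
    blob = seal(host_key(*INFECTED_HOST), shellcode)
    on_host = open_sealed(host_key(*INFECTED_HOST), blob)
    off_host = open_sealed(host_key(*ANALYST_HOST), blob)
    return on_host == shellcode, off_host


if __name__ == "__main__":
    print(demo())  # (True, None)
```

The practical consequence for responders is that the encrypted file on disk is not enough on its own: decryption has to happen on the compromised system, or the exact inputs the loader feeds into its key derivation have to be captured alongside the file before the host is rebuilt.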

Since the attack was first disclosed, cybersecurity firm CrowdStrike has attributed it with “high confidence” to one of the most prolific North Korean-backed hacker groups, which it calls Labyrinth Chollima. In an email to SC Media on Tuesday, a CrowdStrike spokesperson confirmed that Mandiant’s investigation appears to be consistent with that earlier attribution.

Labyrinth Chollima, a subunit of the notorious Lazarus Group, has been linked to several high-profile attacks on cryptocurrency exchanges and mining operations.  

More evidence backs up the attribution to Labyrinth Chollima. Sophos noted in its previous analysis that the code used in the attack had been seen in incidents attributed to the Lazarus Group.

A week after the incident was disclosed, Russia-based antivirus firm Kaspersky added that it observed several cryptocurrency companies being targeted in the 3CX attack with backdoor malware known as Gopuram, which North Korean-backed Lazarus Group has used since at least 2020. 

Mandiant's investigation found two other pieces of malware, which it dubs SIMPLESEA and COLDCAT, but notes that both appear to be distinct from the Gopuram malware spotted by Kaspersky.

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
