Based on Symantec's Threat Hunter Team report, the X_Trader software supply chain attack that led to last month's 3CX hack has reportedly also infiltrated a number of critical infrastructure companies in the US and Europe.
Through a trojanized X_Trader installer, a North Korea-backed threat cell that was involved in both the Trading Technologies and 3CX attacks deployed the VEILEDSIGNAL malware on victims' PCs.
The malware can inject either a communication module or destructive shellcode into the Chrome, Firefox, or Edge processes running on affected PCs.
Here’s what the company stated in a report released on April 21st:
“Two critical infrastructure firms in the energy industry, one in the US and the other in Europe, have been identified as victims. Moreover, two financial trading firms were also found to have been breached.”
What do investigations say?
Aside from 3CX, the North Korean hacking campaign has breached at least four other companies using the trojanized X_Trader software, and it may have already impacted additional, as yet unidentified, victims.
Symantec's investigation revealed that 3CX had itself been compromised through an earlier supply chain attack, raising the possibility of a campaign more widespread than originally anticipated.
Mandiant traced the supply chain attack on 3CX, which led to a major data breach, to the North Korea-backed threat group UNC4736.
UNC4736, a financially motivated group backed by North Korea's Lazarus Group, carried out Operation AppleJeus, which Google's Threat Analysis Group (TAG) previously connected to the attack on Trading Technologies' portal.
Mandiant identified the malicious activity clusters UNC3782 and UNC4469 as associated with UNC4736, based on similarities in their attack methods.