A successful breach of videoconferencing and business phone company 3CX Ltd. first reported last month was caused by a software supply chain attack on a third party, Google LLC’s Mandiant has revealed for the first time.

The 3CX breach was first detected by customers about March 22 but only came to light a week later when various cybersecurity companies identified it. As part of the cyberattack, the hackers packaged malicious code into the 3CX desktop installer and customers that already had 3CX installed also received an update that contained the malicious code.

Hackers compromising companies is nothing new, but how they did so, in this case, is unique. According to Mandiant, they had compromised the supply chain of another company first.

The other company was futures trading platform provider Trading Technologies International Inc. 3CX hired Mandiant to offer forensic analysis and they found that a 3CX employee had downloaded and installed a compromised version of Trading Technologies software that had been tampered with. Once the software had been installed, it gave the hackers access to the 3CX network, allowing them to move laterally through the network until ultimately breaching 3CX’s Windows and macOS software.

“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” the security researchers write.

Although the compromise was only discovered last month, the researchers also note that the Trading Technologies X_TRADER software had been installed by the 3CX employee in April 2022, meaning that Lazarus had access to and had been moving laterally through 3CX’s network for nearly a year.

Mandiant has linked the attack on Trading Technologies and 3CX to threat actor UNC4736, also known as Labyrinth Chollima or AppleJesus. Depending on the source, UNC4736 is either an alternative name for or a subgroup of the infamous North Korean hacking group Lazarus.

A report from ESET s.r.o. points the finger at Lazarus, saying that the gang is undertaking a campaign targeting Linux users that show strong similarities to the attack on 3CX.

Lazarus has a long record of targeting potential victims and is best known for being behind the spread of the WannaCry ransomware in 2017. Previous campaigns include Lazarus targeting Linux systems in December and the group was also linked to the theft of $615 million in cryptocurrency in the hack of the Ronin Network, the blockchain underlying the popular “Axie Infinity” game.

Jeff Williams, co-founder and chief technology officer of application security software platform provider Contrast Security Inc., told SiliconANGLE that though the idea of a “cascading software supply chain compromises” is catchy, it’s the wrong way to think about this.

“This is just an example of an extended software supply chain,” Williams explained. “It’s critical to ask your upstream suppliers about how well their supply chain, including build pipeline and development environments, is protected. Their supply chain is a part of your supply chain.”

James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., warned that organizations should continue to audit and evaluate their supply chain’s cybersecurity programs and culture and take the necessary measures to protect their sensitive data.

“By implementing robust cybersecurity criteria and facilitating collaboration, organizations must mitigate the risk of future attacks and protect their critical assets and data,” McQuiggan added. “As the cybersecurity landscape evolves, remaining vigilant and continually adapting to new threats will be crucial in maintaining a dependable defense against cybercriminals.”

Image: 3CX