Symantec: More X_Trader Supply Chain Attacks Uncovered
Energy and Financial Sector Firms Breached by North Korean Supply Chain Attack
The North Korean software supply chain attack on a Chicago financial trading software developer infected additional victims besides 3CX, including two critical infrastructure organizations in the energy sector, says the Symantec Threat Hunter Team.
The Broadcom-owned company says one of the energy sector organizations is located in the United States and the other in Europe. Two further organizations involved in financial trading are also affected by North Korea's Trojanization of the X_Trader trading software package made by Trading Technologies. "We expect there are more," said Eric Chien, director of security response, Symantec Threat Hunter Team.
A Trading Technologies spokesperson told Information Security Media Group that fewer than 100 individuals downloaded the compromised X_Trader package between Nov. 1, 2021 and July 26, 2022. "All of those individuals have been notified and advised not to open the software, to delete it immediately, and to contact their firm’s cybersecurity personnel for guidance," the spokesperson added.*
Cybersecurity firm Mandiant on Thursday identified X_Trader software as the source of the software supply chain attack on desktop phone developer 3CX. The 3CX attack marked the first known incident of one software supply chain attack leading to another, Mandiant said (see: North Korean Hackers Chained Supply Chain Hacks to Reach 3CX).
Trading Technologies decommissioned X_Trader in April 2020, but the software remained available for download on its website until sometime last year. Mandiant believes that North Korean hackers penetrated Trading Technologies in 2022. "There was no reason for anyone to download the software given that TT stopped hosting, supporting and servicing X_Trader after early 2020. We would also emphasize that this incident is completely unrelated to the current TT platform," Trading Technologies said in a prepared statement sent to reporters earlier this week.
Symantec and Mandiant agree that North Korea's motivation appears to be financial. The totalitarian Pyongyang-based Kim regime uses cryptocurrency theft to inject scarce hard currency into its moribund economy and to fuel the development of weapons of mass destruction. North Korean hackers illicitly lifted about $1.7 billion worth of digital assets - close to half of the world's cryptocurrency stolen in 2022 - blockchain analysis firm Chainalysis said earlier this year (see: Banner Year for North Korean Cryptocurrency Hacking).
*Updated April 22, 2023 02:54 UTC: Adds statement from Trading Technologies.