In September 2017, the CCleaner hack was one of the largest supply chain attacks, infecting over 2.3 million users with a backdoored version of the software.
Today, security researchers disclosed another massive supply chain attack that compromised more than a million computers manufactured by ASUS, a Taiwanese tech giant.
In 2018, between June and November, a group of state-sponsored hackers successfully hijacked the ASUS Live automatic software update server and pushed malicious updates that installed backdoors on over one million Windows computers worldwide.
Asus was informed of the ongoing supply chain attack on January 31, 2019, according to cybersecurity researchers from the Russian company Kaspersky Lab, who discovered and dubbed the attack Operation ShadowHammer.
After analyzing over 200 malicious update samples, researchers determined that hackers did not intend to target all users, but rather a specific list of users whose MAC addresses were hardcoded into the malware.
“We were able to extract over 600 unique MAC addresses from more than 200 attack samples. Obviously, there may be additional samples with different MAC addresses in their list,” the researchers assert.
Similar to the CCleaner and ShadowPad attacks, the malicious file was signed with legitimate ASUS digital certificates so that it would appear to be an official software update and remain undetected for an extended period of time.
Researchers have not yet attributed the attack to an APT group; however, certain evidence links the most recent attack to the 2017 ShadowPad incident, which Microsoft attributed to the BARIUM APT actors behind the Winnti backdoor.
Researchers state, “Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, which we believe is also connected to this case.”
At least 57,000 Kaspersky users downloaded and installed the version of ASUS Live Update that contained a backdoor, according to Kaspersky.
“We [researchers] are unable to calculate the total number of affected users based solely on our data; however, we estimate that the true scope of the problem is much larger and may affect more than one million users globally,” Kaspersky says.
According to Symantec’s statement to Vice, the company discovered the malware on over 13,000 machines running its antivirus software.
The majority of victims identified by Kaspersky are from Russia, Germany, France, Italy, and the United States, but the malware infected users from all over the world.
Kaspersky has informed ASUS and other antivirus companies of the attack, while an investigation into the matter is ongoing.
The antivirus company has also released an automated tool for users to determine if they have been specifically targeted by the advanced persistent threat ShadowHammer.
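The targeting mechanism described above (a hardcoded list of victim MAC addresses) and the idea behind a "was I targeted?" check can be illustrated with an added example that is not Kaspersky's tool or ASUS code. It extracts MAC addresses from constructed `ipconfig /all` and `ip link` output, normalizes them, and compares them with a placeholder target list; the real ShadowHammer MAC list is not on this page.

```python
import re
import sys

# Placeholder list (constructed): the actual targeted MAC addresses are not reproduced here.
TARGETED_MACS = {"00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff"}

# Match exactly six hex octets separated by ':' or '-', and refuse to match a
# six-octet window inside a longer hex run such as a DHCPv6 DUID.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f]{2}[:-])\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b(?![:-][0-9A-Fa-f]{2})"
)

# Addresses that appear in adapter listings but never identify a host.
NON_HOST_MACS = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}


def normalize_mac(mac: str) -> str:
    """Canonical form: lower-case hex, colon separated (Windows prints dashes)."""
    return mac.lower().replace("-", ":")


def extract_macs(text: str) -> set[str]:
    """Return the set of host MAC addresses found in adapter listing output."""
    found = {normalize_mac(m.group(0)) for m in MAC_RE.finditer(text)}
    return found - NON_HOST_MACS


def targeted_matches(text: str, targets: set[str]) -> list[str]:
    """Local MACs that also appear in the target list, sorted for stable output."""
    wanted = {normalize_mac(t) for t in targets}
    return sorted(extract_macs(text) & wanted)


# Constructed sample output in the two formats a user would paste in.
SAMPLE_IPCONFIG = """Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-2B-3C-4D-00-11-22-33-44-55
"""
SAMPLE_IP_LINK = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    # Usage: pipe the output of `ipconfig /all` or `ip link` into this script.
    hits = targeted_matches(sys.stdin.read(), TARGETED_MACS)
    print("targeted adapters:", hits if hits else "none")
```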