NEW YORK — Suspected North Korean hackers have bugged a behind-the-scenes softwareused by thousands of US companies in a major supply-chain attack that could take months to recover from, security experts said on Tuesday.
The hackers targeted Axios, a program that connects apps and web services, by adding their own malicious software to an update issued Monday, Google and independent cyber researchers said after the hack came to light early on Tuesday.
“Every time you load a website, check your bank balance, or open an app on your phone, there’s a good chance Axios is running somewhere in the background making that work,” said Tom Hegel, a senior researcher at SentinelOne.
The malicious software, which has since been removed, could have given hackers access to a computer’s data including access credentials, which can then be used to carry out additional data theft or other kinds of attacks.
The developers of Axios could not immediately be reached for comment. Rather than a proprietary commercial product, the software is open source, meaning the code can be openly licensed and modified by users.
Experts who are responding to the hack told CNN they expect a long-term campaign to steal cryptocurrency to fund the North Korean regime, which often spends such stolen money on its nuclear and missile programs.
For three hours on Tuesday morning, the Pyongyang-linked hackers had access to the account of a software developer who manages Axios.
The hackers used that access to send malicious updates to any organization that downloaded the software during that time, setting off a scramble by the software developer to regain control of his account and by cybersecurity executives across the country to assess the damage.
Companies in just about every sector of the economy, from health care to finance, use Axios to simplify building and managing their websites. Some cryptocurrency firms use the software, as do tech firms active in the crypto industry.
Mandiant, a cyber-intelligence firmed owned by Google, said that a suspected North Korean hacking group was responsible.
“We anticipate they will try to leverage the credentials and system access they recently obtained in this software supply chain attack to target and steal cryptocurrency from enterprises,” Charles Carmakal, Mandiant’s chief technology officer, told CNN. “It will likely take months to assess the downstream impact of this campaign.
John Hammond, a security researcher at Huntress, said his firm has identified about 135 compromised devices belonging to roughly 12 companies. But that is just a small snapshot of the pool of victims that is expected to surge as organizations discover they were hacked.
It’s only the latest sweeping supply-chain attack attributed to Pyongyang. Three years ago, North Korean operatives allegedly infiltrated another popular software provider that healthcare firms and hotel chains used for voice and video calls.
North Korea’s formidable hacking corps is an essential source of revenue for the nuclear-armed, sanctions-battered country. North Korean hackers have stolen billions of dollars from banks and cryptocurrency firms in the last several years, according to reports from the United Nations and private firms.
About half of North Korea’s missile program has been funded by such digital heists, a White House official said in 2023.
Last year, North Korean hackers stole $1.5 billion in cryptocurrency in a single attack in what was then the largest crypto hack on record.
“North Korea isn’t worried about its reputation or being eventually identified, so while these types of operations are very noisy and high profile, that’s a price they’re willing to pay,” said Ben Read, director of strategic threat intelligence at security firm Wiz, which is also owned by Google. — Agencies
Source: Saudi Gazette