Supply chain attacks give attackers a big bang for their buck. Once a bad actor is inside the network of a software vendor or other supply chain organization, they can reach a large swath of that organization's clients through a single compromise.
The recent 3CX attack demonstrates both the broad reach these attacks have and the different ways attackers use them. 3CX, a business communications software vendor, has around 600,000 clients; attackers were able to reach 2,700 systems. From those, the attackers operated with surgical precision, compromising only 10 machines, according to researchers at Kaspersky Labs. Looking at this much narrower set of victims, the attackers' motivation becomes incredibly clear: steal cryptocurrency.
Researchers at CrowdStrike, Sophos, and SentinelOne have all attributed the attack to North Korea, and to a group CrowdStrike calls Labyrinth Chollima. This group primarily conducts espionage operations but, as is the case with most North Korean groups, is likely funding itself through theft.
Though all organizations should prioritize good visibility into their networks as a way to manage supply chain risk, this is not an attack the majority of organizations need to worry about. Financial institutions and others holding large amounts of financial data who use 3CX should investigate to confirm they are not compromised, though compromise is unlikely. Cryptocurrency firms that use 3CX should investigate thoroughly and work within their incident response plan to secure their networks.