Truly scary story about popular program updates being "contaminated".
A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree
by Andy Greenberg
A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now, what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.
Over the last three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to
a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.
The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale, but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.
"They're poisoning trusted mechanisms," says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."
In at least two cases—one in which it hijacked software updates from computer maker Asus and another in which it tainted a version of the PC cleanup tool CCleaner—software corrupted by the group has ended up on hundreds of thousands of unwitting users' computers. In those cases and others, the hackers could easily have unleashed unprecedented mayhem, says Silas Cutler, a researcher at Alphabet-owned security startup Chronicle who has tracked the Barium hackers. He compares the potential of those cases to the software supply chain attack that was used to launch the NotPetya cyberattack in 2017; in that case, a Russian hacker group hijacked updates for a piece of Ukrainian accounting software to seed out a destructive worm and caused a record-breaking $10 billion in damage to companies around the world.
"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," Cutler says.
So far, the group seems focused on spying rather than destruction.
Story Continues