At least six other organizations were also infiltrated
As it turns out, ASUS was not the only company hit by supply chain attacks during the ShadowHammer hacking operation uncovered by Kaspersky Lab: at least six other organizations were also infiltrated by the attackers.
The Taiwanese hardware maker’s supply chain was compromised by trojanizing its ASUS Live Update utility, which, according to experts’ estimates, was eventually downloaded and installed on tens of thousands of customer computers.
However, ASUS was not the only company whose IT infrastructure was infiltrated during Operation ShadowHammer: Kaspersky’s researchers found a number of other, similar malware samples that were likewise signed with legitimate certificates.
The cybersecurity firm discovered that the ASUS samples and the newly discovered ones used very similar algorithms to calculate API function hashes. Additionally, IPHLPAPI.dll was used in all of the malware samples.
Besides ASUS, three Asian gaming companies (Electronics Extreme, Innovative Extremist and Zepetto) also fell victim to Operation ShadowHammer. Kaspersky further discovered that another video game company, a conglomerate holding company and a pharmaceutical company in South Korea were targets as well.
The researchers did not name the three new victims, as they are still in the process of alerting them to the supply chain attacks they suffered.
The attackers who targeted the three Asian gaming companies were able to drop a malicious payload designed to collect system information and download additional payloads from a command-and-control (C&C) server.
Once installed on a user’s system, the trojanized games first check whether traffic and processor monitoring tools are running, or whether the system language is set to either Simplified Chinese or Russian. If any of these checks comes back true, the backdoor is programmed to stop executing automatically.
Kaspersky provided more details on the nature of Operation ShadowHammer in a blog post, saying:
“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. ‘ASUSTeK Computer Inc.’).”
If you have an ASUS computer, it is highly recommended that you download and install the latest version of the ASUS Live Update Utility to avoid falling victim to any further attacks.