Enterprise phone provider 3CX has confirmed that North Korea–backed hackers were behind last month’s supply chain attack that appeared to target cryptocurrency companies.
3CX, which provides online voice, video conferencing and messaging services for businesses, worked with cybersecurity company Mandiant to investigate the attack. Hackers compromised the company’s desktop phone software used by hundreds of thousands of organizations to plant information-stealing malware inside their customers’ corporate networks.
Pierre Jourdan, chief information security officer at 3CX, said on Tuesday that their investigation confirms that hackers linked to the North Korean regime were behind the attack.
“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736,” Jourdan said. “Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.”
Cybersecurity giant CrowdStrike last week linked the 3CX breach to hackers it calls Labyrinth Chollima, a subunit of the notorious Lazarus Group, which is known for stealthy hacks targeting cryptocurrency exchanges to fund its nuclear weapons program. Russia-based Kaspersky Lab also attributed the 3CX breach to North Korea.
Kaspersky said in its analysis of the attack that the hackers were seen deploying a backdoor, which it has named “Gopuram,” onto infected systems, noting that the attackers have “a specific interest in cryptocurrency companies.” Kaspersky added that Gopuram was deployed on less than ten machines, indicating that the attackers used this backdoor with “surgical precision.”
In a forum post last week, 3CX CEO Nick Galea said that the company is only aware of “a handful of cases” where malware has been triggered. However, the impact of the attack, along with how 3CX was compromised, remains unknown. The company claims to have over 600,000 business customers worldwide and more than 12 million active daily users.