Security researchers have revealed a large supply chain attack that compromised more than 1 million computers manufactured by Taiwan-based tech giant ASUS.
The attack took place last year, between June and November, when a group of state-sponsored hackers hijacked the ASUS Live Update automatic software update server and pushed malicious updates that installed backdoors on around one million Windows computers worldwide.
The attack was discovered by cybersecurity researchers from the Russian firm Kaspersky Lab, who named it Operation ShadowHammer. They reported the issue to ASUS on Jan 31, 2019.
After analyzing more than 200 samples of the malicious updates, the researchers found that the attackers did not intend to target all users. They targeted only a specific list of users, identified by their unique MAC addresses, which were hardcoded into the malware.
The researchers extracted more than 600 unique MAC addresses from the 200+ samples used in this attack, and expect that there are further samples carrying other MAC addresses on their lists.
As in the CCleaner hack, one of the largest supply chain attacks of 2017, the malicious file was signed with legitimate ASUS digital certificates so that it appeared to be an official software update from the company, which allowed it to go undetected for a longer period.
Although the attack has not been credited to any specific APT group, there is some evidence linking it to the ShadowPad attack from 2017, which was attributed to the BARIUM APT group. The researchers suspect that BARIUM is involved in this case as well.
The backdoored version of ASUS Live Update was downloaded and installed by at least 57,000 Kaspersky users. However, the total number of affected users cannot be calculated from that data alone; the problem is likely larger and may affect more than a million users worldwide.
The attack affected users worldwide, but Kaspersky detected the majority of victims in Russia, Germany, France, Italy, and the United States.
ASUS and all antivirus companies have been notified of the attack, and the investigation is ongoing.
Kaspersky has also released an automated tool that lets users check whether they were targeted by the ShadowHammer advanced persistent threat.
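The targeting described above (a hardcoded list of victim MAC addresses) and the self-check tool mentioned here can be illustrated with a small defender-side triage script. This is an added example, not Kaspersky's tool or any code from the campaign: the target list is a constructed placeholder (the real list is not on this page), the `getmac /fo csv /nh` output format is assumed, and host MACs are compared as plain, normalized addresses.

```python
"""Defender-side check: do any of this host's MAC addresses appear on a target list?"""
import csv
import io
import re
import subprocess
from typing import List, Optional

# Constructed placeholder list; the real ShadowHammer target MACs are not on this page.
TARGETED_MACS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as lowercase colon-separated pairs, or None if it is malformed.
    Accepts '00-11-22-33-44-55', '00:11:22:33:44:55' and '001122334455'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_getmac_csv(output: str) -> List[str]:
    """Parse `getmac /fo csv /nh` output (assumed: physical address is column 1).
    Rows such as "N/A" for disconnected adapters are skipped."""
    macs = []
    for row in csv.reader(io.StringIO(output)):
        if row:
            mac = normalize_mac(row[0])
            if mac:
                macs.append(mac)
    return macs


def find_targeted(host_macs, targets=TARGETED_MACS) -> List[str]:
    """Return the host MACs present in the target list, comparing normalized forms."""
    wanted = {m for m in (normalize_mac(t) for t in targets) if m}
    return sorted(m for m in host_macs if m in wanted)


def collect_host_macs() -> List[str]:
    """Run getmac on a Windows host; on other platforms supply the list yourself."""
    out = subprocess.run(["getmac", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    return parse_getmac_csv(out)


# Constructed sample output in the getmac CSV shape, standing in for a real run.
SAMPLE_GETMAC = ('"00-11-22-33-44-55","\\Device\\Tcpip_{PLACEHOLDER-GUID-1}"\n'
                 '"DE-AD-BE-EF-00-01","\\Device\\Tcpip_{PLACEHOLDER-GUID-2}"\n'
                 '"N/A","Media disconnected"\n')

if __name__ == "__main__":
    hits = find_targeted(parse_getmac_csv(SAMPLE_GETMAC))
    print("targeted MACs found:", hits or "none")
```

A hit only means the machine's MAC is on the list the attacker selected; whether the backdoor ever ran still has to be confirmed from the installed ASUS Live Update binaries and endpoint telemetry.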