According to Microsoft, a North Korean threat group known as Diamond Sleet (Zinc) hacked into the systems of CyberLink, a Taiwanese software company that develops multimedia software such as PowerDVD as well as AI facial recognition technology², and modified a legitimate application installer to include malicious code². This code was designed to download, decrypt and load a second-stage payload, a malware called LambLoad². The malicious installer was signed with a valid CyberLink certificate and hosted on legitimate update infrastructure, making it difficult to detect².

Diamond Sleet is a sub-group of the notorious Lazarus Group, a state-sponsored hacking group that has been linked to various cyberattacks against governments, financial institutions, media outlets, and other organizations around the world³. Diamond Sleet has been conducting attacks for data theft, espionage, destruction and financial gain². In the past, it was observed targeting security researchers, penetration testers, and cybersecurity and tech company employees².

Microsoft detected the first activity related to the malicious CyberLink installer on October 20, 2023, with the file reaching more than 100 devices in Japan, Taiwan, Canada and the United States². The LambLoad malware is designed to check the compromised host for the presence of security software from CrowdStrike, FireEye and Tanium before executing malicious code². If such security products are detected, only the legitimate CyberLink application is run; otherwise, the malware proceeds to perform malicious actions². Microsoft has not seen any hands-on-keyboard activity as part of this campaign, but noted that the threat actor is known to steal sensitive data from victims, compromise software build environments, move downstream to other victims, and establish persistent access².

This is not the first time that Diamond Sleet has used a supply chain attack to target its victims. In March 2023, the group was found to have compromised another software company, Trading Technologies, and used its software to infect 3CX, a communications software provider that claims hundreds of thousands of customers around the world⁴. The hackers then used 3CX’s software to target cryptocurrency firms in a cyberattack that shows Pyongyang’s advanced hacking capabilities⁴⁵.

Microsoft has made available indicators of compromise (IoCs) to help defenders detect Diamond Sleet activity on their networks². The company also advised customers to use multi-factor authentication, enable device encryption, and install security updates to protect themselves from such attacks².

A supply chain attack is a type of cyberattack that targets the software development or distribution process, aiming to compromise the software before it reaches the end users¹. By exploiting the trust between software vendors and customers, attackers can gain access to a large number of potential victims and cause significant damage¹.

(1) North Korean Software Supply Chain Attack Hits North America, Asia. https://www.securityweek.com/north-korean-software-supply-chain-attack-hits-north-america-asia/.
(2) North Korean hackers breach software firm in significant cyberattack – CNN. https://www.cnn.com/2023/04/20/politics/north-korea-hacking-supply-chain-3cx-mandiant/index.html.
(3) Microsoft: Lazarus hackers breach CyberLink in supply chain attack. https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-breach-cyberlink-in-supply-chain-attack/.
(4) North Korea-backed hackers target CyberLink users in supply-chain …. https://techcrunch.com/2023/11/22/north-korea-backed-hackers-target-cyberlink-users-in-supply-chain-attack/.
(5) Massive 3CX Supply-Chain Hack Targeted Cryptocurrency Firms. https://www.wired.com/story/3cx-supply-chain-attack-north-korea-cryptocurrency-targets/.