
The Rise of a Sophisticated Cyber Threat: Unveiling the Hong Kong Supply Chain Cyberattack Takedown


Previously unknown hacking group targets Hong Kong organizations in supply chain cyberattack

A new hacking campaign

In a recent analysis, researchers from the Symantec Threat Hunter Team, part of Broadcom, uncovered a previously unknown hacking campaign targeting organizations in Hong Kong and elsewhere in Asia. The attackers compromised a software update file of Cobra DocGuard, a file protection and encryption product, in order to deploy the Korplug backdoor (also known as PlugX), a widely used piece of malware. Notably, the malware was signed with a legitimate Microsoft certificate, which made it harder for security software to flag.

Selective targeting and attribution challenges

The campaign, which began in April 2023, was detected on approximately 100 computers across multiple organizations. Given that the Cobra DocGuard software is installed on only about 2,000 computers, the attackers appear to be selecting specific victims rather than infecting every host that received the update. Researchers have dubbed the unknown group behind the campaign “Carderbee.” Attribution is difficult, however, because the Korplug backdoor is shared by several China-linked Advanced Persistent Threat (APT) groups.

Similarities with previous attacks

The tactics and techniques used in this campaign bear similarities to a prior hacking effort tracked as LuckyMouse (also known as APT27, Emissary Panda, and Bronze Union). In September 2022, the LuckyMouse group compromised Cobra DocGuard update files to target a Hong Kong-based gambling company, delivering a variant of the Korplug malware. These similarities suggest a possible Chinese connection, as China-linked APT groups commonly employ the Korplug backdoor.

Impacts and analysis

The researchers describe the attackers as “patient and skilled actors” who utilize both supply chain attacks and signed malware to fly under the radar. While the specific victims of this campaign were not disclosed, the primary targets appear to be organizations in Hong Kong. The case serves as a reminder that software supply chain attacks present a significant threat to organizations in all sectors. It also highlights the ongoing challenge of attribution in the cyber realm.

Editorial: The broader implications of supply chain attacks

The rising threat of supply chain attacks

The recent supply chain attack targeting organizations in Hong Kong further underscores the growing threat posed by such attacks. In a rapidly digitizing world, where software and hardware components often originate from multiple sources, attackers are finding ingenious ways to infiltrate networks and systems by compromising trusted software updates or introducing malicious components. These attacks have the potential to cause widespread damage and compromise the security of countless organizations and individuals.

The challenges of attribution

One of the significant challenges in dealing with supply chain attacks is attribution. Due to the complex nature of these attacks, it is often difficult to pinpoint the exact source or motive of the attackers. While the Symantec researchers believe there are indications of a Chinese connection in this particular campaign, conclusive attribution remains elusive. This lack of attribution can hinder efforts to hold responsible parties accountable and can make it challenging to develop effective countermeasures.

Necessity for enhanced security measures

The recurring nature of supply chain attacks highlights the urgent need for organizations to bolster their cybersecurity measures. It is no longer sufficient to rely solely on traditional perimeter defenses. Organizations must implement robust security protocols that encompass the entire supply chain, including stringent vetting processes for software vendors and the regular monitoring and validation of software updates. Additionally, organizations should prioritize investments in cutting-edge threat intelligence and detection technologies to detect and mitigate supply chain attacks promptly.
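The validation step recommended above can be made concrete. The following is an added example, not code from the Symantec report or from the article: a staging check that accepts an update only if its SHA-256 matches a hash the vendor published out of band and its signature comes from the expected publisher, so a file carrying a valid signature from some other legitimate certificate, as described in the campaign above, is still rejected. The manifest, file names and signer names are constructed placeholders; signature validity and signer subject are assumed to come from a platform tool such as signtool or PowerShell's Get-AuthenticodeSignature and are passed in as arguments.

```python
import hashlib

# Constructed placeholder manifest: in practice fetched from the vendor over an
# independent channel (not from the update server itself), mapping file names to
# the SHA-256 the vendor computed. Not Cobra DocGuard's real update format.
GENUINE_PAYLOAD = b"constructed genuine update payload"
VENDOR_MANIFEST = {
    "docguard_update.bin": hashlib.sha256(GENUINE_PAYLOAD).hexdigest(),
}
EXPECTED_SIGNER = "CN=Example DocGuard Vendor"  # placeholder publisher subject


def evaluate_update(name, payload, signer_subject, signature_valid,
                    manifest=VENDOR_MANIFEST, expected_signer=EXPECTED_SIGNER):
    """Return (accept, reasons). Accept only if every check passes.

    signer_subject / signature_valid are assumed to be obtained from a
    platform signature tool before this policy runs.
    """
    reasons = []
    digest = hashlib.sha256(payload).hexdigest()
    expected = manifest.get(name)
    if expected is None:
        reasons.append("no manifest entry for this update file")
    elif digest != expected:
        reasons.append("hash mismatch against vendor-published manifest")
    if not signature_valid:
        reasons.append("signature does not verify")
    elif signer_subject != expected_signer:
        # A cryptographically valid signature is not enough: the signer must be
        # the vendor we expect, not merely some publisher with a trusted cert.
        reasons.append("valid signature but unexpected signer: " + signer_subject)
    return (not reasons, reasons)


def demo():
    """Genuine update versus a tampered one signed by a different publisher."""
    ok, _ = evaluate_update("docguard_update.bin", GENUINE_PAYLOAD,
                            EXPECTED_SIGNER, True)
    bad, why = evaluate_update("docguard_update.bin",
                               b"constructed tampered payload",
                               "CN=Some Other Legitimate Publisher", True)
    return ok, bad, why


if __name__ == "__main__":
    print(demo())
```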

Collaborative efforts for defense

Addressing the threat of supply chain attacks requires a collaborative effort between governments, the private sector, and cybersecurity experts. Governments should play an active role in developing and enforcing regulations to strengthen the security of supply chains. Private sector organizations, especially software vendors, must prioritize security and invest in secure development practices and regular vulnerability assessments. Cybersecurity experts should continue to share knowledge and expertise to stay ahead of evolving attack techniques.

Conclusion

The supply chain attack targeting organizations in Hong Kong serves as a stark reminder of the significant cybersecurity challenges faced by organizations worldwide. As attackers become increasingly sophisticated, it is essential for organizations of all sizes and across all sectors to recognize the potential risks associated with supply chain attacks and take proactive steps to protect their networks and data. By adopting robust security measures and fostering collaborative partnerships, we can enhance our collective defenses against the ever-evolving threat landscape.
