Attacker Targeted Cryptocurrency Firms In 3CX Campaign: Kaspersky Lab

The supply chain attack was about more than just deploying information-stealing malware onto 3CX customer systems, according to Kaspersky researchers.


The threat actor behind the 3CX supply chain compromise appears to have been targeting cryptocurrency companies with the attack, according to findings from Kaspersky Lab released Monday.

The research attempts to answer one of the biggest questions remaining about the supply chain attack against communications app maker 3CX: What was the attacker’s end goal? According to Kaspersky Lab researchers, the attack was about more than just deploying information-stealing malware onto 3CX customer systems, and may have also had immediate financial gain as a motive.

[Related: 3CX Attack Shows The Dangers Of ‘Alert Fatigue’ For Cybersecurity]

Sponsored post

In a post, the researchers wrote that the attacker has been observed deploying a backdoor, which Kaspersky has named “Gopuram,” onto infected systems belonging to unnamed cryptocurrency companies.

“Over the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack,” the researchers wrote in the post, adding that the attacker “specifically targeted cryptocurrency companies.”

According to 3CX, its customer base totals more than 600,000 organizations, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, MIT, Toyota, BMW and Honda.

The 3CX attack has drawn comparisons to some of the largest breaches to date such as the SolarWinds and Kaseya attacks.

Revenue Generation?

CrowdStrike—whose threat hunters were the first to pinpoint the 3CX campaign as a real attack—has attributed the compromise to a North Korea-affiliated group that it calls Labyrinth Chollima. In a previous interview with CRN, Adam Meyers, head of intelligence at CrowdStrike, said that hackers working on behalf of North Korea “are very capable threat actors.”

Notably, North Korea-affiliated threat actors are known to “engage in revenue generation for the regime” to fund its military activities, since the country has largely been cut off from the global economy, Meyers said in the previous interview.

In their post Monday, Kaspersky Lab researchers said their telemetry shows that “the infostealer is not the only malicious payload deployed during the 3CX supply chain attack.”

“We believe that Gopuram is the main implant and the final payload in the attack chain,” the researchers wrote, although they added that their investigation “is still far from complete.”

The Gopuram backdoor had previously been deployed against a cryptocurrency company in Southeast Asia in 2020, in an attack “attributed to the Korean-speaking threat actor Lazarus,” the Kaspersky researchers wrote.

Alert Fatigue

Nick Galea, founder and CEO of 3CX, told CyberScoop it’s probable that hundreds of thousands of customers did actually download the malicious version of the vendor’s VoIP phone system software. CRN has requested comment from 3CX and an interview with Galea.

While users did report receiving warnings from SentinelOne about the 3CX app as early as March 22, both the users and 3CX support team seemingly assumed that the detection was a false positive, at least in part due to “alert fatigue” from threat detection tools, experts told CRN.

The bottom line is that “there’s way too many alerts. We can’t catch them all,” said Christina Richmond, chief strategy and growth officer at security services and solution provider Inspira Enterprise.

In the future, it’s likely that automation and AI will do more to help with the issue, Richmond said. “But for now, there’s a lot of alert fatigue that leads us to then not pay attention to some of the most critical alerts,” she said.

After determining that the detection of malicious activity coming from the 3CX app was not a false positive, CrowdStrike’s research team publicly disclosed details about the attack in a post March 29.

3CX has hired Mandiant, a foremost incident response provider that’s owned by Google Cloud, to perform an investigation into the attack.

“We’ll continue working closely with our Mandiant advisers to investigate how this incident occurred and put in place measures to prevent any recurrence,” Galea wrote in a post Saturday.