Mandiant Attributes Supply Chain Attack To North Korean Group, 3CX Says

The disclosure appears to confirm an earlier attribution by CrowdStrike to a group working on behalf of North Korea’s government.


Mandiant has attributed the 3CX supply chain compromise with “high confidence” to a threat actor in North Korea, a 3CX executive said in a post Tuesday.

The disclosure appears to confirm an earlier attribution by CrowdStrike—whose threat hunters were the first to pinpoint the 3CX campaign as a real attack—to a group working on behalf of North Korea’s government.


In an email to CRN Tuesday, CrowdStrike said that based on the analysis posted by 3CX, it appears Mandiant is most likely referring to the same North Korean threat actor.

3CX, a maker of communications software including the VoIP phone system app targeted in the attack, has said that its customer base totals more than 600,000 organizations, with sales exclusively through its network of 25,000 partners. Major customers listed by 3CX include American Express, McDonald’s, Coca-Cola, NHS, Toyota, BMW and Honda.

CrowdStrike has attributed the 3CX compromise to a North Korea-affiliated group that it calls Labyrinth Chollima. Mandiant has attributed the campaign to a threat actor it’s referring to as UNC4736, which “has a North Korean nexus,” according to the blog post from 3CX CISO Pierre Jourdan.

Mandiant, a foremost incident response provider that’s owned by Google Cloud, has been hired by 3CX to perform an investigation into the attack, and the attribution to a North Korean threat actor is “based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far,” Jourdan wrote.

CrowdStrike’s attribution to the threat actor working for North Korea is based on the use of certain technology, infrastructure, installation techniques and command-and-control techniques previously associated with the group, according to Adam Meyers, head of intelligence at CrowdStrike.

In a previous interview with CRN, Meyers said that the evidence pointing to North Korea is significant because “you don’t typically hear about [the country] in the same breath as supply chain attacks.” Still, while many tend to write off North Korea as a threat due to its stature overall, “North Korea is extremely confident and capable” when it comes to malicious cyber activity, he said.

“The reality is that they’ve been looking at cyber capabilities since the ’90s,” Meyers said. For instance, “they train and recruit down to the middle school level inside of North Korea,” he said.

Notably, North Korea-affiliated threat actors are known to “engage in revenue generation for the regime” to fund its military activities, since the country has largely been cut off from the global economy, Meyers said in the previous interview.

According to findings from Kaspersky Lab, the threat actor behind the 3CX supply chain compromise appears to have been targeting cryptocurrency companies with the attack.

CRN has requested comment from 3CX and an interview with Nick Galea, founder and CEO of 3CX.

Galea told CyberScoop it’s probable that hundreds of thousands of customers did actually download the malicious version of the vendor’s VoIP phone system software.

In a post Monday, Galea told partners that in the wake of the attack and “the reality of the impact on your business,” 3CX is providing resellers with a cashback credit of 15 percent for all sales in 2023. The company has also reduced the partner revenue quotas for the year, Galea said.