The recent cyber attack on ASUS computers may have been perpetrated by the same hacker group that had targeted Microsoft in 2017, an analytical report released by the Maharashtra Cyber department has revealed. The same group was also linked to the Chinese intelligence apparatus in a 2018 study.
The attack, called Operation ShadowHammer, had affected the ASUS Live Update facility, creating backdoors in ASUS computers through malware embedded in the live updates. The State Cyber department had issued an advisory to ASUS users and had also made a tool by Kaspersky Labs available to deal with such threats.
The report, which was released on March 27, said although the precise attribution is not available at the moment, Kaspersky Labs has linked the attack to the ShadowPad incident in 2017, which had targeted Microsoft computers through a similar mode. The perpetrators of the ShadowPad attack were identified as an advanced persistent threat (APT) group known as Barium APT.
“It is not yet very clear what the ultimate goal of the attackers was, and we are still researching who were behind the attack. However, techniques used to achieve unauthorised code execution, and other discovered artefacts suggest that ShadowHammer is probably related to Barium APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays,” Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, at Kaspersky Labs, told The Hindu.
Cyber officials said Barium is known to use the Winnti backdoor, a trojan typically used by a Chinese APT of the same name, which creates backdoors in infected devices so that they can be remotely taken over by miscreants.
In 2017, the same group was alleged to have launched a sustained attack on Microsoft, specifically against its high-value devices located in Virginia, to steal sensitive information.
In a lawsuit filed by Microsoft against “John Does controlling a computer network and thereby injuring plaintiff and its customers”, Microsoft had said that Barium is “highly sophisticated, well-resourced, organised, and patient.”
“Barium specialises in targeting high-value organisations holding sensitive data, by gathering extensive information about their employees through publicly available information and social media, using that information to fashion phishing attacks intended to trick those employees into compromising their computers and networks, compromising legitimate enterprise software provider’s products not protected by anti-virus software, and disguising its activities using the names of Microsoft and other legitimate companies,” the court document, which has been accessed by The Hindu, said.
Following the 2017 incident, a study was undertaken by Protectwise, a U.S.-based company that specialises in security research and threat intelligence. A report by 401TRG (Threat Research Group), the Threat Research & Analysis Team at Protectwise, said in its summary: “We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng district of Beijing.”
The Maharashtra Cyber department’s report concluded that a machine infected in such an attack reaches out to “a command-and-control server to grab more software, and thus, such a device can be used to carry out malicious activities of any scale.”