A mysterious hacker gang is on a supply-chain hacking spree

A software supply-chain attack represents one of the most insidious forms of hacking. By breaking into a developer’s network and hiding malicious code within apps and software updates that users trust, supply-chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply-chain hacking spree—and the hackers have become more advanced and stealthy as they go.

Over the past three years, supply-chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. The group is known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply-chain attacks as its core tool. Its attacks all follow a similar pattern: seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium’s ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.

“They’re poisoning trusted mechanisms,” says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, “they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys.”

In at least two cases—one in which it hijacked software updates from computer maker Asus and another in which it tainted a version of the PC cleanup tool CCleaner—software corrupted by the group has ended up on hundreds of thousands of unwitting users’ computers. In those cases and others, the hackers could easily have unleashed unprecedented mayhem, says Silas Cutler, a researcher at Alphabet-owned security startup Chronicle who has tracked the Barium hackers. He compares the potential of those cases to the software supply-chain attack that was used to launch the NotPetya cyberattack in 2017; in that case, a Russian hacker group hijacked updates for a piece of Ukrainian accounting software to seed out a destructive worm and caused a record-breaking $10 billion in damage to companies around the world.

“If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya,” Cutler says.

So far, the group seems focused on spying rather than destruction. But its repeated supply-chain hijackings have a subtler deleterious influence, says Kaspersky’s Kamluk. “When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system,” he says. “This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors.”

Tracking clues upstream

Kaspersky first spotted the Barium hackers’ supply-chain attacks in action in July 2017, when Kamluk says a partner organization asked its researchers to help get to the bottom of strange activity on its network. Some sort of malware that didn’t trigger antivirus alerts was beaconing out to a remote server and hiding its communications in the Domain Name System protocol. When Kaspersky investigated, it found that the source of that communications was a backdoored version of NetSarang, a popular enterprise remote management tool distributed by a Korean firm.

More puzzling was that the malicious version of NetSarang’s product bore the company’s digital signature, its virtually unforgeable stamp of approval. Kaspersky eventually determined (and NetSarang confirmed) that the attackers had breached NetSarang’s network and planted their malicious code in its product before the application was cryptographically signed, like slipping cyanide into a jar of pills before the tamper-proof seal is applied.

Two months later, antivirus firm Avast revealed that its subsidiary Piriform had similarly been breached and that Piriform’s computer cleanup tool CCleaner had been backdoored in another, far more mass-scale supply-chain attack that compromised 700,000 machines. Despite layers of obfuscation, Kaspersky found that the code of that backdoor closely matched the one used in the NetSarang case.

Then in January 2019, Kaspersky found that Taiwanese computer maker Asus had pushed out a similarly backdoored software update to 600,000 of its machines going back at least five months. Though the code looked different in this case, it used a unique hashing function that it shared with the CCleaner attack, and the malicious code had been injected into a similar place in the software’s runtime functions. “There are infinite ways to compromise binary, but they stick with this one method,” says Kamluk.

Et tu, video games?

When Kaspersky scanned its customers’ machines for code similar to the Asus attack, it found the code matched with backdoored versions of video games distributed by three different companies, which had already been detected by security firm ESET: a knockoff zombie game ironically named Infestation, a Korean-made shooter called Point Blank, and a third Kaspersky and ESET decline to name. All signs point to the four distinct rounds of supply-chain attacks being tied to the same hackers.

“In terms of scale, this is now the group that is most proficient in supply-chain attacks,” says Marc-Etienne Léveillé, a security researcher with ESET. “We’ve never seen anything like this before. It’s scary, because they have control over a very large number of machines.”

“Operational restraint”

Yet by all appearances, the group is casting its vast net to spy on only a tiny fraction of the computers it compromises. In the Asus case, it filtered machines by checking their MAC addresses, seeking to target only around 600 computers out of 600,000 it compromised. In the earlier CCleaner incident, it installed a piece of “second-stage” spyware on only about 40 computers among 700,000 it had infected. Barium ultimately targets so few computers that, in most of its operations, researchers never even got their hands on the final malware payload. Only in the CCleaner case did Avast discover evidence of a third-stage spyware sample that acted as a keylogger and password-stealer. That indicates that the group is bent on spying, and its tight targeting suggests it’s not a profit-focused cybercriminal operation.

“It’s unbelievable that they’ve left all these victims on the table and only targeted a small subset,” says Chronicle’s Cutler. “The operational restraint they must carry with them has to be the highest quality.”

It’s not clear exactly how the Barium hackers are breaching all the companies whose software they hijack. But Kaspersky’s Kamluk guesses that, in some cases, one supply-chain attack enables another. The CCleaner attack, for instance, targeted Asus, which may have given Barium the access it needed to later hijack the company’s updates. That suggests the hackers may be refreshing their vast collection of compromised machines with interlinked supply-chain hijackings, while simultaneously combing that collection for specific espionage targets.

Simplified Chinese, complicated tricks

Even as they distinguish themselves as one of the most prolific and aggressive hacker groups active today, Barium’s exact identity remains a mystery. But researchers note that its hackers seem to speak Chinese, likely live in mainland China, and that the majority of their targets seem to be organizations in Asian countries like Korea, Taiwan, and Japan. Kaspersky has found Simplified Chinese artifacts in its code, and in one case the group used Google Docs as a command-and-control mechanism, letting slip a clue: the document used a resume template as a placeholder—perhaps in a bid to appear legitimate and prevent Google from deleting it—and that form was written in Chinese with a default phone number that included a country code of +86, indicating mainland China. In its most recent video game supply-chain attacks, the hackers’ backdoor was designed to activate and reach out to a command-and-control server only if the victim computer wasn’t configured to use Simplified Chinese language settings—or, more strangely, Russian.

More tellingly, clues in Barium’s code also connect it to previously known, likely Chinese hacker groups. It shares some code fingerprints with the Chinese state-sponsored spying group known as Axiom or APT17, which carried out widespread cyberespionage across government and private-sector targets going back at least a decade. But it also seems to share tooling with an older group that Kaspersky calls Winnti, which similarly showed a pattern of stealing digital certificates from video game companies. Confusingly, the Winnti group was long considered a freelance or criminal hacker group, which seemed to be selling its stolen digital certificates to other China-based hackers, according to one analysis by security firm Crowdstrike. “They may have been freelancers who joined a larger group that’s now focused on espionage,” says Michal Salat, the head of threat intelligence at Avast.