Operation ShadowHammer Supply Chain Incident

Incident Impacts: Pre-Positioning and Reconnaissance
Affected Sector: Technology
Associated Intrusion Sets: APT41

The ShadowHammer cyber supply chain incident, also known as "Operation ShadowHammer", was a sophisticated attack campaign first publicly reported in March 2019. Kaspersky Lab identified the campaign and suggested that the activity started in June 2018. The attack involved an advanced persistent threat group compromising ASUS and using its 'Live Update Utility' to compromise ASUS customers in turn.

The attackers tampered with executable files downloaded from the official domain of the Taiwan-based computer manufacturer, signing them with a legitimate digital signature so that the executables appeared valid and verifiable.

The goal of the attack appears to have been to surgically target an unknown pool of users, identified by their network adapters' MAC addresses. To achieve this, the attackers hardcoded a list of MAC addresses into the trojanized samples. This list was used to identify the actual intended targets of this massive operation. More than 600 unique MAC addresses were extracted from over 200 samples used in the attack.

The attack was discovered in January 2019 by Kaspersky Lab researchers. The researchers named the incident "Operation ShadowHammer".

In earlier variants of ASUS Live Updater, the attackers replaced the WinMain function in the binary with their own. This function copied a backdoor executable out of the resource section using a hardcoded size and offset to the resource. Once the payload had been copied to heap memory, execution was transferred to it at another hardcoded offset, specific to that executable, to start the backdoor.
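The resource-section embedding described above lends itself to a simple triage check: look for a complete nested DOS/PE header inside a binary's .rsrc section. The following Python is an added example, not Kaspersky's or ASUS's code; it assumes a minimal PE layout (DOS header, PE signature, file header, section table) and runs against a constructed sample image rather than a real Live Updater binary.

```python
import struct
DOS_MAGIC, PE_MAGIC = b"MZ", b"PE\0\0"

def pe_header_offset(data, base=0):
    """Offset of the PE signature for a DOS/PE image starting at base, or None."""
    if data[base:base + 2] != DOS_MAGIC or len(data) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", data, base + 0x3C)[0]   # e_lfanew
    return pe if data[pe:pe + 4] == PE_MAGIC else None

def sections(data):
    """Yield (name, raw_offset, raw_size) for each entry in the outer image's section table."""
    pe = pe_header_offset(data)
    if pe is None:
        return
    # IMAGE_FILE_HEADER fields; index 1 = NumberOfSections, index 5 = SizeOfOptionalHeader
    hdr = struct.unpack_from("<HHIIIHH", data, pe + 4)
    table = pe + 4 + 20 + hdr[5]              # section table follows the optional header
    for i in range(hdr[1]):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode(errors="replace"), raw_ptr, raw_size

def embedded_pe_offsets(data, section_name=".rsrc"):
    """File offsets inside the named section at which a complete nested DOS/PE header begins."""
    hits = []
    for name, start, size in sections(data):
        if name != section_name:
            continue
        pos = data.find(DOS_MAGIC, start)
        while 0 <= pos < start + size:
            inner = pe_header_offset(data, pos)
            if inner is not None and inner + 4 <= start + size:
                hits.append(pos)
            pos = data.find(DOS_MAGIC, pos + 1)
    return hits

def _image(num_sections=0, section_table=b""):
    """Constructed minimal PE skeleton (DOS header, signature, file header); not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points just past the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0, 0x102)
    return bytes(dos) + PE_MAGIC + file_hdr + section_table

def build_sample():
    """Constructed outer image whose .rsrc raw data (at file offset 0x200) carries a nested PE image."""
    inner = _image()
    hdr = struct.pack("<8sIIII", b".rsrc", len(inner), 0x2000, len(inner), 0x200).ljust(40, b"\0")
    return _image(1, hdr).ljust(0x200, b"\0") + inner
```

A hit only says a second PE image sits inside the resources, which some legitimate installers also do, so treat it as a triage signal to be confirmed against the vendor's known-good build rather than as proof of tampering.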

The researchers suggest that the incident stayed undetected for a significant period partly because the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”) and partly because the ultimate victims were surgically targeted using the limited pool of MAC addresses. Kaspersky Lab experts estimate that the attack may have affected more than a million users worldwide.

Kaspersky links the attack to the actors behind the ShadowPad malware, whom it identifies as BARIUM (Microsoft's designation). Researchers at FireEye Intelligence (subsequently Mandiant) have linked follow-on activity associated with the attack to APT41.

Operation ShadowHammer Supply Chain Incident Threat Reports

APT41 (Double Dragon): A Dual Espionage and Cyber Crime Operation

This 2022 report by researchers at FireEye threat intelligence outlines the intrusion set they designate as APT41. They describe the group as 'a ...