2 min

The attack by a North Korean hacker group that led to the 3CX breach has had ripple effects in the European energy infrastructure.

This week Symantec’s Threat Hunter Team found that a hacker gang’s attack on the global software supply chain led to more than just a breach at 3CX. Symantec determined that two critical infrastructure organizations in the energy sector were also hit. One of them was in the US and the other in Europe. Two financial trading organizations were also breached, Symantec notes.

3CX, the international VoIP IPBX software developer, was hacked earlier this month. It caused the company to issue a forced upgrade of the PWA client for security reasons.

Malicious installer

A North Korean-backed threat group linked to the Trading Technologies made use of a trojanized installer for X_Trader software. They deployed the VEILEDSIGNAL multi-stage modular backdoor onto victims’ systems.

Once installed, the legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer. The malware can then execute malicious shellcode or inject a communication module into Chrome, Firefox, or Edge processes running on compromised systems, according to Symantec.

EU energy grid at risk?

While Symantec didn’t name the two energy sector organizations hit by the hackers, Symantec Threat Hunter Team Director of Security Response Eric Chien told BleepingComputer that they are “power suppliers generating and supplying energy to the grid.”

Mandiant, the cybersecurity service provider, has identified the hackers behind the Trojanized X_Trader software used in the 3CX breach as UNC4736. According to the cyber sleuths, this threat actor “demonstrates varying degrees of overlap with multiple North Korean operators tracked by Mandiant Intelligence, especially with those involved in financially-motivated cybercrime operations”.

The worry is that the 3CX breach was just the beginning. Further attacks could have a severe impact on Europe’s energy grid.

“North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks. It cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation”, Symantec said.