Supply Chain Attack: CyberLink Breached by North Korean Hackers
North Korean hackers infiltrated Taiwanese company CyberLink, a renowned multimedia software producer. The malefactors embedded malicious code into one of CyberLink’s installers distributed through official update channels. This breach led to the infection of over 100 computers globally, including in the USA, Canada, and Japan.
According to Microsoft, the attack was orchestrated by the Lazarus group, also known as ZINC and Labyrinth Chollima. The group specializes in cyber espionage, is believed to operate in the interest of the North Korean government, and has targeted major international companies for over a decade.
The compromised CyberLink installer carried malware named LambLoad. Once the installer runs, LambLoad checks the system for security products from CrowdStrike, FireEye, and Tanium. If none is detected, it connects to one of three command-and-control servers and downloads the next stage of the malware.
The second stage is disguised as a PNG file that contains malicious code rather than an image. LambLoad extracts, decrypts, and executes that payload without writing the decrypted code to disk, which complicates its detection and removal.
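The PNG disguise described above is something a defender can check for directly: a payload that merely carries an image name will not parse as a well-formed PNG. The following is an added example, not code from the article or from Microsoft's report: a Python checker that walks the PNG chunk structure and flags a missing signature, truncation, bad chunk CRCs, and bytes appended after the IEND chunk (the appended-data case is a generalization beyond the detail the article gives). All sample inputs are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_anomalies(data: bytes) -> list:
    """Walk the chunk structure; return why this is not a clean, image-only PNG (empty list = clean)."""
    if not data.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    problems, pos = [], len(PNG_SIGNATURE)
    while True:
        if pos + 12 > len(data):            # need length(4) + type(4) + crc(4)
            problems.append("file ends before an IEND chunk")
            return problems
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name, end = ctype.decode("latin-1"), pos + 12 + length
        if end > len(data):
            problems.append(f"chunk {name!r} claims {length} bytes past end of file")
            return problems
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != stored_crc:   # CRC covers type + body
            problems.append(f"bad CRC on chunk {name!r}")
        pos = end
        if ctype == b"IEND":
            break
    if pos != len(data):                    # a genuine image carries nothing after IEND
        problems.append(f"{len(data) - pos} bytes appended after IEND")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as the known-good sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a clean image, an image with bytes stashed after IEND,
# and a non-PNG file that only carries a .png name.
SAMPLES = {
    "clean.png": minimal_png(),
    "stashed.png": minimal_png() + b"<constructed placeholder bytes, not a real payload>",
    "renamed.png": b"MZ" + b"\x90" * 60,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, png_anomalies(blob) or "ok")
```

Run over a download directory, anything that reports problems is worth a closer look; a valid signature alone proves nothing, since only the full chunk walk catches appended or corrupted data.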
Microsoft notes this technique is characteristic of Lazarus, particularly in their attacks on cryptocurrency services. The group is responsible for the largest cryptocurrency cyber incident in history in 2022 when $2 billion in digital assets were stolen from the Ronin Network blockchain.
As of now, Microsoft’s team has not detected hacker activity on the infected machines. However, Lazarus typically uses its software for cyber espionage, remaining in the system for extended periods post-hack. It is presumed they are exploiting this situation to gather valuable data and prepare for future attacks.
Lazarus is blamed for high-profile cyber attacks such as the 2014 Sony Pictures hack and the 2017 spread of the WannaCry ransomware, which caused hundreds of millions of dollars in damages.
The U.S. government has repeatedly sanctioned Lazarus and two other North Korean hacker groups, Bluenoroff and Andariel, offering up to $5 million for information about their activities.
Regarding the current attack, Microsoft informed CyberLink about the breach of their infrastructure and assisted in rectifying the vulnerability. Users of the Defender antivirus were also alerted to the threat.
The extent of data theft or other damage to CyberLink and its clients remains unclear. However, given the scale of the incident, the ramifications could be significant.
CyberLink has not yet provided comments to the press.