Modified X_Trader software led to compromise of two critical infrastructure targets, Symantec says

Two targets in the energy sector are among the victims of a supply chain attack that is linked to North Korea and with a growing list of victims.
A North Korean flag flutters in the propaganda village of Gijungdong as seen from South Korea's Taesungdong freedom village, in the Demilitarized zone dividing the two Koreas in Paju on September 30, 2019. (Photo by JUNG YEON-JE/AFP via Getty Images)

Two critical infrastructure organizations in the energy sector — one in the United States and another in Europe — are among the victims of a supply chain attack relying on modified financial services software that has been implicated in a separate, second supply chain attack affecting the communications provider 3CX, researchers with Symantec’s Threat Hunter Team said Friday.

The unnamed critical infrastructure entities in the energy sector — along with two other unnamed organizations involved in financial trading — are the first additional victims to be identified of the modified 2020 X_Trader software installer used by what are believed to be hackers aligned with North Korea.

The hackers, whose primary goal appears to be financial gain, carried out what Mandiant described Thursday as perhaps the first software supply chain attack that led to a second software supply chain attack, when they first compromised the X_Trader installer and then used that access to carry out a supply chain attack that compromised a version of 3CX’s desktop app.

The energy sector entities were targeted by the malicious X_Trader installer some time between September and October of 2022.


Even though the attackers appear to be financially motivated, “the compromise of critical infrastructure targets is a source of concern,” the Symantec researchers said. “North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.”

The X_Trader software was produced by Chicago-based Trading Technologies as a professional trading tool but decommissioned in April 2020. The software was still available for download from the company’s site in early 2022 and was compromised in February 2022, Mandiant said in their Thursday report.

3CX, an online communications and VoIP software developer, hired Mandiant to investigate the attack on its software installers after modified versions emerged in late March. Mandiant’s report found that a 3CX employee had downloaded one of the modified versions of the X_Trader installers. Data associated with the malware suggests it was the work of North Korean-aligned hackers with a history of targeting cryptocurrency entities and exchanges in order to steal money for the North Korean regime.

Officials at Mandiant who responded to the breach feared that it was only a matter of time before additional victims of the North Korean operation. With Symantec’s Friday report, the total number of identified victims comes to six, but that number is likely to rise.

“The discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed,” Symantec’s researchers wrote Friday. “The attackers behind these breaches clearly have a successful template for software supply chain attacks and further, similar attacks cannot be ruled out.”

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts