Security company Kaspersky discovered that Asus’ Live Update tool was infected with malware by malicious actors. However, it seemed unlikely that Asus would be the only company to be targeted in such a way. Kaspersky confirmed this today by uncovering six other companies that were targets of the same Operation ShadowHammer.
Operation ShadowHammer Infected Multiple Software Tools
Kaspersky researchers, writing on the SecureList blog, said that the newly found malware samples leveraged algorithms that are similar to those used in the attack against Asus.
One of the companies impacted, Electronics Extreme, makes the survival game Infestation: Survivor Stories. The second, Innovative Extremist, is a web and IT infrastructure services provider that has also worked in game development. The third company, Zepetto, is from South Korea and made the video game Point Blank.
According to Kaspersky’s researchers, the attackers either had access to the source code of these companies’ software or were able to infect their software during compilation. The hackers could have infiltrated the networks of these companies. The researchers noted that this reminded them of how the CCleaner attack happened: Avast’s CCleaner update servers were infiltrated in a similar way, exposing millions of users to a trojanized CCleaner update.
Kaspersky said that three other South Korean companies were targeted, including another video game company, a conglomerate holding company and a pharmaceutical firm. The cybersecurity firm didn't share their names.
How Operation ShadowHammer Worked
Kaspersky researchers noted that the compromised video games of the first three companies targeted by Operation ShadowHammer were capable of gathering information about usernames, computer specs and configurations and operating system versions.
After being launched on the victims’ systems, the infected games would first check if certain traffic/processor monitoring tools were running and if the language used by the system was Simplified Chinese or Russian. If any of these were true, the malware within the games would stop running. Otherwise, it would collect the aforementioned system information and more.
The compromised software could also be used to download new malicious payloads from the attackers’ command and control servers. The list of potential victims was not limited to a list of MAC addresses, as was the case with the attack against Asus’ Live Update tool.
The attackers were able to infect these companies’ software via valid digital certificates, which were used to compromise their development environments. Kaspersky recommends that these companies, and others in their position, not rely only on digital signatures for the security of their software but also analyze the software code properly even after it is digitally signed.
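The recommendation above is worth making concrete. A code signature only proves that whoever held the signing key signed those bytes; if the build environment is compromised, a trojanized build is signed just as validly as a clean one. The added example below (not Kaspersky's code, nor any affected vendor's) models that situation and shows the second, independent check a release pipeline needs: rebuilding the audited source on a clean host and comparing the result byte-for-byte with what is about to ship. The signing key, the toy build step, the source, and the appended implant bytes are all constructed for the example, and HMAC-SHA256 stands in for a real asymmetric code signature so the script runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. HMAC-SHA256 replaces a
# real asymmetric code signature so the example runs on the standard library alone;
# the property that matters is the same: whoever holds the key produces valid signatures.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def sign(artifact: bytes) -> bytes:
    """Produce the vendor's signature over a release artifact."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """Signature check only: true for anything signed with the vendor key."""
    return hmac.compare_digest(sign(artifact), signature)


def build_from_source(source: bytes) -> bytes:
    """Toy deterministic build step: a fixed header plus a digest of the source.

    A real reproducible build plays the same role: a clean build host (or a
    second party) must be able to regenerate the identical artifact.
    """
    return b"TOYEXE" + hashlib.sha256(source).digest()


def reproducible(artifact: bytes, source: bytes) -> bool:
    """Independent check: does a clean rebuild of the audited source match the shipped bytes?"""
    return hashlib.sha256(artifact).digest() == hashlib.sha256(build_from_source(source)).digest()


def release_verdict(artifact: bytes, signature: bytes, source: bytes) -> dict:
    """Combine both checks; accept a release only when signature AND rebuild agree."""
    sig_ok = signature_valid(artifact, signature)
    rebuild_ok = reproducible(artifact, source)
    return {"signature": sig_ok, "reproducible": rebuild_ok, "accept": sig_ok and rebuild_ok}


# Constructed sample release: audited source, clean build, legitimately signed.
AUDITED_SOURCE = b"int main(void) { return 0; }  /* constructed game launcher source */"
CLEAN_ARTIFACT = build_from_source(AUDITED_SOURCE)
CLEAN_SIGNATURE = sign(CLEAN_ARTIFACT)

# Constructed model of a compromised build environment: an implant is appended to
# the real build output and the result is signed with the genuine vendor key, so the
# signature is valid even though the bytes never came from the audited source.
TROJANIZED_ARTIFACT = CLEAN_ARTIFACT + b"<implant bytes, constructed>"
TROJANIZED_SIGNATURE = sign(TROJANIZED_ARTIFACT)


if __name__ == "__main__":
    print("clean build:     ", release_verdict(CLEAN_ARTIFACT, CLEAN_SIGNATURE, AUDITED_SOURCE))
    print("trojanized build:", release_verdict(TROJANIZED_ARTIFACT, TROJANIZED_SIGNATURE, AUDITED_SOURCE))
```

Running the script shows the clean build passing both checks and the trojanized build passing the signature check while failing the rebuild comparison, which is exactly the gap a signature-only release gate leaves open. In a real pipeline the rebuild would run on an isolated host with pinned toolchain versions, and the comparison would be over the actual binary (or its Authenticode hash) rather than this toy digest.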
The Kaspersky researchers also warned that there may be many more companies that were targeted by the same group, but the number is currently not known. However, if Operation ShadowHammer succeeded in infecting popular developer tools, then any company that uses those affected developer tools would also be infected.