Hackers linked to China are suspected of planting malicious “back door” codes in the UK and U.S. to spy on big business, banks, energy suppliers, and the defence sector.
The software was hidden in updates from NetSarang, a provider of server-management software with offices in the U.S. and South Korea.
The research company Kaspersky Lab, who identified the threat, said in a statement: “Had the threat not been detected and patched so quickly, it could have potentially targeted hundreds of organizations worldwide.”
Their researchers found “some similarities” in the “tools, techniques and procedures” used by the attackers with the Winnti APT group, a known Chinese-speaking cyber spying group.
“This is not enough to establish a precise connection, however,” Kaspersky Lab added.
NetSarang says its customers include the U.S. defence company Lockheed Martin; National Grid, operator of Britain’s high-voltage electricity network; the Russian energy giant Gazprom; and Société Générale, the French bank.
This April, security sources warned that Britain was under attack from Chinese state-sponsored hackers conducting a global cyber-spying campaign on an unprecedented scale.
— Kaspersky Lab (@kaspersky) August 15, 2017
Kaspersky Lab has now released a software update to fix the problem, which they said will “most likely [prevent] hundreds of data-stealing attacks against [NetSarang’s] clients”.
The malicious software, dubbed ShadowPad, is one of the largest known “supply-chain” attacks seen.
A similar form of attack shut down computers around the globe this June and caused billions of dollars of damage. It spread from an infected update to accounting software thought to originate in Ukraine.
Professor Alan Woodward, of the University of Surrey, told The Times: “This is a particularly worrying attack. As far as clients were concerned this appeared to be perfectly legitimate software via an update.
“It was even digitally signed, which suggests the vendor had been penetrated thoroughly enough, maybe even an inside job, to make this look completely legitimate to customers.”
In a statement, NetSarang said: “Regretfully, the build release of our full line of products on July 18 was unknowingly shipped with a back door, which had the potential to be exploited by its creator.
“The security of our customers and user base is our highest priority and ultimately, our responsibility.
“The fact that malicious groups and entities are utilising legitimate software for illicit gain is an ever-growing concern and one NetSarang is taking very seriously.”