Chinese Hackers Infect Asus, Software Makers

A state-sponsored Chinese hacking group infected computer maker Asus' update servers in 2018 and malicious firmware updates were pushed out to at least 70,000 Asus computer users worldwide, the Russian antivirus firm Kaspersky Lab disclosed in a blog post today (March 25) after a story in Vice Motherboard got the scoop on Kaspersky's findings.

Credit: Lukmanazis/Shutterstock

(Image credit: Lukmanazis/Shutterstock)

Three software makers based in Asia appear to also have had their update servers infected in a similar manner, a Kaspersky spokesperson told Tom's Guide. Asus told Tom's Guide that the company would have a statement addressing this issue "tomorrow afternoon."

While tens of thousands, possibly millions, of Asus computers were infected by what Kaspersky called "Operation ShadowHammer," the infection is dormant on almost all of them. The malware was active only on 600 or so Asus machines whose MAC addresses -- the unique identification numbers for network interfaces -- were hard-coded into the malware.

"If you are not a target, the malware is virtually silent," Kaspersky researcher Costin Raiu told Vice Motherboard.

The number of infected computers is based on 57,000 machines that Kaspersky could "see" -- i.e., those with Kaspersky antivirus software already installed. Symantec, which makes Norton Security among other antivirus products, told Vice Motherboard that 13,000 machines running Symantec software were also infected.

"We are not able to calculate the total count of affected users based only on our data," the Kaspersky blog post said. "However, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide."

MORE: Best Antivirus Software

How to check if you're affected

Kaspersky has posted a software tool that you can download and run to check whether your Asus machine has been infected by the malicious firmware update. The tool will run on any Windows machine, Raiu told Tom's Guide.

Kaspersky also has an online tool with which you can check to see if one of your machine's MAC addresses (the Ethernet, Wi-Fi and Bluetooth connections will each have their own) was among the 600-odd MAC addresses on the malware's hit list.

Who else has compromised software?

A Kaspersky representative told Vice Motherboard that while Asus was aware of the issue, the Taiwanese computer maker had not notified its customers. A Kaspersky press release sent to Tom's Guide indicated that software from three other companies based in Asia was "backdoored with very similar methods and techniques," although Kaspersky did not name those companies.

A Kaspersky spokeswoman seemed to initially confirm to Tom's Guide that those three companies were also computer makers, but further clarification revealed that those were in fact software makers. Those companies have been notified of the issue.

"The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base," Kaspersky researcher Vitaly Kamluk said in the press release.

"The other vendors targeted in this attack are software vendors, not hardware," Raiu told Tom's Guide through a spokesperson. "According to our knowledge, Asus is the only hardware vendor affected by this attack."

We're not saying it's China, but ... it's China

Kaspersky had been saving its findings for its own Security Analyst Summit in Singapore next month, but freelance journalist Kim Zetter, writing for Motherboard, got word of the story and contacted Kaspersky for confirmation and comment. Her report went up about the same time as Kaspersky's blog posting. Kaspersky plans to reveal more information about the three other vendors affected at its summit.

The highly targeted nature of the attack indicates that this is an information-gathering operation run by a national intelligence service. The infected machines that Kaspersky could "see" were primarily in Russia, Germany, France, Italy and the United States, which the Kaspersky report said reflected " the distribution of Kaspersky users around the world."

However, Kaspersky didn't see many infected users in China, and it said the attack looked a lot like the work of a nation-state hacking group code-named BARIUM by Kaspersky, Microsoft and other threat researchers.

Kaspersky has a policy of never guessing which governments sponsor which hacking groups (even when it's pretty obvious), but other threat researchers have pinned BARIUM on Chinese intelligence agencies, and even Kaspersky itself lists BARIUM as one of several "Chinese-speaking actors."

How the ShadowHammer attack works

Operation ShadowHammer began infecting Asus machines through the Asus Live Update utility in June 2018 and continued doing so into November, Kaspersky said. Kaspersky's own researchers discovered the malware on Jan. 29, 2019, and notified Asus two days later.

If the infected machine has a MAC address on the malware's target list, then the malware activates a "backdoor" through which other malware can be downloaded and installed and reaches out to a command-and-control server to grab more software. MAC addresses for individual machines are not publicly listed, so the attackers must have obtained the targeted machines' MAC addresses by other means.

"They were not trying to target as many users as possible," Kamluk told Motherboard. "They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting."

Raiu told Tom's Guide that Kaspersky researchers did not know why the operation stopped infecting machines in November, and the Kaspersky blog post said it was not clear who exactly is being targeted.

Kaspersky told Motherboard that at least one machine running Kaspersky software was on the hit list, but Kaspersky researchers have not been able to figure out to whom the machine belongs. Kaspersky does not have a sample of the "second-state" malware that the backdoor malware installs.

Asus in denial?

Kamluk told Motherboard that Asus denied that its servers had been compromised when Kaspersky notified the Taiwanese computer maker of the infection. Symantec researcher Liam O'Murchu confirmed to Motherboard that the corrupted firmware updates came from the Asus servers.

"We saw the updates come down from the Live Update Asus server," O'Murchu said. "They were trojanized, or malicious updates, and they were signed by Asus."

Like many other computer makers, Asus periodically pushes out firmware and software updates that are separate from Microsoft's monthly Windows updates. These updates are cryptographically "signed" with a digital certificate that verifies the software comes from Asus.

The attackers in this case signed the malicious firmware updates with two different Asus certificates, swapping one for the other after the first one expired. All Asus machines would have accepted the updates as genuine, and antivirus software would not have been triggered.

Although Asus has stopped using both certificates to sign its own software, Kamluk told Motherboard, neither has been invalidated and at least one can still be used to installed malware on Asus machines.

Hit 'em in the supply chain

Such "supply chain" attacks, in which malicious actors sneak malware into hardware or software already on its way to targets, have happened before. Perhaps the most well-known, as Zetter noted for Motherboard, was the "Flame" attack of 2012 that hit specifically targeted machines with corrupted Windows Update software that spied on the machines.

But Flame, thought to be developed by the NSA in tandem with Israeli intelligence, didn't come straight from Microsoft's own servers, but rather from a fake Microsoft server that the attackers had set up. ShadowHammer, by contrast, was placed on Asus's own servers and pushed out to Asus computer users in the usual manner.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.