Technology Shout

North Korean hackers bug software used by thousands of US companies in potential crypto heist attempt

Suspected North Korean hackers have compromised a software package used by thousands of U.S. companies in a major supply chain attack that could take months to recover from, security experts said Tuesday.

Experts working on the hack told CNN they expected a long-running campaign to steal cryptocurrency to fund the North Korean regime, which often uses the stolen funds for its nuclear and missile programs.

Over the course of three hours on Tuesday morning, hackers with ties to Pyongyang gained access to the account of a software developer who manages the open source software Axios. The hackers used that access to send malicious updates to any organization that downloaded the software during this period, prompting software developers to fight for control of their accounts and cybersecurity executives across the country to assess the damage.

From healthcare to finance, companies in nearly every sector of the economy use Axios to simplify building and managing websites. Some cryptocurrency companies use the software, as do technology companies active in the crypto industry.

Mandiant, a cyber intelligence company owned by Google, said a suspected North Korean hacker group was responsible.

“We anticipate they will attempt to leverage the credentials and system access recently gained in this software supply chain attack to target and steal enterprises’ cryptocurrency,” Mandiant Chief Technology Officer Charles Carmakal told CNN. “It will likely take several months to assess the downstream impact of this activity.”

John Hammond, a security researcher at Huntress, said his company has identified about 135 infected devices belonging to about a dozen companies. But this is only a small part of the victim pool, which is expected to surge as organizations discover they have been hacked.

This is just the latest large-scale supply chain attack by Pyongyang. Three years ago, North Korean agents allegedly infiltrated another popular provider of software used by health care companies and hotel chains for voice and video calls.

North Korea’s powerful army of hackers is a vital source of revenue for the nuclear-armed, sanctions-plagued country. North Korean hackers have stolen billions of dollars from banks and cryptocurrency companies over the past few years, according to reports from the United Nations and private companies.

A White House official said in 2023 that about half of North Korea’s missile program was funded by such digital theft.

Last year, North Korean hackers stole $1.5 billion in cryptocurrency in an attack that was the largest cryptocurrency hack on record at the time.

“North Korea is not worried about their reputation or eventual identification, so while these types of operations are very noisy and high-profile, it’s a price they’re willing to pay,” said Ben Read, director of strategic threat intelligence at Wiz, a Google-owned security company.

Hammond described the hack as “well-timed” because the organization employed artificial intelligence agents to develop the software “without any scrutiny or safeguards.”

“The biggest weakness in the entire software supply chain that has opened up in this day and age is that too many people no longer read what’s in the ingredients,” Hammond told CNN.
