A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.

"They're poisoning trusted mechanisms," says Vitaly Kamluk, the director of the Asia research team for security firm Kaspersky. When it comes to software supply chain attacks, "they’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

In at least two cases—one in which it hijacked software updates from computer maker Asus and another in which it tainted a version of the PC cleanup tool CCleaner—software corrupted by the group has ended up on hundreds of thousands of unwitting users' computers. In those cases and others, the hackers could easily have unleashed unprecedented mayhem, says Silas Cutler, a researcher at Alphabet-owned security startup Chronicle who has tracked the Barium hackers. He compares the potential of those cases to the software supply chain attack that was used to launch the NotPetya cyberattack in 2017; in that case, a Russian hacker group hijacked updates for a piece of Ukrainian accounting software to seed out a destructive worm and caused a record-breaking $10 billion in damage to companies around the world.

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," Cutler says.

So far, the group seems focused on spying rather than destruction. But its repeated supply chain hijackings have a subtler deleterious influence, says Kaspersky's Kamluk. "When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system," he says. "This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

Tracking Clues Upstream

Kaspersky first spotted the Barium hackers' supply chain attacks in action in July of 2017, when Kamluk says a partner organization asked its researchers to help get to the bottom of strange activity on its network. Some sort of malware that didn’t trigger antivirus alerts was beaconing out to a remote server and hiding its communications in the Domain Name System protocol. When Kaspersky investigated, it found that the source of those communications was a backdoored version of NetSarang, a popular enterprise remote management tool distributed by a Korean firm.
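The DNS beaconing described above is the kind of activity a resolver log can surface. As an added defender-side example that is not from the article, Kaspersky or NetSarang, the following Python heuristic scans a constructed resolver log and flags a client that keeps sending long, high-entropy labels to one registrable domain at a steady interval; the log lines, domain names and thresholds are all assumed for illustration.

```python
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the article): "<timestamp> <client> <queried name>".
# Client 10.0.0.5 sends long, high-entropy labels to one domain every six seconds.
SAMPLE_LOG = """\
2017-07-12T09:00:01 10.0.0.5 www.example.com
2017-07-12T09:00:07 10.0.0.5 0123456789abcdef0123456789abcdef.upd-check.example.net
2017-07-12T09:00:13 10.0.0.5 fedcba9876543210fedcba9876543210.upd-check.example.net
2017-07-12T09:00:19 10.0.0.5 a1b2c3d4e5f60718293a4b5c6d7e8f90.upd-check.example.net
2017-07-12T09:00:25 10.0.0.5 0f1e2d3c4b5a69788796a5b4c3d2e1f0.upd-check.example.net
2017-07-12T09:00:31 10.0.0.7 mail.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    # Bits per character; random-looking labels score near log2(alphabet size).
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registrable_domain(qname):
    # Assumption: the last two labels form the registrable domain; use a public-suffix list in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_beacons(log_text, min_hits=4, min_label_len=24, min_entropy=3.0, max_jitter=2.0):
    # Returns (client, domain, mean gap in seconds) for clients repeatedly sending long, high-entropy labels to one domain.
    hits = defaultdict(list)  # (client, domain) -> timestamps of suspicious queries
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        labels = qname.rstrip(".").split(".")
        first = labels[0] if len(labels) > 2 else ""  # only subdomain labels carry encoded data
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            hits[(client, registrable_domain(qname))].append(datetime.fromisoformat(ts))
    alerts = []
    for (client, domain), stamps in hits.items():
        if len(stamps) < max(min_hits, 2):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:  # low jitter between queries looks like a beacon
            alerts.append((client, domain, round(statistics.mean(gaps), 1)))
    return alerts
```

On the sample log the function reports 10.0.0.5 querying example.net every 6.0 seconds, while the ordinary lookups from both clients produce no alert.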

More puzzling was that the malicious version of NetSarang's product bore the company's digital signature, its virtually unforgeable stamp of approval. Kaspersky eventually determined, and NetSarang confirmed, that the attackers had breached NetSarang's network and planted their malicious code in its product before the application was cryptographically signed, like slipping cyanide into a jar of pills before the tamper-proof seal is applied.

"We’ve never seen anything like this before." Marc-Etienne Léveillé, ESET

Two months later, antivirus firm Avast revealed that its subsidiary Piriform had similarly been breached, and that Piriform's computer cleanup tool CCleaner had been backdoored in another, far more mass-scale supply chain attack that compromised 700,000 machines. Despite layers of obfuscation, Kaspersky found that the code of that backdoor closely matched the one used in the NetSarang case.