Today's news that hackers put backdoors into thousands of Asus computers using the company's own software update platform is a reminder of why supply-chain compromises are one of the scariest digital attacks out there.

Attackers compromised Asus’s Live Update tool to distribute malware to almost 1 million customers last year, according to initial findings researchers at the threat intelligence firm Kaspersky Lab disclosed Monday. The news was first reported by Motherboard. Asus machines accepted the tainted software because the attackers were able to sign it with a real Asus certificate (used to verify the legitimacy and trustworthiness of new code). Though the scope of the attack is broad, the hackers seem to have been seeking out a select 600 computers to target more deeply in a second-stage attack.

The Hack

Kaspersky calls the attack ShadowHammer, indicating a possible link to ShadowPad malware used in some other major software supply-chain attacks. The hackers took a real Asus update from 2015 and subtly modified it before pushing it out to Asus customers sometime in the second half of 2018. Kaspersky discovered the attack on Asus in January and disclosed it to the company on January 31. Kaspersky says its researchers met with Asus a few times and the company seems to be in the process of investigating the incident, cleaning up its systems, and establishing new defenses.

Asus did not begin notifying its customers about the situation until Kaspersky went public with the findings. "A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed," the company wrote in a statement on Tuesday. "ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."

Software supply-chain attacks are insidious, because once hackers establish the ability to create platform updates that appear to be legitimate, they can capitalize on the product's distribution base to spread their malware quickly and widely. In the case of the Asus incident, attackers were targeting more than 600 machines in particular. They took advantage of Asus' reach to do a big sweep for as many of them as possible.

"Like any other supply-chain attack, this is very opportunistic," says Costin Raiu, director of Kaspersky's global research and analysis team. "You cast a wide net to try to catch everything and then handpick what you're looking for."

Every network-connected device carries a unique identifier for each of its network interfaces, called a MAC address, and the Asus malware was programmed to check the addresses of the devices it infected. For the hundreds of thousands of Asus customers whose devices weren’t on the hackers' hit list, the malware had no effect; it wasn’t programmed to do anything else. If it ran on a targeted machine, however, it was programmed to phone home to a malicious server and download a second-stage payload to carry out a deeper attack.

For now, Kaspersky says it doesn't have a full picture of what the attackers were doing on the specially targeted machines.

Who’s Affected

Kaspersky estimates that the malware was distributed to about 1 million machines in total. Most Asus users won’t experience any long-term effects of the attack, but it remains to be seen what exactly the impacts were for people who own any of the 600 targeted machines.