Taiwanese hardware manufacturer ASUS on Tuesday announced a software update in response to a nation-state-linked hack and downplayed the scale of the compromise of its supply chain.
“Only a very small number of [a] specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted,” ASUS said in a press release. The statement contrasted with the findings of Kaspersky Lab researchers, who described the breach as perhaps “one of the biggest supply-chain incidents ever.”
The attackers compromised an ASUS server to send malicious updates that affected about 1 million computer users between June and November 2018, according to the researchers, though only 600 appeared to be targeted for attack. ASUS accounted for 6 percent of global PC shipments in the third quarter of 2018, according to Gartner. The company also makes mobile phones, smart home devices, and other electronics.
Researchers dubbed the hacking operation ShadowHammer and said it was the work of an advanced persistent threat (APT), a designation usually reserved for government-sponsored hackers.
Motherboard first reported news of the attack Monday and laid out the scope of the compromises. The hackers used two of ASUS’s digital certificates to sign their malware, the report said, employing a time-tested method for abusing trust in a vendor’s supply chain. Kaspersky researchers notified ASUS of the incident on Jan. 31 and met with an ASUS representative on Feb. 14, but the company was largely unresponsive after that, according to Motherboard.
CyberScoop has sent a detailed list of questions to ASUS on its response to the hack.
In its statement, ASUS said the “Live Update” software fix “introduced multiple security verification mechanisms” to keep updates from being manipulated by hackers. “At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future,” ASUS said.
The company added that its customer service unit has been contacting affected users to help them recover from the incident. Both ASUS and Kaspersky have released tools for checking computers for a ShadowHammer infection.
News of the breach of ASUS’s supply chain reverberated in the security world, with analysts offering their advice on how vendors can shore up their digital footprints.
Everyone needs to be vigilant and aware of supply chain risks. We saw it with CCleaner, we saw it with MeDoc, and now we're seeing it again at Asus. Visibility and segmentation are the way to defend against these threats. https://t.co/Xqn9X9EfFL
— Craig Williams (@security_craig) March 25, 2019
The Department of Homeland Security alerted computer users to the ASUS patch on Tuesday, asking them to verify the update had been installed.