A hacking group tracked as Barium has made headlines over the past three years with an unusual strategy for infecting computers at scale: a particularly insidious technique known as a "software supply chain attack." By hiding malicious code inside trusted applications and software updates, supply chain attackers smuggle malware onto millions of computers in a single strike, without users seeing any sign of unauthorized activity on their machines. At the beginning of 2019, researchers concluded that a single group of hackers, most likely Chinese-speaking, had carried out these attacks, following a very similar pattern each time and abusing the distribution channels of at least six different software companies. The group is also tracked under the name Wicked Panda. ShadowPad and ShadowHammer, two names often mentioned alongside it, are not aliases of the group: ShadowPad is the backdoor planted in its NetSarang attack, and ShadowHammer is the name given to its Asus operation.
Barium's strategy is deeply troubling to security researchers, not only because it lets the attackers infect computers at scale, but because it undermines the most basic mechanisms for verifying the integrity of a computer system: legitimate software updates and digitally signed software. A signature proves only that the vendor signed what it shipped; if the malicious code was inserted before signing, the signature vouches for the backdoor along with the product. This is very different from ordinary exploitation of vulnerabilities or phishing attacks.
Barium's supply chain attacks were first spotted in 2017, when a cybersecurity company identified a backdoored version of popular server management software from the Korean company NetSarang. Puzzlingly, the malicious build carried NetSarang's own digital signature. As NetSarang eventually confirmed, the attackers had breached the company's network and injected their code into the product before it was cryptographically signed. Two more supply chain attacks, each reaching hundreds of thousands of computers, followed. A couple of months later, a corrupted version of CCleaner, a cleanup tool for Windows and macOS, was distributed to users. In January 2019, researchers discovered that the computer manufacturer Asus had been pushing a hijacked software update to its machines for at least five months; the code was different this time, but it shared some unique characteristics with the CCleaner attack. Later, code similar to that used in the Asus attack was also identified in backdoored versions of video games distributed by at least three different companies.
Barium's attacks could lead to massive system damage
The damage from these attacks could have been devastating had Barium deployed ransomware. For now, though, the group appears focused on espionage rather than destruction. Notably, it does not seem interested in profit and spies on only a tiny fraction of the machines it compromises. In the Asus case, the attackers singled out roughly 600 computers out of some 600,000 infected machines by checking each machine's MAC addresses against a list of targets carried by the implant. In the CCleaner incident, a "second-stage" spyware payload was dropped on 40 of roughly 700,000 infected computers, and researchers found only scant evidence of a "third-stage" sample that acted as a password stealer and keylogger.
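The selective targeting described above, as an added example that is not part of the original article and not any group's actual code: a minimal Python model of a MAC-address gate. The target addresses, hostnames and inventory are constructed for the demonstration, and storing the list as MD5 hashes of the canonical address is an assumption about how such a list would be kept; the only point the page supports is that the implant compared MAC addresses to a target list before delivering its second stage.

```python
import hashlib
import re

# Constructed sample data: these MAC addresses are made up for this example.
# In a real implant only the hashes would be embedded, never the addresses.
_CONSTRUCTED_TARGET_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-01",
    "0200.4c4f.4f50",
]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to 12 lowercase hex digits.

    Accepts colon-, hyphen- and Cisco dot-separated forms; rejects anything
    that does not reduce to exactly 48 bits, so an unrelated string can never
    accidentally match a target.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def mac_fingerprint(mac: str) -> str:
    """Hash of the canonical MAC (MD5 is an assumption for this example).

    Hashing lets the implant test membership without revealing who is on
    the list to anyone who reverse-engineers it.
    """
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


TARGET_FINGERPRINTS = frozenset(mac_fingerprint(m) for m in _CONSTRUCTED_TARGET_MACS)


def is_targeted(host_macs, targets=TARGET_FINGERPRINTS) -> bool:
    """Implant-side gate: fetch the second stage only if any adapter on this
    host matches a target fingerprint. Unparseable values are skipped rather
    than raised, so an oddly formatted virtual adapter cannot crash the check.
    """
    for mac in host_macs:
        try:
            fingerprint = mac_fingerprint(mac)
        except ValueError:
            continue
        if fingerprint in targets:
            return True
    return False


def triage_inventory(inventory, targets=TARGET_FINGERPRINTS):
    """Defender-side use of the same logic: given {hostname: [macs]} from an
    asset inventory, return the sorted hostnames the implant would have
    selected. Because the list holds hashes, a defender can confirm whether a
    known host was targeted but cannot enumerate the targets from the list.
    """
    return sorted(host for host, macs in inventory.items() if is_targeted(macs, targets))


# Constructed inventory for demonstration (hostnames and addresses made up).
SAMPLE_INVENTORY = {
    "ws-0042": ["00-11-22-33-44-55", "02:42:ac:11:00:02"],  # target 1, hyphen form
    "ws-0043": ["00:11:22:33:44:56"],                       # one digit off: not targeted
    "srv-lab": ["0200.4C4F.4F50", "not-a-mac"],             # target 3, Cisco dot form
    "ws-0044": ["aa:bb:cc:dd:ee:02"],                       # not targeted
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(host)
```

Run stand-alone, the script prints the hosts an analyst should examine first. The same membership test serves both sides: the implant uses it to stay silent on the hundreds of thousands of uninteresting machines it lands on, and a defender who recovers the hash list from a sample can ask whether a particular host was a target, while the hashing prevents recovering the full target list from the implant alone.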
It is still not clear how Barium breaches every company whose software it hijacks, though one supply chain attack plausibly enables the next: a backdoored remote management tool installed at one software company is a foothold into that company's network and, from there, into its own products. Very little is known about the identity of the hackers behind Barium. Evidence suggests they speak Chinese and operate from mainland China. Some clues in Barium's code link it to an earlier Chinese state-sponsored espionage group known as APT17 or Axiom, and there are also similarities to an older group named Winnti. Whatever its origins, they say little about what the group will do next; its next attack will almost certainly be an even greater challenge for researchers as Barium's methods evolve and grow in sophistication.