
Mysterious Barium Hacker Group Disrupts Computers in Aggressive Supply Chain Hacking Activities

For as long as the personal computer has existed, hackers have sought ways to cause disruptions that ultimately benefit them, either financially or by gaining notoriety. As it turns out, a Chinese-speaking hacker group known by a variety of names, including Barium, Wicked Panda, ShadowPad, and ShadowHammer, is tied to supply chain attacks that exploited the distribution channels of six companies over the course of three years. In this repeated malicious activity, the Barium hacker group has managed to sneak its malware onto hundreds of thousands to millions of computers in a single operation.

What we have learned from hacker group attacks, and what other security firms have witnessed, is that attacking systems usually happens in waves and commonly takes many attempts. By contrast, the Barium hacker group's barrage of attacks was conducted in one huge swoop, with multiple companies breached through a single software supply chain.

What took place in the hacker group's attack on the software supply chain was the hijacking of software updates for well-known, trusted software. The TTPs (tactics, techniques, and procedures) used the Winnti backdoor as the initial foothold, a threat that has been associated with Chinese-speaking threat actors in the past.

What does the Hacker Group want?

The data pilfered in the attack appears to be limited to network credentials held inside the individual companies attacked. Code-signing certificates also appear to be among the data the hackers went after, all without being detected. The hacker group's actions are among the stealthiest many security experts have seen, and also among the most aggressive in terms of orchestrated attacks by hacker groups.

A past attack on Asus computers, in which software updates on the computer maker's systems were hijacked, reveals a lot about the hacker group's activities and how it has evolved to evade detection. Moreover, experts wonder why the hackers did not carry out other actions that could have unleashed additional chaos, given that their position closely matched the one used to launch the NotPetya cyberattack back in 2017. In that attack, updates to Ukrainian accounting software were hijacked to send out a worm, resulting in $10 billion in damages, much as the hacker group hijacked CCleaner and Asus PC software.

Currently, the attacks by Barium appear to be motivated by espionage rather than by causing damage. However, the potential for a supply chain hack to turn into something greater than its initial purpose is a looming factor that security experts should keep in the back of their minds. After all, knowing how this hacker group has become so capable and is able to launch attacks so efficiently, it could one day change its methods ever so slightly and deliver a far more devastating blow, for example with a ransomware worm, or by launching a botnet and gaining control over a large number of computers.
