Anatomy of a Breach: 3CX — A Supply Chain Attack Born from Another Supply Chain Attack

> series: anatomy_of_a_breach —— part: 171 —— target: 3cx —— attacker: lazarus_group —— method: supply_chain_from_supply_chain

Hedgehog Security 31 March 2023 13 min read

A supply chain attack. Caused by another supply chain attack. Supply chains all the way down.

In late March 2023, security firms detected that the 3CX desktop application — a VoIP platform used by over 600,000 organisations globally including American Express, McDonald's, and the NHS — was distributing malware through its legitimate update channel. The compromised build had been signed with 3CX's valid digital certificate, making it appear completely legitimate. The attack was attributed to North Korea's Lazarus Group.

The investigation revealed something unprecedented: the 3CX compromise had itself originated from an earlier supply chain attack. A 3CX employee had installed a trojanised version of X_Trader — a financial trading application from Trading Technologies — which had been compromised in a separate supply chain attack. The malware from the compromised trading software gave the attackers access to 3CX's build environment, which they used to poison 3CX's desktop application updates. It was the first documented case of a supply chain attack directly causing another supply chain attack — a cascading chain of compromises that demonstrated the exponential risk of software supply chain vulnerabilities.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

When your vendor's vendor's software is the attack vector.

Supply Chain → Supply Chain
The 3CX attack was born from the Trading Technologies compromise — a cascading supply chain attack. The implication: securing your own supply chain is insufficient if your vendors' supply chains are compromised. The depth of supply chain risk is effectively unlimited. <a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain security, but the 3CX case demonstrated that supply chain risk extends beyond direct vendors.
Legitimately Signed Malware
The compromised 3CX update was signed with 3CX's valid digital certificate — making it indistinguishable from a legitimate update to traditional security tools. This is the same technique used in <a href="/blog/anatomy-of-a-breach-2020-year-review">SolarWinds/Sunburst</a> (2020). <a href="https://www.socinabox.co.uk">SOC in a Box</a> employs behavioural monitoring that detects malicious activity regardless of the legitimacy of the delivery mechanism.
Lazarus Group — Supply Chain Specialists
The Lazarus Group has now conducted supply chain attacks (<a href="/blog/anatomy-of-a-breach-ronin-axie">Ronin/Axie</a> 2022, 3CX 2023), bank heists (<a href="/blog/anatomy-of-a-breach-bangladesh-bank-swift">Bangladesh Bank</a> 2016), destructive attacks (<a href="/blog/anatomy-of-a-breach-sony-pictures">Sony Pictures</a> 2014), and ransomware (<a href="/blog/anatomy-of-a-breach-wannacry">WannaCry</a> 2017) — demonstrating the broadest operational capability of any state-sponsored group. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence</a> tracks Lazarus Group operations.
VoIP as Critical Infrastructure
3CX is used by over 600,000 organisations for voice communications — including healthcare providers. Compromising a VoIP platform enables both espionage (intercepting communications) and lateral movement into customer networks. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses VoIP security and communications platform hardening.

Supply chain risk is recursive. Your vendor's vendor is your attack surface.

The 3CX attack demonstrated that supply chain security cannot be addressed by evaluating only direct vendors — the entire chain of dependencies must be considered. For UK organisations, Cyber Essentials addresses direct supply chain security. Our infrastructure testing evaluates software update mechanisms and vendor trust relationships. SOC in a Box provides behavioural monitoring that detects malicious activity from legitimate-appearing software. And UK Cyber Defence's threat intelligence provides early warning of supply chain campaigns targeting specific platforms.
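The two cards above on legitimately signed malware and on behavioural monitoring, and the summary just given, make one defensive point: a valid vendor signature proves who built the binary, not that the build is benign. The script below is an added example, written for this page and not code from 3CX, Hedgehog Security or any product named here. It runs a baseline check over constructed process telemetry for a hypothetical VoIP desktop client: the application name, install directory, signer, allowed child processes and allowed domains are all placeholders, and the pipe-separated log format is made up for the example. Every sample event comes from a binary whose signature verifies, so a signature-only control would pass all of them; the behavioural baseline still flags the ones that fall outside what the application is known to do.

```python
"""Behavioural baseline check for a code-signed desktop application.

Added example (not 3CX's, Hedgehog Security's or any vendor's code). The
telemetry, application name, signer, paths and domains below are constructed
placeholders; a real baseline would be learned from known-good telemetry for
the installed version of the application.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed baseline for a hypothetical VoIP desktop client.
BASELINE = {
    "VoIPDesktopApp.exe": {
        "install_dir": r"C:\Program Files\VoIPDesktopApp",
        "signer": "Example VoIP Vendor Ltd",  # placeholder signer name
        "children": {"VoIPDesktopApp.exe", "VoIPUpdater.exe"},
        "domains": {"update.example-voip.invalid", "sip.example-voip.invalid"},
    }
}


@dataclass
class Event:
    process: str              # image name of the acting process
    signer: Optional[str]     # signer name if the binary carries a signature
    signature_valid: bool     # result of signature verification
    kind: str                 # "image_load" | "child_process" | "dns_query"
    detail: str               # loaded path, child image, or queried domain


@dataclass
class Finding:
    process: str
    reason: str
    detail: str
    signed: bool              # True when the flagged process was validly signed


def check_event(ev: Event) -> Optional[Finding]:
    """Return a Finding when the event deviates from the process baseline."""
    profile = BASELINE.get(ev.process)
    if profile is None:
        return None  # no baseline for this process: out of scope here
    # Signature problems are findings too, but they are not the main point:
    # the events below all carry a valid signature from the expected signer.
    if not ev.signature_valid or ev.signer != profile["signer"]:
        return Finding(ev.process, "signature invalid or unexpected signer",
                       ev.signer or "", False)
    if ev.kind == "image_load" and not ev.detail.lower().startswith(
            profile["install_dir"].lower()):
        return Finding(ev.process, "module loaded from outside install directory",
                       ev.detail, True)
    if ev.kind == "child_process" and ev.detail not in profile["children"]:
        return Finding(ev.process, "unexpected child process", ev.detail, True)
    if ev.kind == "dns_query" and ev.detail not in profile["domains"]:
        return Finding(ev.process, "DNS query to domain outside baseline",
                       ev.detail, True)
    return None


def parse_line(line: str) -> Event:
    """Parse the constructed telemetry format: process|signer|valid|kind|detail."""
    process, signer, valid, kind, detail = line.split("|", 4)
    return Event(process, signer or None, valid == "1", kind, detail)


def triage(lines: List[str]) -> List[Finding]:
    """Run every telemetry line through the baseline check."""
    findings = []
    for line in lines:
        finding = check_event(parse_line(line.strip()))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry. Every event is from a validly signed binary,
# so a control that trusts the signature alone would accept all five.
SAMPLE = [
    r"VoIPDesktopApp.exe|Example VoIP Vendor Ltd|1|image_load|C:\Program Files\VoIPDesktopApp\app.dll",
    r"VoIPDesktopApp.exe|Example VoIP Vendor Ltd|1|dns_query|update.example-voip.invalid",
    r"VoIPDesktopApp.exe|Example VoIP Vendor Ltd|1|image_load|C:\Users\Public\helper.dll",
    r"VoIPDesktopApp.exe|Example VoIP Vendor Ltd|1|dns_query|cdn.example-unrelated.invalid",
    r"VoIPDesktopApp.exe|Example VoIP Vendor Ltd|1|child_process|cmd.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        state = "signed" if f.signed else "unsigned"
        print(f"[{state}] {f.process}: {f.reason} ({f.detail})")
```

Run as-is, the script reports three findings, all against a validly signed process: a module loaded from outside the install directory, a DNS query to a domain outside the baseline, and an unexpected child process. The design choice worth noting is that signature verification is kept as a first gate rather than dropped: it still catches tampering by anyone without the vendor's key, but the baseline checks run regardless of its result, which is what lets the check work when the vendor's own build pipeline is the thing that was compromised.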


3CX was compromised through a compromised vendor. How deep does your supply chain risk go?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses vendor trust. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects behavioural anomalies. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence</a> provides supply chain intelligence.
