Chinese Hackers Infect South Korean VPNs with Malicious Code!

Hackers with alleged ties to China have, according to ESET Research, compromised the South Korean VPN provider IPany in a supply chain attack, exposing the service's users to malware. The attackers replaced the NSIS installer for IPany's Windows VPN client, distributed from the company's own website, with a trojanized build that carried additional malicious code.

The trojanized installer delivered a custom backdoor, named "SlowStepper," to users who had no indication that anything was wrong. The incident is another reminder that a trusted software distribution channel can be turned into a vector for cyber espionage.

ESET, the Slovak security company, first noticed the compromise in May 2024: the installer offered for download on IPany's official website had been modified to drop the SlowStepper backdoor. The backdoor lets its operators collect sensitive data, execute commands and maintain long-term access on infected machines. Users who believed they were installing the vendor's legitimate software were instead handing the attackers deep access to their systems.

“Victims had apparently manually downloaded a ZIP file that contained the malicious NSIS installer from the URL https://ipany[.]kr/download/IPanyVPNsetup.zip,” stated Facundo Muñoz, an ESET researcher, in a blog post.

The operators, tracked as PlushDaemon, are a China-aligned advanced persistent threat (APT) group that has been active since at least 2019 and specializes in abusing legitimate software distribution channels to deliver its payloads. In this instance the group modified the installer on IPany's own download site, so the trojanized build reached victims through the official channel. The group's more usual initial-access technique is to hijack legitimate software update traffic, redirecting it to servers under its control so that the update mechanism itself fetches the malicious payload, a form of supply chain attack that does not require compromising the vendor at all.
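Both delivery paths described above, hijacked update traffic and a modified installer on the vendor's own site, defeat a client that runs whatever the download returns. The following added example (not code from ESET, IPany or the article) models both scenarios with constructed installer images and hypothetical hostnames (ipany.example, attacker.example) and contrasts a client that executes the download blindly with one that checks the NSIS marker and compares the file's SHA-256 against a pin obtained from a channel the attacker does not control. It also shows the failure mode a practitioner should expect: a hash fetched from the same compromised site verifies the trojan as genuine.

```python
import hashlib
import hmac

# "NullsoftInst" is the marker found in the first header of NSIS-built executables.
# The rest of these images is constructed for the demonstration; they are not real
# IPany binaries, and "SlowStepper-stage" merely stands in for the added payload.
NSIS_MARKER = b"NullsoftInst"
LEGIT_INSTALLER = b"MZ\x90\x00" + NSIS_MARKER + b"|IPanyVPNsetup|vpn-client-files"
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"|SlowStepper-stage"  # extra stage spliced in


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class Network:
    """Toy model of the download path: hosted files plus attacker-controlled redirection.
    Hostnames are hypothetical."""

    def __init__(self):
        self.files = {
            "ipany.example/IPanyVPNsetup.exe": LEGIT_INSTALLER,
            "ipany.example/sha256.txt": sha256_hex(LEGIT_INSTALLER).encode(),
            "attacker.example/IPanyVPNsetup.exe": TROJANIZED_INSTALLER,
            "attacker.example/sha256.txt": sha256_hex(TROJANIZED_INSTALLER).encode(),
        }
        self.redirects = {}

    def hijack_traffic(self, host: str, attacker_host: str) -> None:
        """Adversary-in-the-middle: requests for host are answered by attacker_host."""
        self.redirects[host] = attacker_host

    def compromise_site(self, host: str) -> None:
        """Attacker has write access to the vendor site and swaps the installer
        (and, if one is published there, its hash)."""
        self.files[f"{host}/IPanyVPNsetup.exe"] = TROJANIZED_INSTALLER
        self.files[f"{host}/sha256.txt"] = sha256_hex(TROJANIZED_INSTALLER).encode()

    def fetch(self, url: str) -> bytes:
        host, _, path = url.partition("/")
        host = self.redirects.get(host, host)
        return self.files[f"{host}/{path}"]


def run_installer(blob: bytes) -> str:
    """Stand-in for executing the installer: reports whether the extra stage is present."""
    return "trojanized" if b"SlowStepper" in blob else "clean"


def install_unverified(net: Network, url: str) -> str:
    """Weak client: runs whatever the download path returns."""
    return run_installer(net.fetch(url))


def install_verified(net: Network, url: str, expected_sha256: str) -> str:
    """Hardened client: runs the installer only if it is an NSIS image whose digest
    matches a value the client already holds."""
    blob = net.fetch(url)
    if NSIS_MARKER not in blob:
        raise ValueError("download is not an NSIS installer")
    if not hmac.compare_digest(sha256_hex(blob), expected_sha256):
        raise ValueError("installer digest does not match the pinned value")
    return run_installer(blob)


def outcome(action) -> str:
    try:
        return action()
    except ValueError:
        return "rejected"


def scenario_results() -> dict:
    url = "ipany.example/IPanyVPNsetup.exe"
    # Pin obtained out of band, before any compromise (e.g. from a signed release note).
    pin = sha256_hex(LEGIT_INSTALLER)
    results = {}

    net = Network()
    results["baseline"] = install_verified(net, url, pin)

    # Scenario 1: traffic for the vendor host is redirected to the attacker
    # (the update hijacking attributed to PlushDaemon).
    net.hijack_traffic("ipany.example", "attacker.example")
    results["hijack_unverified"] = install_unverified(net, url)
    results["hijack_verified"] = outcome(lambda: install_verified(net, url, pin))

    # Scenario 2: the vendor's own site serves the trojanized installer (the IPany case).
    net = Network()
    net.compromise_site("ipany.example")
    results["site_unverified"] = install_unverified(net, url)
    results["site_verified_oob_pin"] = outcome(lambda: install_verified(net, url, pin))
    # A hash fetched from the same compromised site verifies the trojan as genuine.
    same_site_pin = net.fetch("ipany.example/sha256.txt").decode()
    results["site_verified_same_site_pin"] = install_verified(net, url, same_site_pin)
    return results


if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(f"{name:30} {result}")
```

The last scenario is the important one for the IPany case: an integrity value served from the compromised site is no better than the download itself. The pin has to come from somewhere the attacker cannot also rewrite, which in practice means a code signature checked against a key that never lived on the web server, or a hash published through an independent channel.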

China hosts several active APT groups that consistently conduct cyber espionage against the United States and its allies. The Chinese group Salt Typhoon, for example, recently compromised American broadband providers; the investigation into that intrusion was hindered when the Trump administration dismissed the members of the Cyber Safety Review Board that had been reviewing it.

PlushDaemon is a China-aligned APT group with a varied toolset and several years of operations that has only recently come to public attention, and its emergence adds to an already crowded threat landscape. The IPany incident shows that even a trusted vendor's official download can be the delivery vehicle, so organizations should not treat an installer as safe simply because of where it was fetched from: check a download's code signature (Authenticode on Windows), compare its hash against a value obtained from somewhere other than the download site itself, and treat an unsigned installer from a vendor that normally signs its releases as a warning sign.
