The sophisticated operation took place between June and November 2018

According to Kaspersky Lab, over 1 million ASUS users could have been affected after attackers managed to insert a backdoor in the ASUS Live Update utility.

ASUS Live Update, pre-installed on most ASUS computers, is used to automatically update components such as the BIOS, UEFI firmware, drivers and applications. To conceal the malicious activity, the actors also used a stolen digital certificate that ASUS uses to sign genuine binaries.

The security company says that although the sophisticated supply chain attack, dubbed ShadowHammer, took place between June and November 2018, it was not discovered until January 2019.

According to Kaspersky Lab’s security researchers, the attackers sought to compromise only a handful of users: just 600 specific MAC addresses were targeted, with their hashes hardcoded into different versions of the utility.

Although the researchers could not determine the precise number of users who downloaded and installed the backdoored tool, they are confident that the goal of ShadowHammer was to surgically target an unidentified pool of users, who were identified by the MAC addresses of their network adapters.

The attackers hardcoded a list of MAC addresses into the Trojanized samples, which allowed them to identify the intended targets of the operation. Although the researchers extracted 600 unique MAC addresses from 230 unique samples, other samples may target different MAC addresses.

The attackers injected malicious code into versions of ASUS software, signed the Trojanized versions with legitimate credentials, and hosted and distributed them from official ASUS update servers, which helped them remain unnoticed.

Kaspersky Lab says that, although potentially every user of the affected software could have become a victim, the attackers’ core objective was to gain access to several hundred users whom they already knew.

Once run on a victim’s device, the backdoor would check the machine’s MAC address against the table and proceed to download the next stage of malicious code only when it found a match. Otherwise, to remain concealed, the malware performed no network activity.
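The MAC-gated check described above is also what an incident response team needs to run in reverse: given a published list of target hashes, determine which hosts in an inventory carry an adapter that would have triggered the second stage. The following Python is an added example written for this article, not Kaspersky’s tool or anything from the ASUS utility. It assumes the table holds hex digests of the lowercase, colon-separated MAC (MD5 is used here purely as an assumption; the article does not name the algorithm), and every MAC and hash in it is constructed for illustration, not a real indicator.

```python
import hashlib
import re

# Constructed sample MACs standing in for a published target list.
# They are NOT real ShadowHammer indicators. The hash function (MD5 over the
# lowercase colon-separated form) is an assumption for illustration only.
SAMPLE_TARGET_MACS = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so formatting differences never hide a match.

    Accepts 00-11-22-33-44-55, 0011.2233.4455, 001122334455 and similar.
    Raises ValueError on anything that does not reduce to 12 hex digits.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    hexdigits = hexdigits.lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash a canonicalised MAC the way the (assumed) target table does."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target table, derived from the sample MACs above. In practice
# this would be loaded from the indicator feed you trust.
TARGET_HASHES = frozenset(mac_hash(m) for m in SAMPLE_TARGET_MACS)


def targeted_adapters(host_macs, target_hashes=TARGET_HASHES):
    """Return the subset of a host's adapter MACs whose hash is in the table.

    An empty list means a MAC-gated backdoor of this kind would have stayed
    dormant on the host; a non-empty list marks the host for forensic
    follow-up, since the next stage would have been fetched there.
    """
    hits = []
    for mac in host_macs:
        try:
            if mac_hash(mac) in target_hashes:
                hits.append(normalize_mac(mac))
        except ValueError:
            continue  # skip malformed inventory entries rather than abort
    return hits


def scan_inventory(inventory, target_hashes=TARGET_HASHES):
    """Run the check over {hostname: [mac, ...]}; report only hosts with hits."""
    report = {}
    for host, macs in inventory.items():
        hits = targeted_adapters(macs, target_hashes)
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    # Constructed inventory with mixed MAC formats and one bad entry.
    inventory = {
        "ws-001": ["00-11-22-33-44-55", "02:00:00:00:00:01"],
        "ws-002": ["0200.0000.0002"],
        "ws-003": ["AABBCCDDEEFF", "bad-entry"],
    }
    for host, hits in scan_inventory(inventory).items():
        print(f"{host}: targeted adapter(s) {hits}")
```

Normalising before hashing matters: inventory exports from different tools emit MACs with dashes, dots, colons or no separators and in mixed case, and a hash comparison on the raw string would silently miss a targeted host. Hashing on the defender’s side also means the check can be run against a published hash list without ever needing the attackers’ plaintext target MACs.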

Given the integrated approach and the extra precautions taken to avoid accidental code or data leakage, the actors behind ShadowHammer appear focused on remaining undetected.

According to Kaspersky, in-depth technical analysis shows that the attackers were equipped with the latest technology. The security firm also says that, based on the techniques used to execute code and on other artifacts, the coordinated cyber attack is probably related to the BARIUM APT, an actor thought to be operating under the Winnti umbrella.
