The Zombie Zero supply-chain attack targeted robotics manufacturers as well as shipping and logistics firms, compromising systems for more than a year, according to new details from the analysis of the economic-espionage campaign provided by security firm TrapX Security.
Zombie Zero is a suspected nation-state attack, which compromised at least eight companies beginning in May 2013, according to TrapX's findings. Malware preloaded into a proprietary scanner used by global shipping-and-logistic companies compromised networks from the inside and, once updated with additional functionality by controllers in China, stole financial and shipping information, TrapX stated.
"It is absolutely tailor-made," Carl Wright, general manager of TrapX's North American operations, told eWEEK. "It was very selective. Not just so they could get the data, but so they could modify the shipping database. At a high level, they could make packages appear and disappear."
The original data and the additional focus on robotics firms were not part of the initial announcement, but were revealed during the ongoing analysis of the attack, Wright said. While TrapX would not name the maker of the scanners, Wright said that the name will be made public within the next three weeks, when the company makes additional details available.
Supply-chain attacks are rarely publicized, but often used to infect networks and systems that are otherwise inaccessible. Documents leaked from the National Security Agency by former contractor Edward Snowden suggested that a group within the NSA intercepted products shipped from the manufacturer and placed "implants" in the hardware or firmware that could be used to gather intelligence on hard-to-reach targets. In January, Cisco, Dell and other companies took the NSA to task for undermining the trust of international customers in their products.
In May, Cisco CEO John Chambers wrote a letter condemning the intelligence agency's tactics. "We simply cannot operate this way; our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote in the letter obtained by Re/Code. “We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”
The Zombie Zero attack may have a similar impact on the manufacturer of the scanning system, which TrapX believes is located in China near a university whose network has been used by the Chinese government in previous intelligence operations. The malware was incorporated into the devices by infecting the embedded Windows XP operating system and then shipping the devices to the target. TrapX determined that 16 of 48 scanners received by one customer were infected.
While the security firm has published some technical details of the attack, other security firms apparently have not detected the malware, TrapX's Wright said.
"It is absolutely not recorded anywhere," Wright said. The signature for the malware, usually encoded as an MD5 hash, does not appear in Virus Total. "The MD5 is not showing up anywhere else today."
While supply-chain attacks are rare, they are not uncommon and companies should develop a strategy to detect well-camouflaged attacks, Jon Heimerl, senior security strategist for Solutionary, said in a statement.
"The single biggest problem with this threat is that we don’t really know how big the threat is," he said.