Hijacked ASUS Live Update software installs backdoors on countless PCs worldwide

ASUS reportedly distributed the hijacked software to users last year.
Written by Charlie Osborne, Contributing Writer

A cybercriminal campaign focused on targeting the supply chain through the exploitation of ASUS Live Update software may have involved the installation of backdoors on over one million PCs.

On Monday, researchers from Kaspersky Labs said the attack was first detected in January 2019. It is believed that the campaign, dubbed Operation ShadowHammer, took place between June and November 2018 and has potentially compromised countless users -- despite there being only a small list of individuals the hackers wished to target.

Operation ShadowHammer leverages the ASUS Live Update Utility, which comes pre-installed on the majority of ASUS computers.

ASUS Live Update is intended for ensuring computer systems, such as drivers, apps, BIOS, and UEFI all receive upgrades and patches when they are due, but it is this valuable utility that cyberattackers have managed to compromise.

Kaspersky was able to track down over 57,000 of its own customers that unwittingly downloaded and installed the malicious software and while the cybersecurity firm is unable to provide direct figures of all those affected, the firm says that it estimates "the real scale of the problem is much bigger and is possibly affecting over a million users worldwide."

See also: OceanLotus adopts public exploit code to abuse Microsoft Office software

Kaspersky believes the attack remained undetected for so long as the software was signed with legitimate ASUS security certificates, such as with "ASUSTeK Computer Inc." The updaters themselves were also hosted on the legitimate ASUS update domains, liveupdate01s.asus[.]com and liveupdate01.asus[.]com, which further ensured that Operation ShadowHammer remained under the radar.

ASUS may have unwittingly spread malicious software to thousands of users through its update system. However, the cyberattackers appeared to be focused on a list of only 600 targets, hardcoded into the malware and identified by the unique MAC addresses used by their network adapters.

If a victim was identified through the malware's "surgical" filtration methods, then the trojanized software would install a backdoor and download additional payloads on to their machine. The researchers say that if you downloaded the software and backdoor but are not on the target list, the malware does nothing further.

The cybersecurity firm deems Operation ShadowHammer a "very sophisticated supply chain attack" which has surpassed past Shadowpad and CCleaner attacks in its complexity.

While attribution is not solid as of yet, the team says there is enough evidence to link the threat actors to the 2017 ShadowPad incident, which have been identified by Microsoft as the work of the Barium group (.PDF).

This advanced persistent threat group (APT) has also been connected to the recent installation of backdoors in Asian gaming services.

The majority of victims are in Russia, followed by Germany, France, and Italy. (However, these figures are based on Kaspersky customers only and so may not tell the full story.)


Kaspersky informed ASUS of the supply chain attack at the end of January. However, Motherboard reports that the PC giant has "been largely unresponsive" since meeting with Kaspersky representatives on this issue.

TechRepublic: Why site reliability engineers face more security incidents and higher stress levels

ASUS denied its servers were compromised when informed of the findings and continued to use one of the compromised certificates involved in the attack for at least a month after notification. The Taiwanese firm has since stopped, but the certificates are yet to be revoked.

The attack has been confirmed by Symantec. ZDNet has not received a response from queries sent to ASUS at the time of writing.

While the full scale of the attack is yet to be exposed, Kaspersky has provided a tool for users to check and see if their ASUS Live Update software build contains a backdoor. You can access the tool on Kaspersky's blog post.

CNET: This data breach response tool tells you what to do next

The investigation into Operation ShadowHammer is still ongoing and the results, alongside a technical paper, will be published at the Kaspersky Security Analyst Summit (SAS) in April. 

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards