A Historic First in Supply Chain Security
In March 2023, security researchers at CrowdStrike and Mandiant uncovered what they described as the first publicly documented instance of one supply chain attack directly causing another. The 3CX desktop application, a widely used VoIP and video conferencing client, had been trojanized through its official build process. But the root cause was not a compromise of 3CX's own infrastructure — it was traced back to a separate, earlier supply chain attack on Trading Technologies, a financial software firm. This cascading chain-of-compromise represents a new paradigm in third-party risk management.
The Attack Chain
Step 1: The X_TRADER Compromise
The attack began when the North Korean state-sponsored threat group known as Lazarus Group (also tracked as UNC4736 by Mandiant) compromised Trading Technologies' X_TRADER software, a professional trading terminal. The attackers trojanized the X_TRADER installer, inserting a backdoor that was signed with a legitimate Trading Technologies code-signing certificate. X_TRADER had been officially decommissioned in April 2020, but the compromised installer remained available for download, and some users continued to install it.
Step 2: The 3CX Employee's Machine
A 3CX employee downloaded and installed the compromised X_TRADER application on their personal computer. The backdoor in X_TRADER gave the Lazarus Group access to the employee's machine, from which they were able to harvest corporate credentials. Using those credentials, the attackers gained access to 3CX's build environment.
Step 3: The 3CX Desktop App Trojanization
With access to 3CX's build infrastructure, the attackers inserted malicious code into the 3CX Desktop App for both Windows and macOS. The trojanized versions were distributed through 3CX's official update mechanism beginning in late March 2023. The malware-laden applications were signed with 3CX's legitimate code-signing certificate, making them appear trustworthy to endpoint security tools and users.
The malicious code was designed to contact attacker-controlled command-and-control servers, download additional payloads, and potentially deploy information-stealing malware on victim systems. CrowdStrike detected the activity on March 29, 2023, and published an advisory identifying the compromised versions.
Scale of Potential Impact
3CX stated that its phone system was used by more than 600,000 companies and 12 million daily users worldwide, with customers including major enterprises, government agencies, and healthcare organizations. Although the number of organizations that actually installed the trojanized version and were then further compromised is smaller than the total customer base, the potential blast radius was enormous.
| Factor | Detail |
|---|---|
| Threat Actor | Lazarus Group (North Korea) / UNC4736 |
| Initial Vector | Trojanized X_TRADER installer from Trading Technologies |
| Second Vector | Trojanized 3CX Desktop App via official update channel |
| 3CX Customer Base | 600,000+ companies, 12 million+ daily users |
| Platforms Affected | Windows and macOS |
| Historical Significance | First known supply-chain-causes-supply-chain attack |
Why This Changes Third-Party Risk Management
- Software build integrity is critical. The attack succeeded because the trojanized apps were distributed through 3CX's legitimate update channel with valid code signatures. TPRM programs should assess whether vendors implement build integrity controls such as reproducible builds, build environment isolation, and binary signing verification.
- Decommissioned products remain risk vectors. X_TRADER had been officially decommissioned by Trading Technologies, yet the compromised installer was still accessible. Vendor lifecycle management must not only track active products but also verify that decommissioned products have been removed from distribution channels.
- Employee personal devices as bridge vectors. As with the LastPass breach, a personal device served as the bridge between two separate corporate environments. TPRM assessments should evaluate vendor policies on employee use of unauthorized software and whether corporate credentials can be accessed from unmanaged devices.
- Nation-state actors target the supply chain strategically. Lazarus Group, a North Korean APT, chose the supply chain path deliberately. Nation-state actors recognize that compromising one vendor can provide access to thousands of downstream targets. TPRM risk models should incorporate threat actor capability assessments for vendors that are attractive supply chain targets.
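The first point above, that a valid code signature on an official update is not sufficient evidence of build integrity, can be turned into a concrete acceptance check. The following example is added here and is not code from 3CX, Trading Technologies, or the cited reports. It assumes a sha256sum-style digest manifest published by the vendor, a shipped artifact, and an independent rebuild of the same release from source (the reproducible-build control named above); the signature check itself is assumed to have been done by platform tooling and is passed in as a boolean. All artifact bytes and names are constructed. The scenario mirrors the 3CX case: the manifest and signature both vouch for the shipped build because they were produced by the same compromised pipeline, so only the independent rebuild exposes the difference.

```python
"""Added example: release acceptance gate that does not trust signature or manifest alone.

Assumed inputs: the shipped artifact bytes, the bytes from an independent rebuild,
a vendor-published sha256sum-style manifest, and the result of the platform's
code-signature check. Names and byte strings below are constructed for illustration.
"""
import hashlib
import re

# sha256sum output format: 64 hex chars, whitespace, optional '*' for binary mode, filename
MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")


def parse_sha256_manifest(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = match.groups()
        entries[name] = digest
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_release(name: str, shipped: bytes, rebuilt: bytes,
                  manifest: dict, signature_valid: bool):
    """Accept a release only when three independent pieces of evidence agree.

    Returns (accepted, reasons). Every failed check is reported, not just the first,
    so an assessor sees which controls the vendor's release actually passed.
    """
    reasons = []
    shipped_digest = sha256_hex(shipped)

    # 1. Code signature (assumed to be verified by platform tooling upstream of this gate).
    if not signature_valid:
        reasons.append("code signature invalid")

    # 2. Vendor-published digest manifest.
    expected = manifest.get(name)
    if expected is None:
        reasons.append("artifact not listed in published manifest")
    elif expected != shipped_digest:
        reasons.append("digest does not match published manifest")

    # 3. Reproducibility: an independent rebuild must be byte-identical to what was shipped.
    if sha256_hex(rebuilt) != shipped_digest:
        reasons.append("independent rebuild differs from shipped artifact (not reproducible)")

    return (not reasons, reasons)


# Constructed scenario: a clean build and a build with extra bytes injected by a compromised pipeline.
CLEAN_BUILD = b"MZ\x90\x00constructed-clean-desktop-app-binary"
TROJANIZED_BUILD = CLEAN_BUILD + b"\x00constructed-injected-loader-stub"
ARTIFACT_NAME = "desktop-app-setup.exe"

# The compromised pipeline publishes a manifest for the build it actually produced,
# so the manifest matches the trojanized file, just as the signature does.
PUBLISHED_MANIFEST = parse_sha256_manifest(
    f"# constructed release manifest\n{sha256_hex(TROJANIZED_BUILD)}  {ARTIFACT_NAME}\n"
)


def demo_trojanized_release():
    """Signature valid, manifest matches, independent rebuild disagrees: reject."""
    return check_release(ARTIFACT_NAME, TROJANIZED_BUILD, CLEAN_BUILD,
                         PUBLISHED_MANIFEST, signature_valid=True)


def demo_clean_release():
    """All three pieces of evidence agree: accept."""
    clean_manifest = {ARTIFACT_NAME: sha256_hex(CLEAN_BUILD)}
    return check_release(ARTIFACT_NAME, CLEAN_BUILD, CLEAN_BUILD,
                         clean_manifest, signature_valid=True)


if __name__ == "__main__":
    print("trojanized release:", demo_trojanized_release())
    print("clean release:     ", demo_clean_release())
```

In the trojanized scenario the gate rejects the release with a single reason, the reproducibility failure, even though the signature and manifest checks pass. That is the assessment question the bullet raises: a vendor whose release process cannot produce that third, independent piece of evidence is relying entirely on the integrity of one build environment.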
Applying FAIR to Cascading Supply Chain Risk
Modeling cascading supply chain attacks with FAIR requires treating the initial vendor compromise as a threat event that changes the threat landscape for all downstream vendors. The contact frequency and probability of action for downstream compromises become conditional on the upstream breach. This creates a correlated risk scenario that organizations must model explicitly — a single upstream vendor compromise can simultaneously elevate the risk across dozens of downstream vendor relationships. FAIR's decomposition approach is well-suited to this analysis because it allows organizations to model each link in the chain separately and then assess the combined probability and magnitude.
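The conditional structure described above can be made exact rather than hand-waved. The example below is added here; it is not code from the FAIR standard or from the Fair TPRM project. It uses the FAIR decomposition LEF = Contact Frequency × Probability of Action × Vulnerability, gives each downstream vendor one Contact Frequency and Probability of Action for the "upstream intact" state and a higher pair for the "upstream breached" state, and treats loss events as Poisson with rate LEF. It then compares two ways of modelling a portfolio of downstream vendors that share one upstream: the correlated model (vendors are conditionally independent given the upstream state, so the portfolio is a mixture of two worlds) and the naive model that folds the upstream breach into each vendor's marginal probability and then treats vendors as independent. All vendor names, frequencies and probabilities are constructed. The example generalizes beyond the two-vendor chain in the text to any number of downstream vendors with different parameters.

```python
"""Added example: cascading supply chain risk as a mixture over the upstream state.

FAIR factors per downstream vendor: Contact Frequency (CF), Probability of Action (PoA),
Vulnerability. LEF = CF * PoA * Vulnerability. Every number here is constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DownstreamVendor:
    name: str
    cf_intact: float        # attacker contacts per year while the upstream vendor is intact
    cf_breached: float      # contacts per year once the upstream vendor has been breached
    poa_intact: float       # probability a contact becomes a threat event (upstream intact)
    poa_breached: float     # same, conditional on the upstream breach
    vulnerability: float    # probability a threat event becomes a loss event


def annual_lef(v: DownstreamVendor, upstream_breached: bool) -> float:
    """FAIR decomposition: LEF = TEF * Vulnerability, TEF = CF * PoA."""
    cf = v.cf_breached if upstream_breached else v.cf_intact
    poa = v.poa_breached if upstream_breached else v.poa_intact
    return cf * poa * v.vulnerability


def loss_event_prob(v: DownstreamVendor, upstream_breached: bool) -> float:
    """P(at least one loss event in the year), with loss events Poisson(LEF)."""
    return 1.0 - math.exp(-annual_lef(v, upstream_breached))


def count_distribution(probs):
    """Distribution of the number of vendors with a loss event, given independent per-vendor probs.
    Index j holds P(exactly j vendors)."""
    dist = [1.0]
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, d in enumerate(dist):
            nxt[j] += d * (1.0 - p)
            nxt[j + 1] += d * p
        dist = nxt
    return dist


def correlated_model(vendors, p_upstream):
    """Vendors are conditionally independent given the upstream state, so the
    portfolio distribution is a mixture of the 'breached' and 'intact' worlds."""
    breached = count_distribution([loss_event_prob(v, True) for v in vendors])
    intact = count_distribution([loss_event_prob(v, False) for v in vendors])
    return [p_upstream * b + (1.0 - p_upstream) * i for b, i in zip(breached, intact)]


def independent_model(vendors, p_upstream):
    """Naive model: same per-vendor marginals, but the shared upstream dependency is dropped."""
    marginals = [p_upstream * loss_event_prob(v, True) + (1.0 - p_upstream) * loss_event_prob(v, False)
                 for v in vendors]
    return count_distribution(marginals)


def prob_at_least(dist, k):
    return sum(dist[k:])


def expected_count(dist):
    return sum(j * p for j, p in enumerate(dist))


# Constructed portfolio: four downstream vendors that all depend on the same upstream component.
PORTFOLIO = [
    DownstreamVendor("vendor-a", 0.5, 4.0, 0.3, 0.8, 0.4),
    DownstreamVendor("vendor-b", 0.8, 6.0, 0.2, 0.7, 0.3),
    DownstreamVendor("vendor-c", 0.3, 3.0, 0.4, 0.9, 0.5),
    DownstreamVendor("vendor-d", 1.0, 5.0, 0.1, 0.6, 0.2),
]
P_UPSTREAM_BREACH = 0.15   # constructed annual probability that the shared upstream vendor is compromised


def compare(vendors=PORTFOLIO, p_upstream=P_UPSTREAM_BREACH):
    """Return (correlated, independent) pairs for the figures an analyst would compare."""
    corr = correlated_model(vendors, p_upstream)
    ind = independent_model(vendors, p_upstream)
    n = len(vendors)
    return {
        "expected_events": (expected_count(corr), expected_count(ind)),
        "p_any_vendor": (prob_at_least(corr, 1), prob_at_least(ind, 1)),
        "p_all_vendors": (prob_at_least(corr, n), prob_at_least(ind, n)),
    }


if __name__ == "__main__":
    for key, (c, i) in compare().items():
        print(f"{key:16s} correlated={c:.4f}  independent={i:.4f}")
```

The two models agree on the expected number of loss events per year (expectation is linear, so the correlation cannot change it), which is why an average-based assessment hides the problem. They differ in the tail: under the correlated model the probability that every downstream vendor suffers a loss event in the same year is higher, and the probability of at least one event is lower, because the events cluster on the years in which the upstream vendor is breached. That clustered tail is what the text means by a single upstream compromise simultaneously elevating risk across many vendor relationships.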
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise - Mandiant
- CrowdStrike Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers - CrowdStrike
- 3CX DesktopApp Security Alert - 3CX Official Advisory
- Supply Chain Attack Against 3CXDesktopApp - CISA Alert
- X_Trader Supply Chain Attack Affects Critical Infrastructure - Symantec Threat Intelligence