Mar 25, 2019

"Operation Shadowhammer" hacker group invades ASUS computers

A sophisticated group infected tens of thousands of ASUS brand computers with malware in a scheme to target a small handful of users, Kaspersky Lab reports. The attacks came through the official software update program ASUS Live Update Utility.

Why it matters: The operation, dubbed "Operation Shadowhammer," appears to come from a motivated, technologically adept threat — someone sophisticated enough to breach a major technology firm, patient enough to compile technical details about their intended victims to use during the attack and motivated enough to infected anyone updating their ASUS system to reach only a handful of victims.


  • Shadowhammer signed the malware it sent through the ASUS Live Update Utility using ASUS's security certificates, instructing computers to treat the malware as legitimate software updates. Companies treat certificate data as one of their most guarded secrets to prevent hackers from doing this.
  • Shadowhammer's malware checked if a system it infected was a pre-written list of around 600 computers it was specifically looking for, using unique identifiers in the networking hardware known as MAC addresses.
    • That means Shadowhammer had advance knowledge of the systems it most wanted performing follow up attacks against.

By the numbers: Kaspersky detected more than 57,000 different systems that tried to install the Shadowhammer malware. That number only includes the systems Kaspersky software protects.

Go deeper