3CX Supply Chain Attack 2023: One Compromise Enables Another
Breach Summary
The 3CX supply chain attack of March 2023 was the first documented case of one supply chain attack being used to enable a second supply chain attack — North Korean Lazarus Group operators compromised a 3CX employee's personal computer through a malicious trading software package, then used that access to trojanize 3CX's legitimate desktop application, which was installed by hundreds of thousands of businesses worldwide.
What Happened
CrowdStrike and Mandiant discovered the trojanized 3CX application in late March 2023. 3CX issued an advisory on March 29, 2023, and released a clean application version on March 30. Analysis revealed the attack had been active for approximately two weeks before discovery. Mandiant's investigation traced the initial compromise to the X_Trader software, establishing the first documented instance of a supply chain attack enabling a second supply chain attack. Lazarus Group's targeting appeared focused on financial services firms in the US and UK.
Attack Vector Detail
The attack chain began with Trading Technologies' X_Trader software, which North Korean Lazarus Group had trojanized in 2021. A 3CX employee installed the malicious X_Trader software on their personal computer. The malware then pivoted to the employee's work systems and eventually to 3CX's build environment. Lazarus Group operators modified 3CX's Electron desktop application build to include a malicious DLL that executed during application startup. The trojanized 3CX application was signed with 3CX's legitimate certificate and distributed through the official update channel to 3CX customers worldwide.
Breach Pattern Timeline
Pre-March 2023
North Korean state-sponsored Lazarus Group sub-cluster (tracked by Mandiant as UNC4736) compromises 3CX, a popular VoIP/PBX software vendor with 600,000+ customer organizations including American Express, Mercedes-Benz, Coca-Cola, and Toyota.
February 2023
Attackers inject malicious code into the 3CX DesktopApp Electron build pipeline. Trojanized installers distributed for Windows and macOS via 3CX's official update mechanisms — signed with 3CX's legitimate code signing certificate.
March 22, 2023
SentinelOne detects suspicious behavior from 3CX DesktopApp on customer endpoints and begins an investigation.
March 29, 2023
Mandiant, CrowdStrike, and SentinelOne publicly confirm the 3CX supply chain compromise. 3CX confirms the breach. Industry-wide emergency response begins.
March 30, 2023
Mandiant attributes 3CX to UNC4736 (North Korea-aligned). Notably, the 3CX compromise itself was caused by ANOTHER supply chain compromise: a 3CX employee had installed a trojanized version of X_TRADER (a 2022 financial trading software supply chain attack also attributed to North Korea).
April 2023
First documented 'cascading supply chain attack' — North Korea compromised X_TRADER → which led to 3CX compromise → which led to 3CX customer compromises. Foundational precedent for second-order supply chain risk.
April-July 2023
3CX releases clean rebuilt versions. Customers globally rotate certificates and conduct compromise assessments. Mandiant attributes 3CX/X_TRADER to North Korea's Lazarus Group sub-cluster, motivated by cryptocurrency theft and intelligence collection.
2024-2026
Industry-wide adoption of software supply chain attestation (SLSA framework, SBOM via EO 14028) accelerates significantly. 3CX becomes the canonical example of cascading supply chain attacks and the limits of code signing.
Total impact: 600,000+ 3CX customers exposed (subset compromised), first documented cascading supply chain attack via X_TRADER → 3CX, foundational precedent for software supply chain attestation requirements and cascading vendor risk assessment.
Executive Lessons
3CX established that a supply chain attack can propagate through multiple organizations in a single campaign — 3CX's customers were breached via 3CX, whose own developers were breached via Trading Technologies. This multi-stage supply chain compromise demonstrated that software supply chain security requires looking not just at direct vendors but at vendors' vendors. The Lazarus Group's patience — compromising Trading Technologies first, then waiting for 3CX to deploy the compromised library — reflects a level of operational planning that commodity threat actors cannot match.
Private Equity Implications
The 3CX attack demonstrated that digital signatures — a commonly cited supply chain security control — are insufficient when the software supplier itself is compromised. For PE portfolio companies that develop and distribute software, build environment security is the most critical supply chain security control. A compromised build environment can sign and distribute malicious code with the company's own legitimate certificate, defeating downstream signature verification.
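The attestation controls named in the timeline's 2024-2026 entry (SLSA provenance) address exactly the gap this paragraph describes: a valid signature proves who holds the key, not where the build ran. The following added Python example (not code from 3CX or from any vendor cited on this page) shows a release-acceptance policy that checks a SLSA v1 provenance statement against the downloaded artifact; the builder id, repository URI and installer bytes are constructed placeholders, and verification of the DSSE envelope signature over the statement is assumed to have been done beforehand.

```python
import hashlib

SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

def verify_provenance(artifact: bytes, statement: dict,
                      trusted_builders: set, expected_repo: str) -> list:
    """Return policy failures (empty list = accept). Unlike a signature check,
    this asks WHO built the artifact and FROM WHAT source."""
    failures = []
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        failures.append("artifact hash not listed in provenance subject")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append("not a SLSA v1 provenance predicate")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        failures.append(f"untrusted builder: {builder!r}")
    params = pred.get("buildDefinition", {}).get("externalParameters", {})
    repo = params.get("source", {}).get("uri")
    if repo != expected_repo:
        failures.append(f"unexpected source repository: {repo!r}")
    return failures

# Constructed sample data: a fake installer blob, not a real 3CX artifact.
INSTALLER = b"constructed installer bytes for demonstration only"
_DIGEST = hashlib.sha256(INSTALLER).hexdigest()

def _statement(builder_id: str, repo: str) -> dict:
    # Minimal in-toto Statement carrying a SLSA v1 provenance predicate.
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "desktopapp-setup.exe", "digest": {"sha256": _DIGEST}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {"externalParameters": {"source": {"uri": repo}}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }

TRUSTED = {"https://ci.example.invalid/hosted-builder/v1"}  # assumed builder id
REPO = "git+https://git.example.invalid/vendor/desktopapp"    # assumed repo URI
GOOD = _statement("https://ci.example.invalid/hosted-builder/v1", REPO)
# Same bytes, same (stolen-key) signature, but built on a workstation the
# policy does not trust: provenance catches what the signature cannot.
BAD = _statement("https://workstation.example.invalid/dev-laptop", REPO)

if __name__ == "__main__":
    print("good:", verify_provenance(INSTALLER, GOOD, TRUSTED, REPO))  # []
    print("bad: ", verify_provenance(INSTALLER, BAD, TRUSTED, REPO))
```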