EvLog - isotope¹³

Incident Summary

Altair EvLog update delivered Kingslayer malware.

Attackers compromised update mechanisms for Altair Technologies' EvLog event log management software. Altered versions, signed with a stolen private key, were distributed containing the 'Kingslayer' malware which provided backdoor access, targeting telecom and military organizations primarily between April and July 2015.

Date: 2015-04-01 to 2015-07-31
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Stolen certificates/keys

What Was Affected

Package EvLog

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain altairtech.com

Compromised Versions

EvLog versions updated between April-July 2015

Incident Context

Motive: Espionage
Attribution: Unknown attacker
Transitive: No
User Impact: 100
Observed Duration: 121 days

Evidence

Compromised Artifacts

Compromised EvLog update packages distributed via Altair Technologies' official update channels.

Current Artifacts and Analysis

web.archive.org/web/20170726040823/https://www.comsecglobal.com/kingslayer-a-supply-chain-attack

Indicators and Changes

Hashes

sha256:caea901a301b9c103d90b8539819e050e57b67c6ff4d7863ad1cd549f5fdc2af
sha256:383d60bffd5dc64e38893361cb03939bc8c6d5e476dc70755eb0886947e51661
sha256:7aa474d0d39a41768149f413c451e9208f73af4d262b6575ada31644f5699153
sha256:15113f237b29f51c78f315db7d815c5ed1340f52b500f66979edb153515910d7
sha256:72ccf28f4636403249d87721e802140ccae2248b810860f8c5d4f33d07363597
sha256:4286ecd104cf0667064ad008e5ac9ffa33a0f7858bb745d533fdb30369e89dd4

External References

securityaffairs.com/58864/cyber-crime/operation-wilysupply-hacking.html

Source Data

Source record: proprietary/evlog/meta.yaml