
The cybersecurity firm Mandiant has discovered the origin of the breach of 3CX, a Voice over Internet Protocol (VoIP) provider, whose software was corrupted by hackers linked to North Korea. Mandiant found that a 3CX employee’s computer was hacked through a software-supply-chain attack that hijacked an application of the financial software firm Trading Technologies.
That attack allowed the hackers to spread their access through 3CX’s network, corrupt a 3CX installer application, and infect hundreds of thousands of its customers. This was a rare example of how a single group of hackers used one software supply chain attack to carry out a second one, which Mandiant called a “supply-chain chain reaction.”
The North Korean hacker group responsible for this attack, known as Kimsuky, Emerald Sleet, or Velvet Chollima, is believed to be working for the North Korean regime.
The group is focused on stealing cryptocurrency, and a broad supply chain attack like the one that exploited 3CX’s software would “get you in places where people are handling money,” according to Ben Read, Mandiant’s head of cyber espionage threat intelligence.