Cyber Incident Victim: Able Software

Date:

Jun 2020

Location:

Mongolia

Summary

A supply chain attack targeted a widely used Mongolian government chat application, Able Desktop, compromising its update mechanism to distribute malware through official channels. The attackers delivered trojanized updates containing the HyperBro backdoor and replaced PlugX with Tmanager as their remote access tool, enabling persistent access to high-value targets across multiple ministries and agencies. Security researchers attributed the campaign to Chinese state-linked advanced persistent threat groups, citing overlaps with tools and infrastructure historically associated with clusters like LuckyMouse, TA428, and ShadowPad operators, suggesting coordinated espionage activities leveraging shared resources. The breach exploited the software's centralized update system, impacting hundreds of government entities through trusted distribution pathways.

Description

The incident involving Able Software began with prior attacks targeting its Able Desktop chat application as early as 2018. Attackers distributed trojanized versions of the app’s installer via email, attempting to trick Mongolian government employees into installing malware. These initial campaigns delivered the HyperBro backdoor and PlugX remote access trojan, leveraging the app’s widespread adoption across over 430 government agencies, including the Office of the President, the Ministry of Justice, the Ministry of Health, law enforcement, and local governments. The attackers escalated their operations in June 2020 by compromising Able Software’s backend update distribution system. This supply chain attack allowed them to push malicious updates through the legitimate delivery mechanism on at least two occasions, replacing PlugX with the Tmanager remote access trojan while continuing to deploy HyperBro. The exact scope of the June 2020 compromise remained unclear, as investigators could not determine whether malware was delivered to all Able Software clients or only specific targets.

Security firm ESET identified the attacks but could not definitively attribute them to a single threat actor. The malware strains and infrastructure—including ShadowPad—had historical ties to multiple China-linked advanced persistent threat (APT) groups such as LuckyMouse, TA428, CactusPete, TICK, IceFog, KeyBoy, and the Winnti umbrella group. ESET theorized these groups might share tools, collaborate, or operate under a centralized command structure. Avast independently corroborated the Chinese espionage link in a separate report. The attackers’ shift to compromising the update server marked a strategic evolution from earlier email-based distribution methods. ESET notified Able Software about the breach but provided no further details regarding containment measures or the victim’s response. The incident exposed sensitive government systems to potential data exfiltration and remote control due to the privileged access granted by the malware.
