Asus Response To 'ShadowHammer' Hack: No Apology, No Details

The response from Asus to a seemingly major compromise of its own PC update software lacks a specific accounting for what happened, raising further questions about the vendor's cybersecurity approach.

On Monday, cybersecurity firm Kaspersky Lab disclosed that Asus' Live Update software was compromised by hackers last year in order to deliver malware to users. The firm estimated that about 1 million users were affected by the malicious update, which was delivered between June and November of 2018. Symantec confirmed the attack on Monday.

[Related: 1M Asus PCs Compromised Through Vendor's Own Updates: Kaspersky]

Asus responded a day later, saying that it was deploying a fix to its Live Update software along with improved security such as added verifications and encryption. Asus blamed the attack on "Advanced Persistent Threat (APT) groups."

"Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers," Asus said in its statement.

But the response stops short of giving specifics on what happened—such as explaining why the attacks were able to succeed—and ultimately does little to give the IT industry confidence in Asus' security approach, said Michael Oh, founder of Cambridge, Mass.-based solution provider TSP LLC.

"There's no explanation for the cause of the breach. There's really nothing explaining how somebody got in and used their legitimate certificate," Oh said. "It was almost like they were checking off a few boxes [with the response], and hoping nobody would ask more questions."

In addition, "there's no apology, and there's no acknowledgment or thank you to Kaspersky" for discovering the attack, Oh noted.

Anyone in IT—especially anyone in security—would be unimpressed by the response, he said.

"I think this goes to show how little they think of security incident management," Oh said. "There's an implication there that they are not approaching security in the right way."

Asus did not immediately respond to a request for comment.

Notably, the statement from Asus takes the approach of responding to "media reports" rather than to the attack itself.

The statement also indicates that only a "small number of devices" were affected, seeming to contradict Kaspersky Lab's findings.

Kaspersky Lab said it had so far uncovered more than 57,000 users with the backdoored utility. The firm has referred to the hack, which it's calling "ShadowHammer," as "one of the biggest supply-chain attacks ever."

Asus did appear to agree with Kaspersky Lab's assessment that hackers only meant to target a relatively small number of users with the attack.

In response to the "sophisticated attack," Asus has "introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism," the company said in its statement. "We have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future."

If it was in fact a nation-state attack, Asus could have used the incident to "create at least a little bit of a narrative around this" that would account for why the attacks were a success, Oh said. Asus could have said, "Yes, it's a nation state, and they used some really advanced capabilities to hack into our systems," Oh said.