Kaspersky Lab’s dealings with ASUS after revealing the Taiwanese computer brand’s live software update tool was being used to install a malicious backdoor on its customers’ computers were marred by a language barrier, the timing of Lunar New Year and wrangling over a non-disclosure agreement, it has been revealed.

The Russian security firm – whose researchers uncovered the advanced persistent threat campaign – said last week at its Security Analyst Summit in Singapore that it first contacted ASUS about the attack on January 29, in the midst of the Chinese New Year celebrations.

“They expected some greetings for the new year, instead we reported a big, big problem,” said Kaspersky Lab’s Global Research and Analysis Team (GReAT) APAC director Vitaly Kamluk.

In the weeks following, Kaspersky provided ASUS with its findings about the attack – dubbed ShadowHammer – in a number of face-to-face meetings and conference calls.

“The whole thing happened at a very unfortunate time, it was just before the Lunar New Year – for us in Europe it doesn’t mean anything, but over here and in the region it’s a big thing. People take vacations. Of course this is a serious thing and maybe we ruined some people’s vacations, I’m sure of that,” GReAT director Costin Raiu told CIO Australia.

Costin Raiu details ShadowHammer at Kaspersky Lab security summit. Suhaimi Abdullah/Getty Images

During virtual and in-person meetings on January 31, February 14 and 20, communication suffered due to a lack of a shared language.
In similar cases – such as the ShadowPad supply-chain attack made through South Korean firm NetSarang’s software – Kaspersky had a native Korean speaker.

“It’s different than having information through a translator translating, it adds an additional barrier in the communication,” Raiu explained.

Push to go public

Although ASUS provided Kaspersky with relevant update archives and information, the company was reluctant to go public with the attack. ASUS did not respond to questions about its response to the attack in multiple emails and calls at the time of publication.

“There was a discussion of course; what happens next. Normally we inform victims … we encourage them to go public first, together with us to explain what happened, explain what actions have been done, and how big is the problem, whether it was contained or not,” Kamluk said.

With NetSarang, for example, a joint press release went out with comment from both companies and apologies from the vendor.

“We of course explained this to them. We offered our help and assistance in investigating … They said they need time to think about the strategy,” Kamluk added.

Kaspersky itself held back initially as it wanted to first understand more about the nature and extent of the APT, and not cause unnecessary “panic around the world”.

“It’s possible the attackers are still in the ASUS networks and we won’t achieve anything, they might send a wiper to everybody and very quickly, overnight wipe a million computers,” said Raiu.

Raiu confirmed that ASUS had wanted Kaspersky to sign a non-disclosure agreement.
While that is common practice when dealing with supply chain attacks, the NDA would have stopped Kaspersky from revealing anything about the attack, Raiu said.

“We felt we had a duty to go public with information about the attack because so many people were affected and an NDA would have prevented us from going public … we thought it’s in the public interest to make the information available,” Raiu said.

One may be signed in the near future, however.

“Up to this moment we haven’t signed it yet is the correct interpretation,” Raiu added.

With any risk of ShadowHammer being a false positive now gone, and confident the attack had ended by November 2018, Kaspersky continued to push ASUS to alert customers.

Vitaly Kamluk shares ShadowHammer findings at Kaspersky security summit. Suhaimi Abdullah/Getty Images

“I told them that it is something that cannot be silenced,” Kamluk said. “We told them we will blacklist your certificate and people will see it in alerts. There will be security researchers asking about this, it will be noticed, and there is your name in the certificate that you cannot get rid of, so everybody will know that you’re compromised and it cannot be silenced.”

“So we went public,” he added.

No thanks

Kaspersky published details of the attack on its SecureList blog and in a story in Motherboard on March 25.

The following day, ASUS published a “response to the recent media reports”. In it the company claimed “only a very small number of specific user group were found to have been targeted” by the attack and that “it is extremely unlikely that your device has been targeted”.

This “small” user group is in reference to the hardcoded list of MAC addresses in the malware, numbering around 600.
Once it infected a system with one of the specified MAC addresses, the malware contacted an attacker-controlled server to install further malware elements.

Curiously, within ASUS’ response, the company links to a generic web page about APT groups by Kaspersky rival FireEye.

“It’s weird. I expected at least a 'thank you guys, thank you for reporting' but there was nothing. Something broke there internally, perhaps someone got angry because we decided to go public earlier, I don’t know,” said Kamluk.

The “weird” response from ASUS is not unusual behaviour from computer-makers, Kamluk said.

“Vendors are normally quite annoyed by reporting of their security issues … It wasn’t the same with ASUS. They were not aggressive. They didn’t, at least publicly, appreciate our help, they didn’t credit us, but they were not aggressive. They didn’t try to lie. They didn’t try to deny things because other vendors do,” he said.

It is not the first time ASUS has suffered from security issues and kept customers in the dark. In 2016 the company settled Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.

The commission said that ASUS “did not address security flaws in a timely manner” nor did it “notify consumers about the risks posed” or alert them to the availability of security updates.

This time around – the day after the Motherboard article – ASUS has implemented a fix in the latest version of its Live Update software.
It has also “introduced multiple security verification mechanisms”.

“At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future,” the company said last month.

ASUS and Kaspersky have released diagnostic tools for users to check if their systems are affected. Kaspersky also has a MAC address look-up service, to see if user addresses match those hardcoded in the backdoor code.

The author travelled to the Security Analyst Summit as a guest of Kaspersky Lab.