An Asus laptop for an article on the ShadowHammer malware attack.

A highly sophisticated cyberattack designed to look like a routine software update misled more than 57,000 Asus laptop owners, mostly in Russia, into installing malware that granted “backdoor” access to their computers, says the security company Kaspersky Lab.  

The attack, named Operation ShadowHammer, was discovered by Kaspersky in late January and reported by the tech publication Motherboard on Monday. The hackers used a software update tool housed on an official Asus server and a genuine Asus certificate to push the malware out to about 1 million device owners.

It's unclear how many laptop owners in the U.S. were infected. Asus has just released an online diagnostic tool—available here— that consumers can use to see whether their laptop is among them. (We gave it a try on an Asus laptop in our labs and learned that the computer wan't affected.)

If your Asus laptop is one of those infected, the company has offered a solution, which is detailed below. 

More on digital security

“To a user, this appeared to be a legitimate software update,” says Costin Raiu, director of the global research and analysis team at Kaspersky. “This is a very difficult attack for the average consumer to detect.”

Brian Vecci, field chief technology officer at the security firm Varonis, adds: “It’s a deeply insidious attack. The hackers got into the supply chain and tricked Asus into delivering the malware directly. The onus is on the manufacturer to lock this down.”

Privacy and security advocates say that attacks of this kind are especially troubling because they leave consumers wondering whether they should trust software updates in the future.

"Companies like Asus need to take whatever security measures are necessary to make sure this can't happen again,” says Katie McInnis, policy counsel for Consumer Reports. She notes that Asus was slow to respond with guidance for customers, given that the company knew about the attack for almost two months and remained silent on the day news of the attack broke.

What You Can Do

According to security experts, the ShadowHammer attack is unusual in other ways, too. Kaspersky confirmed that tens of thousands of machines, mostly located in Russia, were compromised when people fell for the phony update notice.

But once installed, the malware uses the backdoor access to “surgically target” 600 computers—uniquely identified via their Media Access Control addresses—with additional malware, Kaspersky reports in a blog post.

If your computer is infected, Asus suggests backing up your files and then restoring your operating system to factory settings. "This will completely remove the malware from your computer," the company explains.

You can then download the latest version of Asus Live Update (3.6.8), which is malware-free, according to Asus. The manufacturer has provided instructions on its website to help with that.

Kaspersky has also created a tool to help consumers determine whether they own a computer targeted in the attack. You simply download the app and double-click on it. (We gave this one a try, too, and got the same result.)

Consumer Reports has long advised consumers that installing regular software updates is one of the best ways to protect their devices and data. And despite the compromised update used in this exploit, that advice holds true.

“The risk of making your machine vulnerable to all kinds of malware by not installing an update is much higher than the chance of becoming the victim of an attack disguised as a update,” says Maria Rerecich, senior director of product testing for Consumer Reports.

If you use security software from a service such as Kaspersky, McAfee, or Symantec to protect your computer, this would be a good time to update that, too, she adds. For a list of CR-recommended options, click here.

This isn’t the first time that a security glitch involving Asus has left consumers vulnerable. In 2016 the company signed a consent decree with the FTC after “critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk,” according to an FTC press release.

“In many instances, Asus did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers,” the FTC added.

Editor's Note: This article was updated to include information from Asus on how to identify a targeted laptop and remove the malware.