Microsoft has filed a lawsuit against the Fox Tempest service, which sold cybercriminals the ability to 'sign' their malware and has already been used to infect thousands of systems worldwide. In parallel, the Nitrogen group claims to have stolen 8 TB of data from Foxconn, one of the key electronics manufacturers for Apple and Google.
The cybercrime market has formed a new segment, malware-signing-as-a-service: attackers no longer need to break into a vendor's infrastructure themselves, they simply buy a digital 'stamp of trust' for their code. Microsoft has publicly struck at such a platform for the first time, filing a lawsuit against Fox Tempest and shutting down key elements of the service's infrastructure. Against this backdrop, the industry is discussing the fresh attack by the Nitrogen group on Foxconn, with the theft of 8 TB of confidential data and the suspension of part of its production processes. For companies in Kazakhstan and Central Asia, this is a signal: classic perimeter protection no longer saves you when the malware arrives 'signed' and travels through global supply chains.
The Fox Tempest Service and the New Malware-Signing-as-a-Service Model
Microsoft has revealed details of its operation against the Fox Tempest service, which since May 2025 had been signing malware for cybercriminals so that it appeared to be legitimate software. According to the company, the service's business model was extremely simple: Fox Tempest gained unauthorized access to code signing tools, including Microsoft's Artifact Signing service, and then sold customers the ability to sign arbitrary binaries. As a result, malicious code appeared as trusted software and passed both technical and organizational security filters.
Microsoft recorded thousands of infections and a whole range of attacks carried out with Fox Tempest-signed code, including ransomware distribution and the insertion of backdoors into corporate networks. The service positioned itself as an 'artifact signing' platform, while its customers packaged their own malware and ran the attacks on end victims themselves. According to Microsoft, the Fox Tempest business model brought its creators millions of dollars in revenue, which highlights how mature and commercialized the crime-as-a-service market has become.
For IT teams, this means that one of the key pillars of trust, the digital signature, can no longer be treated as a guarantee of security. Where the main check used to be whether a signature was present and the certificate valid, it is now necessary to analyze the context: where the file was distributed from, whether the application behaves abnormally, and whether it connects to known malicious infrastructure. Companies like Alashed IT (it.alashed.kz), which provide outsourced IT and cybersecurity for businesses in Kazakhstan and the region, are already having to restructure their control procedures: introduce behavioral analytics, strict allow-listing rules, and software supply chain checks, even when a binary carries a signature that chains to a trusted root. In practice, this means reviewing policies in EDR, CI/CD, and MDM systems, and training development and operations teams on the new code verification requirements.
Microsoft's Legal Strike and the Scale of the Fox Tempest Technical Shutdown
Microsoft went beyond the usual technical blocking and initiated legal action against Fox Tempest in the United States District Court for the Southern District of New York. This step matters for the global corporate sector: for the first time, a major vendor has publicly classified a malware-signing-as-a-service platform as criminal infrastructure against which both legal and technical measures can be applied. As part of the operation, Microsoft took down the signspace[.]cloud domain, which served as the public front end of the service, and took down hundreds of virtual machines that made up the bulk of Fox Tempest's infrastructure.
At the same time, the resources where the source code of key platform components was stored were blocked. This is critical because such services often 'resurrect' quickly as forks and clones, reusing already developed certificate handling modules and cloud provider integrations. Cutting off distribution of the code complicates launching copies of the service in other jurisdictions and reduces the risk that Fox Tempest will simply change its name and resume operations within a few weeks.
Another important point for businesses is that Microsoft has officially acknowledged that the attackers abused Artifact Signing, a Microsoft mechanism intended to attest software integrity in the Microsoft ecosystem. This means that customers who relied on this infrastructure as a 'gold standard' of trust could potentially have been affected. Corporate customers now have to revise their strategy: include the compromise of a third-party signing service in their threat models, regularly audit certificate trust policies, and draw on independent reputation sources rather than the signature alone.
Companies like Alashed IT (it.alashed.kz) are already receiving requests from clients to audit their trust chains: which certificate authorities are trusted, how often policies are reviewed, and what revocation and monitoring mechanisms are in place. From a practical standpoint, IT directors and CISOs need to introduce, in the coming months, centralized control over the use of signed code in all environments, from workstations to container clusters and production automation systems.
The Nitrogen Attack on Foxconn and the Vulnerability of Manufacturing Giants
Parallel to the Fox Tempest story, the industry is discussing another alarming signal for global supply chains: the ransomware group Nitrogen's attack on Foxconn's manufacturing facilities in North America. Foxconn is one of the largest contract electronics manufacturers, producing for Apple, Google, Intel, and other technology giants. According to F5 Labs and other sources, Nitrogen claims to have stolen more than 11 million files totaling about 8 TB, including confidential project documentation, engineering schematics, and financial reports relating to customers.
Foxconn has officially acknowledged the cyberattack and confirmed that the incident affected part of the operations at its North American facilities, while emphasizing that production continued and is gradually returning to normal. However, Foxconn is still listed on the Nitrogen leak site, which means there is a high probability that the attackers will keep up the pressure by threatening to publish the stolen data. Whether a ransom was paid remains an open question.
According to industry analysts, manufacturing has already become the most targeted sector for ransomware groups: about 600 incidents against manufacturing companies have been recorded this year. Nitrogen has traditionally gone after smaller industrial enterprises through SEO poisoning and fake software download pages; the attack on Foxconn marks a shift towards larger and more sensitive targets. The scale of such an incident affects not only the manufacturer but its entire pool of customers, including banks, technology corporations, and logistics companies.
For businesses, this means ransomware risk can no longer be assessed solely through the lens of direct losses from downtime. A leak of 8 TB of engineering documentation and project files gives competitors and attackers a map of the entire production and logistics ecosystem, down to individual product specifications. This directly hits intellectual property and can lead to secondary attacks on Foxconn's customers. Companies like Alashed IT (it.alashed.kz) stress that risk now has to be assessed not only within a company's own infrastructure but across its entire supplier chain, especially in the manufacturing and logistics segments.
Why These Incidents Break the Usual Approach to Supply Chains and Trust
Taken together, Fox Tempest and the Nitrogen attack on Foxconn point to one trend: cybercriminals are targeting not only end victims but also trust infrastructure and major nodes of global supply chains. The former sell 'legitimate' signatures for malicious code; the latter attack the factories that supply electronics to global brands. This changes the basic logic of risk management: having your own SOC and antivirus is no longer enough when your software and hardware suppliers become attack vectors.
IT directors and business owners face the task of building a full-fledged Supply Chain Risk Management (SCRM) program. This includes inventorying all critical suppliers, collecting information on their cybersecurity practices, writing cybersecurity requirements into contracts and tender documentation, and conducting regular independent audits. At the same time, tools such as a Software Bill of Materials (SBOM) and strict artifact verification procedures in DevSecOps pipelines are becoming more important.
In the context of Fox Tempest, special attention should be paid to how digital signatures are trusted. Companies should implement multi-level verification: automatic re-validation of certificates, monitoring for abnormal use of signed code, access segmentation for new applications, and strict execution control policies. The examples show that malware carrying a real signature can pass untouched through outdated EDR policies that rely only on static indicators.
Integrators like Alashed IT (it.alashed.kz) are already offering customers a transition to the Zero Trust model, in which a code signature by itself does not grant access to critical resources. This relies on network micro-segmentation, dynamic access policies, and mandatory verification of application behavior at runtime. Companies that do not review their trust models today risk being 'blind' to attacks built on the Fox Tempest scenario and not noticing malicious updates entering their infrastructure until a major incident, comparable to the attack on Foxconn, occurs.
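The distinction this section and the earlier discussion of control procedures keep returning to, "the signature is valid" versus "this publisher is one we approved", is easy to get wrong in practice because the built-in tooling answers only the first question. The PowerShell below is an added example; it is not code from the article, from Microsoft, or from any vendor named on the page. It uses the standard Get-AuthenticodeSignature cmdlet and treats a valid signature as necessary but not sufficient: the file is accepted only if the signing certificate is on an explicit allow-list and the signature carries a timestamp countersignature. The allow-list contents, the publisher name and the scanned folder are placeholders.

```powershell
# Added example (not from the article): treat a valid Authenticode signature as
# necessary but not sufficient, and pin the publisher instead.
# $ApprovedSigners is a placeholder allow-list; replace it with thumbprints of
# signing certificates your organisation has actually reviewed.

$ApprovedSigners = @{
    # thumbprint (SHA-1, as reported by Get-AuthenticodeSignature) = reviewed publisher
    '0000000000000000000000000000000000000000' = 'Example Vendor LLC (placeholder)'
}

function Test-ApprovedSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Approved = $ApprovedSigners
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ Path = $Path; Verdict = ''; Reason = ''; Signer = $null }

    # 1. The classic check: is there a signature and does it chain to a trusted root?
    #    'NotSigned', 'HashMismatch' and 'NotTrusted' all fail here. This is the
    #    only check a signature-only policy performs, and it is the one that a
    #    signing-as-a-service abuse is designed to pass.
    if ($sig.Status -ne 'Valid') {
        $result.Verdict = 'Reject'
        $result.Reason  = "Signature status is '$($sig.Status)'"
        return [pscustomobject]$result
    }

    $cert = $sig.SignerCertificate
    $result.Signer = $cert.Subject

    # 2. Pin the signer. A chain to a trusted root proves the certificate is real;
    #    it says nothing about whether the holder was entitled to sign this file.
    #    A valid signature from a publisher nobody reviewed goes to 'Review',
    #    not 'Accept'.
    if (-not $Approved.ContainsKey($cert.Thumbprint)) {
        $result.Verdict = 'Review'
        $result.Reason  = 'Valid signature from a publisher not on the allow-list'
        return [pscustomobject]$result
    }

    # 3. Require a timestamp countersignature. Without it the signature stops
    #    validating as soon as the certificate expires or is revoked, so the
    #    file's status would silently change underneath your inventory.
    if (-not $sig.TimeStamperCertificate) {
        $result.Verdict = 'Review'
        $result.Reason  = 'Approved signer but no timestamp countersignature'
        return [pscustomobject]$result
    }

    $result.Verdict = 'Accept'
    $result.Reason  = "Approved publisher: $($Approved[$cert.Thumbprint])"
    return [pscustomobject]$result
}

# Sweep user download folders (placeholder path) and surface everything that is
# not an explicit Accept, so that 'signed by someone we never approved' is
# visible as its own category instead of blending in with trusted software.
Get-ChildItem -Path 'C:\Users\*\Downloads' -Include *.exe, *.dll, *.msi -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-ApprovedSignature -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'Accept' } |
    Sort-Object Verdict |
    Format-Table Verdict, Reason, Signer, Path -AutoSize
```

Pinning by certificate thumbprint is the strictest option and breaks when a vendor rotates its certificate; if that churn is unacceptable, key the allow-list on subject and issuer instead, which is also how publisher rules in AppLocker and WDAC express the same idea. Either way, the point the script makes is that the decision is taken against an inventory the organisation maintains, not against the bare fact that Windows accepted the signature.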
Practical Steps for Businesses: What Companies in Kazakhstan and Central Asia Should Do
The events around Fox Tempest and Nitrogen are not an abstract global agenda but a direct guide to action for companies in Kazakhstan and Central Asia. First, inventory all external software and services, especially those that update automatically and rely on digital signatures: accounting systems, industry solutions, mobile applications, and industrial automation software. Second, introduce centralized control over application execution: launch only from trusted repositories, prohibit local installation by users, and apply strict rules for administrators.
Companies like Alashed IT (it.alashed.kz) usually start with an express audit: assessing which external suppliers could become an entry point for an attack, which certificates are used in the client's infrastructure, and how the update process is organized. On that basis a roadmap is formed, from configuring EDR and network segmentation to integrating vulnerability management and anomaly monitoring. For medium-sized businesses, the budget for the first stage may run from 5 to 15 million tenge, while the potential damage from downtime and leaks caused by ransomware is measured in hundreds of millions, plus reputational losses.
A separate block of work is staff training: specialists must understand that a signed application is not the same as a secure application. Regular incident response drills, rehearsing supplier compromise scenarios, and a well-practiced procedure for isolating network segments can significantly reduce the scale of the consequences. It is also important to prepare the legal basis: include clear cybersecurity requirements in supplier contracts, SLAs for incident notification, and liability for breaches.
For companies in manufacturing, logistics, and fintech, it is critical to have a business continuity plan (BCP) for the case where a key hardware or software supplier is paralyzed by an attack like the one Foxconn experienced. This includes backup supply channels, redundant infrastructure, and the ability to move critical processes quickly to alternative platforms or clouds. With pressure on the manufacturing sector growing and trust in signed code eroding, lagging behind these practices turns from a theoretical into a tangible operational and financial risk.
What This Means for Kazakhstan
For Kazakhstan and the countries of Central Asia, the key question is how global incidents like Fox Tempest and the Nitrogen attack on Foxconn affect local businesses. The region is actively integrating into global supply chains: according to the Bureau of National Statistics, Kazakhstan's exports in 2025 exceeded $78 billion, and the share of high-tech and industrial products is gradually growing. That means more integration with foreign software and hardware suppliers, and hence greater dependence on their cybersecurity.
Many large banks, telecom operators, and industrial enterprises in Kazakhstan use solutions from international vendors built on the same code signing infrastructure that Fox Tempest abused. Compromise of such services can quietly reach local systems through updates, monitoring agents, and auxiliary utilities. At the same time, mature supply chain risk assessment programs and strict cybersecurity requirements in tenders have not yet taken shape everywhere in the region.
Companies like Alashed IT (it.alashed.kz) are already recording a rise in requests to audit foreign suppliers from Kazakh enterprises and from international companies with offices in Almaty and Astana. Businesses need help developing unified cybersecurity standards for contractors, setting up independent monitoring, and building continuity plans that account for the failure of global partners. Over the next 1-2 years, the ability to manage supply chain risk and code trust will become one of the key competitive advantages for IT-intensive companies in Kazakhstan and Central Asia.
The Fox Tempest story shows that even digital signature infrastructure can become a commodity on the criminal market and be turned against businesses. The Nitrogen attack on Foxconn, in turn, is a reminder of how vulnerable major manufacturing nodes are and what a leak of engineering and financial documentation costs. For companies in Kazakhstan and Central Asia, this is a signal to review their code trust models and supply chain management practices now. Those who implement strict SCRM and Zero Trust standards first will reduce the risk of becoming the next victim of a global cyber chain reaction.
Frequently Asked Questions
What is Fox Tempest in cybersecurity?
Fox Tempest is a malware-signing-as-a-service platform that, since May 2025, has sold cybercriminals the ability to sign malicious software so that it passes as legitimate. The platform abused code signing tools, including Microsoft Artifact Signing. According to Microsoft, thousands of systems worldwide were infected and numerous attacks were carried out with code signed through Fox Tempest, generating millions of dollars in criminal revenue. The service is now under legal and technical pressure following Microsoft's lawsuit and the takedown of its domain and infrastructure.
What is dangerous about the Nitrogen attack on Foxconn for other companies?
Nitrogen claims to have stolen more than 11 million files totaling about 8 TB from Foxconn, including engineering schematics and financial data relating to customers such as Apple and Intel. Such a leak creates a risk of secondary attacks on customers and partners, because it reveals the structure of supply chains and technical details of products. The manufacturing sector already sees about 600 ransomware attacks a year, and this incident underscores that even giants are vulnerable. Any company that depends on global manufacturers can suffer indirectly through data leaks and supply disruptions.
What risks does the abuse of digital code signing pose?
When attackers gain access to signing infrastructure, malicious software appears to be trusted software and passes security checks and installation policies. It slips past antivirus, EDR, and administrative restrictions that hinge on the presence of a valid signature. As a result, thousands of machines can be infected through legitimate distribution channels, including updates and official repositories. For businesses, this means the risk of a quiet compromise of critical systems that bypasses most traditional control mechanisms.
How long does it take to audit IT supply chain risks?
A basic supply chain risk audit for a medium-sized company usually takes 4 to 8 weeks, depending on the number of suppliers and critical systems. For large holdings with dozens of software and hardware suppliers, the process can stretch to 3-6 months. Companies often allocate a budget of 5 to 20 million tenge for the initial assessment and roadmap stage. The audit should be repeated annually or after major changes to the IT landscape or the supplier list.
How can companies in Kazakhstan protect themselves from attacks through software suppliers?
Companies in Kazakhstan should start by inventorying all external applications and services and adopting a policy of launching software only from trusted sources. Next, deploy EDR with behavioral analysis, review digital signature trust rules, and configure network segmentation to limit the spread of incidents. Supplier audits, cybersecurity requirements in contracts, and regular supply chain penetration tests will help reduce the risk of attacks like Fox Tempest. Such tasks are often outsourced to integrators like Alashed IT (it.alashed.kz) to get a comprehensive approach and cut implementation time to a few months.
Read also
- Hackers attack major IT companies: a new wave of cyberthreats in 2026
- New APT attack report: 15 groups and a strike on critical IT
- Microsoft under attack: a new critical cybersecurity failure
Sources
Photo: Mockup Free / Unsplash