So What Exactly is a Supply Chain Attack?

Imagine that you get an email from one of your friends? Imagine that you were both at the same party and that he had some pictures he wanted to share with you. He’s done this sort of thing before. His email address checks out so, no problem, right? You open the photos and they are real. You write back and thank him for the photos. He writes back and asks you what photos you are talking about. That’s when you know something’s wrong. You suspect that someone may have gotten into his email account and sent you a message. They may have gotten access to photos he sent to someone else or maybe they got access to his computer and found them. Still, nothing seems to have happened to your smartphone or computer. All seems normal. Eventually, you forget about it and go back to your normal cyber life.

But, in fact, you really have been hacked. Someone may be remotely accessing your computer and looking through your files. They may be capturing your passwords and banking information but your antivirus detects nothing unusual. When they have finished getting what they wanted from you, they may leave and erase all evidence that they were ever there. You go about living your life none the wiser until someday you get a message from a friend thanking you for the pictures you never sent.

In a simple way, this is how a supply chain attack works. Your firm, organization, or company may have all the best cybersecurity tools at its disposal. Fine. But do the clients and suppliers that you routinely communicate with have the same level of protection? If not, then a good hacker could find a weak spot in their defenses and use it to begin a supply chain attack targeting your company . All it takes is one device that lacks sufficient protection. One vulnerable device connected to their network and the whole network is exposed. That’s when the trouble begins. The hackers, if they are good enough, move through the network and gather information on connections to bigger enterprises, bigger networks, and, armed with this information, they begin to design their next attack.

This attack on a higher network usually begins with a spearphishing attack on a specific employee. Usually, an employee with administrative rights is chosen. If successful, the targeted employee will open an attachment which will release malware onto the targeted network. The malware will lie low and may not even begin its operations for some time so that the email is not connected to the future attack. The installed malware will do some reconnaissance on the network to discover what vulnerabilities the attackers may be able to exploit. Often, they look for unpatched/un-updated software. But, whatever it finds, it sends back to the hackers.

The goal of larger hacking groups, often connected to nation states, is rarely the small companies that they attack. Small companies are merely a means to an end. In fact, the smaller the company, the better. From this seemingly innocent platform, they can work their way up the supply chain until they get to the real target; a target that would be inaccessible through normal hacking means.

It seems clear from the above that networks need to be comprehensibly managed in such a way that intrusions exploiting weak endpoints and other attack vectors are thwarted. It’s a big job as attackers keep developing new ways to work their way into networks using whatever the latest bug that has been discovered. This is why such cybersecurity firms have such frequent updates.

There are a number of companies who provide such network management services and one of the biggest of these is a firm called, SolarWinds. The SolarWinds’ network management product is called, Orion. It is deployed by numerous firms as well as key federal government agencies. So, if my real target was a major government agency, which I knew was too well-protected by the Orion platform to hack into directly, I would try to work my way upstream to see if, maybe, any suppliers of components to the Orion platform could be compromised. I may have to go a long way upstream. I may have to target firms that make components for components until I find an entrance into the supply chain. When Target was hacked through a supply chain attack, the criminals had to use a connection to Fazio Mechanical Service, a company that took care of Target’s heating and air conditioning systems.

The result of the intrusion was that the credit card information of 40 million customers was stolen. Target spent $61 million cleaning up after the attack and are still fighting over 90 lawsuits.

It is reported that SolarWinds’ Orion update server used the password, solarwinds123. Thus, it certainly wouldn’t take much skill to breach the network. Others have found account usernames and passwords dumped online, some of which allowed for administrative rights. Although I have seen these credentials, I can’t verify their viability. But that really doesn’t matter. Orion was breached and the attackers managed to write code into the update that delivered backdoor malware to SolarWinds’ unsuspecting customers. After all, if you can’t trust the company responsible for your cybersecurity, who can you trust?

Those enterprises using the Orion platform would only see that an update was available. It happens all the time. Some may have even opted for automatic updates. Clearly, installing the updates led to installing malware. This was spying malware. This conclusion was reached by seeing the type of data that was sent back to the attackers’ servers. However, the specifics of what has been lost during these widespread attacks on government agencies and private companies has yet to be divulged. In fact, it may take a long time to assess just what data was compromised.

At one time, SolarWinds bragged about its extensive customer base. However, after they were hacked, they almost instantly removed this page from their website, but here is part of it.

This list serves as a sobering indication of the alarming potential extent of this hack. It must be assumed that the data from all of these customers were compromised. Just how badly they were compromised remains to be seen. Among the private firms potentially victimized were Microsoft, Visa, Yahoo, Federal Express, The Gates Foundation, Lockheed Martin, MasterCard, Gartner, Ford Motors, The New York Times, CBS, The Kennedy Space Center, The US Postal Service, The US Secret Service, The US Department of Defense, San Francisco International Airport, The City of Tampa, and the City of Nashville. This is to say, there’s a lot of potential trouble in the offing.

The exposure of large enterprise networks to internet communications has largely been mitigated. Yet, this exposure does not end with the local network. Customers and suppliers who leave themselves exposed to internet traffic are actually putting the larger enterprises they work with in danger of a supply chain attack. Thus, after this attack, there has been an increased interest in better ways to protect vulnerable endpoints on these supply chain networks. Certainly, new, more unique forms of protection need to be investigated. Though many endpoint protection programs exist, most are not particularly innovative. There are exceptions, however. For example, the company I’m associated with, InZero Systems, offers patented technology that can, in effect, make one device, one potential endpoint, into two devices. They can, for example, make one phone into two phones by using technology that initiates separation at the hardware level. The separation allows a user to do whatever they want on one side of their phone while protecting the network on the other, secure side of the phone. A hardware barrier is established that protects the network from direct internet exposure. Such technologies need to be considered because supply chain attacks need to be stopped at their entry points.

The SolarWinds attack has yet to play out in its entirety. It is possible the agencies and firms listed above will themselves be used to penetrate even further into the government and private sector. This could get real messy. Although initial attribution has been  assigned to Russia, it worries me that such a well-designed attack would leave such obvious links to its sources. But to those who are left with recovering from these attacks, I suppose attribution is a minor point.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s