What are supply chain attacks?
Supply chain attacks damage victim organizations by targeting less secure elements in their supply chain; for example, by injecting a trojan horse into a software or hardware component produced by one of their suppliers.
Once within the target organization’s network, the trojan often pivots, spreading laterally to infect other machines or stealing sensitive data from information systems by taking advantage of additional vulnerabilities. This lateral spread is made easier by the less strict security measures that are frequently employed within internal corporate networks.
The SolarWinds attack is believed to be one of the worst cyber-espionage cases in history. In March 2020, a major cyberattack by a group backed by a foreign government, believed to be Russian, penetrated thousands of organizations, including multiple parts of the United States federal government, private security companies, the European Parliament and NATO, via software released by SolarWinds, leading to data breaches.
This was a supply chain attack: the attackers accessed the SolarWinds build system and injected a malicious trojan, which was then inadvertently distributed by SolarWinds and installed as an update by all users of this software; 18,000 government and private users downloaded the compromised versions.
The breach was discovered and made public in December 2020 by the cybersecurity firm FireEye, itself an Orion user, which found that its “red team” tools, the tools it uses for hacking in authorized engagements, had been stolen.
Once inside the network, the attackers pivoted and used additional vulnerabilities to spread within the organization’s internal networks.
Microsoft was also targeted, and the Orion compromise is known to have allowed the attackers to steal source code from several of Microsoft’s source code repositories, although, as is typical for large suppliers, Microsoft tried to downplay the significance of the attack. The harsh reality is that it cannot, and nobody will ever know the full impact of this attack.
What can we learn from this attack?
Ask yourself: how did a trojan manage to evade detection after being installed in 18,000 sensitive networks, operating without disruption for at least 9 months, from March to December 2020?
Enterprise and government organizations need to face a hard truth: they don’t have visibility into the security processes of their IT vendors. At a time when cloud services have become mainstream elements of the IT agenda, it’s jarring to see Microsoft, VMware and many other cloud vendors impacted by this attack.
Let the SolarWinds hack serve as a wake-up call to build high walls around your data:
- Ensure that you generate and own your data encryption keys, and that no one, not even your cloud provider, can access or control them. Completely protecting your data from any third party ensures your data is not exposed in the event of a hack.
- As part of your vendor management program, require your IT suppliers to implement stringent supply chain security, using certifications such as the Open Trusted Technology Provider Standard (O-TTPS).
- Above all, you should always assume your internal networks are breached. Do not apply lower security standards to your internal networks. Employ the “Zero Trust” approach: Never Trust, Always Verify.
Thank you for reading and be safe!