What is a supply chain attack?
The SolarWinds hack is an example of a supply chain attack, in which a hacker penetrates a target organization via a trusted third party. In this case, the Russian SVR foreign intelligence agency leveraged the trusted vendor/customer relationship between SolarWinds and a range of government agencies and corporations to penetrate those organizations. It did this by inserting malware into a SolarWinds product update. Once the customers installed the trojan horse, the SVR had a foothold in their networks.

Trust is what makes a supply chain attack successful. The target organizations did not inspect the SolarWinds software with the diligence they would apply to other external software programs because they trusted the source. In fact, the product update was digitally signed by SolarWinds to indicate it hadn’t been tampered with.

It isn’t clear exactly how the SVR gained access to the SolarWinds software development environment and managed to inject its malware into a product update. Based on reporting, it may have exploited vulnerabilities in Microsoft Office 365 and the Azure cloud service to access the SolarWinds network at least six months prior to distribution of the update. Clearly, the SVR hacking team, known as Cozy Bear, is an advanced persistent threat group with the discipline and resources to orchestrate sophisticated attacks without detection.

SolarWinds attack wreaks havoc on over 100 organizations
SolarWinds software is widely used by Fortune-ranked companies, governments and nonprofits to monitor and manage their networks. It was an ideal vehicle for the SVR to access those organizations. It gave the SVR the potential to exploit up to 18,000 organizations around the globe. However, forensic analysis indicates the SVR chose to enter only about 100 high value U.S. targets, including:

U.S. Government: Departments of Commerce, Justice, Defense, Homeland Security, Energy, State, Treasury, plus NIH
Technology Companies: Microsoft, Intel, Cisco, Nvidia, VMware, NCR, SAP, Belkin, Check Point and FireEye
Telecommunications: Cox Communications, Comcast, AT&T
Consulting Firms: Deloitte

The SVR’s objective was espionage. Reports indicate it was able to read email sent and received by the target organizations. FireEye reported the hackers copied the company’s “red team” tools for probing cyber defenses. The full extent of the exploits has not been disclosed and it’s impossible to measure the damage done by the attack.

Target organizations typically install SolarWinds software in the core of their networks, which is ideal for an attacker. From this foothold, the SVR exfiltrated files and moved laterally into other systems. Cozy Bear moved slowly and methodically within its targets, taking care not to trigger any alarms.

Supply chain attacks can be orchestrated by less capable hackers than a nation-state and may target any type of organization. The simplest type of supply chain attack is perpetrated by stealing login credentials from a third party that has access to the target organization. Stolen or misused credentials were associated with 38% of attacks in 2020. This is the vector used against the Target department store chain in 2013, when point of sale systems were breached using login credentials stolen from an HVAC contractor.
Small and medium-sized businesses (SMBs) can be attractive targets for ransomware, fraud, theft of intellectual property, or as an avenue toward a larger downstream organization in a cascading supply chain. Hackers can realize a high ROI against SMBs when the cost to carry out a supply chain attack is relatively low. Certainly, stolen credentials provide hackers a very low-cost attack vector.

Trust is the common attribute in the stolen credentials and trojan malware attack vectors. The target organization lowers its defenses for third parties that it trusts, and this presents the opening a hacker needs to carry out the crime.