Software supply chain attacks can be devastating.
The formula is simple. A bad actor compromises a technology vendor’s infrastructure and abuses its privileged relationship with customers to access one or more target networks.
Once inside, the actor gradually expands its presence and capabilities by moving through the network and installing malicious software.
But what could the consequences be?
Two (of Many) High-Profile Software Supply Chain Attacks
The consequences of a software supply chain attack depend on the bad actor’s motive, resources, and skill. Common motives include extortion, data theft, espionage, and sabotage.
For private organizations, the cost of investigating, resolving, and recovering from software supply chain attacks can be crippling. However, the real consequences of software supply chain attacks can be far more dangerous.
High-profile examples of these dangers include:
Lockheed Martin—in 2011, three U.S. military contractors (including Lockheed) were infiltrated using multi-factor authentication codes stolen from network security vendor RSA. Lockheed Martin is among the most prominent U.S. defense contractors—its contracts include the development of a plethora of military hardware and vehicles, including the F-35 Lightning aircraft and PAC-3 missile.
While officially nothing was compromised, an attack like this poses a clear threat to national security.
U.S. Government et al.—in 2020, a supply chain attack by an alleged Russian state-sponsored group compromised at least 12 U.S. Federal Agencies, NATO, European Parliament, UK Government, and several global technology companies.
The attack exploited software and credentials from Microsoft, VMware, and SolarWinds. It led to the theft of so much data that, if printed out, it might total the size of “several Washington Monuments.” Commentators suggested the stolen data could increase the attacker’s influence for years and even inform hard attacks against targets like the CIA or NSA.
The attack on SolarWinds was an inflection point. For years there have been theories about sophisticated groups that could bring resources to bear over months or years to compromise a target. We now know these groups exist, and they aren’t just targeting government agencies. Tim Brown, VP of Security Architecture and CISO at SolarWinds, explains why these attacks pose such a substantial risk:
“It’s not that we couldn’t have done better. We could have. But we didn’t have any major weaknesses. Our security hygiene and visibility were good. Our tooling and vulnerability detections were good. But in the face of a patient, dedicated, skilled adversary, they weren’t good enough.”
There are fears that similar supply chain attacks could be employed against critical infrastructure providers. While not a supply chain attack, the Colonial Pipeline hack demonstrated the impact a cyber attack can have on critical infrastructure, prompting President Biden to sign Executive Order 14028.
What Damage Could a Software Supply Chain Attack Cause the U.S.?
The examples above highlight some of the dangers of software supply chain attacks, but they don’t fully demonstrate the potential consequences.
Further successful supply chain attacks against targets in the U.S. are all but guaranteed. The U.S. has many political and economic adversaries with a clear vested interest in carrying out attacks to disrupt infrastructure, stealing state secrets, and conducting industrial espionage. These adversaries are continually probing U.S. organizations, searching for weaknesses that may allow them access to their real targets.
In all probability, some of these adversaries already have a foothold within the environments of key supply chain targets, waiting for an opportunity to infiltrate high-value targets. The consequences of one of these attacks will likely include:
- Severe disruption to federal agencies, public services, and/or critical infrastructure.
- Loss, theft, or interference of classified government data by criminals or nation-states.
- Theft of U.S. citizens’ personally identifiable information (PII).
- Theft of data or digital assets that could allow rival nations to gain an advantage over the U.S. in trade, intelligence, or military action.
Of course, the consequences of a supply chain attack aren’t limited to branches of the U.S. government or critical infrastructure providers. Advanced threat groups have (and will continue to) infiltrate other targets of interest in the private sector, including universities, pharmaceutical providers, hospitals, technology vendors, and more. Common motives include espionage, sabotage, and profit.
Protecting the U.S. From Software Supply Chain Attacks
When securing their software supply chain, the best path for organizations who may not know where to begin is to first start with supply chain integrity.
Securing the Software Supply Chain with System Integrity
Utilizing a system and file integrity monitoring tool can help identify when a supply chain attack is in process. For organizations, having these technical controls in place is a key player in providing insight to identify in real-time when unexpected changes happen.
Our new white paper, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have on federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
March 2, 2022