In recent articles, we’ve argued that software supply chain attacks are among the most serious cyber threats of our time—and given recommendations for how regulators could help solve the problem.
But how much of a threat do software supply chain attacks really pose to the U.S.?
What is a Software Supply Chain Attack?
To quickly recap—in a software supply chain attack, a hacking group infiltrates a technology vendor’s network to abuse its trusted relationship with customers and partners. The ultimate goal of this type of attack is to gain access to the networks of one or more high-value organizations.
Often, the real target is an organization with high cyber maturity that would be difficult to breach directly. Rather than invest time and resources to infiltrate the target directly, hacking groups instead infiltrate the organization’s suppliers and abuse any legitimate connections they have with the target.
Software Supply Chain Attacks Aren’t New
Supply chain attacks have been around for a long time, but attacks against the software supply chain have arisen mainly over the last decade. Early examples include:
- Lockheed Martin. In 2011, a hacking group infiltrated Lockheed and other U.S. military contractors using legitimate MFA credentials stolen from a major security provider.
- Target. In 2014, another group successfully breached retail giant Target, this time using legitimate credentials stolen from an HVAC supplier.
However, while these two attacks were undoubtedly effective—and a serious concern for the U.S.—they were rudimentary by today’s standards.
2020 saw undoubtedly the most advanced software supply chain attacks uncovered to date. The attack was a sustained, highly advanced operation by a suspected nation-state-sponsored hacking group. It exploited vulnerabilities in Microsoft and VMware products to target a laundry list of high-value targets—including U.S. federal agencies, NATO, the UK government, the European Parliament, and more.
The attack became known as the ‘SolarWinds hack’ because it abused the network and infrastructure management solutions company’s infrastructure. SolarWinds’ Orion platform is used by around 30,000 public and private organizations, including U.S. federal agencies. Having infiltrated the company’s network, the attackers embedded remote access tools into software updates for the Origin Platform, which were then installed by the group’s real targets.
And it’s not just government agencies that are at risk from software supply chain attacks.
Last year, the highly-publicized Kaseya attack began a new trend. Instead of targeting specific, high-value targets, the group responsible for the attack abused Kaseya’s trusted relationship with its customers to distribute ransomware to as many victims as possible.
Simply, by exploiting a simple vulnerability in Kaseya’s VSA product—a platform used by managed service providers for remote access and control of customer networks—the group was able to breach 60 MSPs and 1,500 downstream businesses.
The Common Component: Trust
The key risk factor in software supply chain attacks is trust.
Most organizations inherently trust their software suppliers. They assume adequate precautions have been taken and, in many cases, allow software providers a high level of access to their networks. Even worse, most organizations implicitly trust new software patches and updates from existing vendors—they install them promptly without any additional checks or queries.
So, what happens if a hacking group compromises a software product or update? Often, they can gain direct, privileged access to customers’ networks.
Herein lies the problem.
There’s a reason why organizations take this ‘carefree’ attitude towards software suppliers… and it isn’t because they don’t consider cybersecurity a priority. It is logistically impossible for most organizations to vet the security of every software vendor, product, and patch they use. And, as we’ve seen, a successful attack against just one software vendor could render an organization’s entire cybersecurity program worthless.
Most organizations use dozens—even hundreds— of software products. Undoubtedly, some of those products are highly secure… but others likely aren’t. In practice, many software components are widely used by large organizations despite being poorly secured—because there are no viable alternatives.
Why is This So Dangerous for the U.S.?
Further software supply chain attacks against critical U.S. targets are a certainty. As a nation, we have a long list of political, economic, and (sometimes) military adversaries that would benefit from disrupting our infrastructure or stealing state or industry secrets.
It is highly likely that some adversaries have already compromised U.S.-based technology vendors and are simply waiting for a chance to carry out attacks against one or more high-value targets. The consequences of such an attack could include:
- Severe disruption to government, public services, or critical infrastructure.
- Theft of classified government or industry data.
- Theft of U.S. citizens’ personally identifiable information (PII).
- Theft of secrets that allow political, economic, or military rivals to gain an advantage over the U.S.
Protecting the U.S. From Software Supply Chain Attacks
Our new white paper, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have on federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
Download your free copy today.
May 3, 2022