SolarWinds: What are Supply-Chain Attacks?
What exactly are supply-chain attacks, and how can they be prevented?
Here’s what you need to know.
What is a supply-chain attack?
An organization’s supply network is usually composed of several third parties, including manufacturers, suppliers, handlers, shippers and customers, to name a few. In a supply-chain attack, threat actors look for a vulnerability in the intended target or, if they can’t penetrate that organization directly, in an associated third party.
In other words, if hackers can’t get into one organization, they’ll often target one of the entities in its supply chain network. Subsequently, they exploit that organization’s vulnerabilities to reach their end goal.
If they succeed, the attack can compromise goods, services or technology. It can also result in the theft of sensitive information, exposure of proprietary or secret documents and unauthorized access to additional systems. Essentially, threat actors seek the weak link in the supply chain where they can escape detection. They may find vulnerabilities in:
- Unsecured network protocols
- Unprotected server infrastructures
- Unsafe coding practices
Once these, or other, vulnerabilities are identified, hackers design their attack to infiltrate and disrupt. If successful, hackers introduce a threat where the number of victims can be in the tens of thousands or more, depending on how many organizations are connected to the party that was breached.
The scary part about a supply-chain attack is that it significantly widens the number of victims under the guise of legitimacy. Once access is gained, everyone connected becomes at risk.
How do supply-chain attacks work?
Supply-chain attacks come in many shapes and forms, and risks can vary depending on how the attacker has positioned their hack or the type of malware they’ve inserted.
Threat actors use a variety of illicit approaches to exploit their target(s). They may break into a system, hide malware, add tracking software or change source code, to name a few approaches. As examples, hackers may:
- Compromise a supplier’s email account and distribute malware, and design the email to appear as coming from a legitimate source.
- Steal a vendor’s credentials and use them to break into a system and gain access to internal areas only authorized persons are permitted into.
- Contaminate open-source software, which is widely used by many, ensuring it gets distributed without developer knowledge.
- Insert themselves into an app that is widely used by millions by altering code or using code-signing certificates stolen from the development company.
- Compromise proprietary software build tools or update infrastructure.
- Insert themselves into specialized code used in hardware or firmware.
- Exploit pre-installed software by adding malware to devices, such as USBs, phones and cameras.
The SolarWinds hack was a prime example
A good example of a supply-chain attack is the recent and highly publicized SolarWinds hack. This attack was the result of hackers targeting the company’s flagship software, Orion, and inserting malware code into its routine software updates.
The problem is that the malware is disguised as an authentic piece of software or download and is placed in such a way that it gets distributed as such. This attack gives no warning or even any signal that a threat exists. As a result, the original organization is penetrated and, once that occurs, hackers can infiltrate any customers or users connected to the target. Tech companies and IT providers are common targets for threat actors because of the nature of software, patch and update distribution. If successful, hackers can reach a long list of victims.
Why are supply-chain attacks so dangerous?
One of the significant worries about supply-chain attacks is victims have absolutely no clue and often don’t even see any warning signs that something is amiss. The problem is due to the nature of these attacks—the software is built and released by trusted entities or credentials are authorized.
Many of the protective measures put into place against infiltration are bypassed because the vendor is trusted, so any malicious code or other illicit entry opportunities they send are signed and certified, granting full permissions. As a result, the hack won’t be flagged as a problem. Victims won’t know for months, or longer, that they’ve been breached.
If the targeted organization has hundreds of thousands or even a million users (such as in the case of popular apps), the hacker’s reach has the potential to be enormous. We shouldn’t exclude the fact that many organizations aren’t prepared to respond to these and many other types of cybersecurity attacks. Analysts suggest the fallout from the SolarWinds attack is massive. Aside from the fact it affected up to 18,000 organizations, including several U.S. federal agencies, the breach could cost companies billions of dollars.
At this time, cyber insurance vendors are expected to pay out $90 million to those insured. But it’s more than the monetary losses that these organizations are worried about. In the case of U.S. federal departments, it’s a significant security risk to the entire nation. For private companies, proprietary information could be lost, which could be devastating to those businesses. Anyone using technology can also be at risk, since even cybersecurity vendors have been successfully breached by supply-chain attacks, impacting their clients. Essentially, any organization or individual that relies upon a third-party provider is at risk if that party is compromised. Even tech giants like Microsoft were affected by the SolarWinds hack.
Other notable supply-chain attacks
SolarWinds gained a lot of press since the news broke in December 2020. However, supply-chain attacks are not new. Over the years, there have been several other notable supply-chain attacks.
- Target. Probably one of the most publicized supply-chain attacks, Target was victimized in 2013. In the attack, hackers compromised an HVAC vendor’s credentials and used them to access Target’s systems. As a result, the personally identifiable information of 70 million consumers was exposed. Part of the problem was the questionable security practices on the vendor’s part, but Target also neglected to segregate its internal systems to restrict entry into certain areas of the business.
- RSA Security. In 2011, RSA Security was compromised through a phishing email sent to employees. As a result, malware was released, which was able to swipe credentials from anyone who downloaded the Trojan. Later on, Lockheed Martin, a major U.S. defense contractor and one of RSA Security’s customers, was also hacked as a result of the original attack.
- Stuxnet Worm. This was big news in 2010 when it emerged that Iran’s nuclear facilities were affected. Believed to be a cyber-weapon, this supply-chain attack highlighted the weaknesses associated with utility and energy infrastructure.
In March 2020, it was reported that almost 300 supply chain cybersecurity incidents had occurred in 2019. The most crippling attacks involved ransomware. As supply chains become more digitized, there is an increased risk for all organizations. It’s important to be aware, develop safe practices and take as many precautions as possible.
How to defend yourself against supply-chain attacks
As technology became a routine part of business, many organizations approached their cybersecurity strategies reactively. This doesn’t cut it anymore. To maintain the integrity of their technologies, companies need to be proactive. Being proactive doesn’t completely eliminate the risks, but it can go a long way toward reducing the number of events occurring and mitigate the reach of any attack.
Steps you can take to defend yourself against supply chain attacks include:
- Beef up access controls. Limit authorized access to an “as needed” basis—there is no reason for employees or vendors to have access to areas of IT systems they don’t specifically need to gain entry to.
- Enforce multi-factor authentication. The stronger authentication is, the less likely bad actors will be able to use legitimate credentials illicitly.
- Strengthen software development environments. Ensure any development environments are secured, require multi-factor authentication, check that software releases match the source code, configure them so only approved apps are authorized to run, and always apply OS and software security patches.
- Perform penetration testing. Let the good guys test your systems through ethical and simulated attacks to see where, if any, vulnerabilities exist.
- Develop an incident response plan. Be prepared to disclose any incidents and formulate a way to notify customers and partners with timely and transparent information.
- Practice transparency. Give transparency to your vendors and customers, but also expect the same in return. Ask vendors to supply all the code components used; this way, it’s easier to identify any potential vulnerabilities and get them sealed off.
- Perform ongoing monitoring internally and externally. Especially monitor remote access given to vendors, be sure you use multi-factor authentication and be careful about which privileges you grant (to avoid a Target-like scenario).
- Back up data. Maintain routine backup schedules to ensure that any compromised data can be recovered after an attack. A solid data backup system is especially crucial in situations where widespread file changes have occurred, as in a ransomware attack.
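One concrete form of the “check that software releases match the source code” step above is to compare what actually ships against a digest manifest produced by the trusted build. The script below is an added example, not code from the original article or from any vendor; it assumes a sha256sum-style manifest (`<hex digest>  <filename>`) and constructs its own sample release in a temporary directory. It flags the three things a tampered update can exhibit: a listed file whose contents changed, a file that was never part of the build but was added to the package, and a listed file that is missing.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (sha256sum format) into {name: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected

def verify_release(release_dir, manifest_text):
    """Pass only if every shipped file is listed and every listed file matches."""
    expected = parse_manifest(manifest_text)
    present = sorted(os.listdir(release_dir))
    findings = [f"not in manifest: {n}" for n in present if n not in expected]
    for name in present:
        if name in expected and not hmac.compare_digest(
                sha256_file(os.path.join(release_dir, name)), expected[name]):
            findings.append(f"digest mismatch: {name}")
    findings += [f"missing from release: {n}" for n in expected if n not in present]
    return (not findings, findings)

def demo():
    # Constructed sample release: one intact file, one modified after the
    # manifest was produced, and one extra artifact the build never emitted.
    d = tempfile.mkdtemp()
    for name, data in [("installer.bin", b"original installer bytes"),
                       ("helper.dll", b"helper\x00"), ("extra.dll", b"unlisted")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(b).hexdigest()}  {n}" for n, b in
                         [("installer.bin", b"original installer bytes"),
                          ("helper.dll", b"helper"), ("README.txt", b"docs")])
    return verify_release(d, manifest)
```

In practice the manifest itself must come from a source the attacker cannot rewrite, such as a signed file obtained out of band from the update channel; a manifest shipped inside the tampered package proves nothing.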
Unfortunately, supply chain attacks use highly sophisticated measures and are difficult to detect. However, conducting routine supply chain risk assessments and working to proactively identify known vulnerabilities can help significantly reduce threats.
Take charge of your cybersecurity
Threat actors don’t just attack large corporations; they actively target small and medium-sized businesses (SMBs) to conduct supply-chain attacks, along with other types of exploits. They assume SMBs don’t have the resources to adequately protect themselves, and statistics show their assumption is correct. Taking proactive steps goes a long way toward identifying vulnerabilities and avoiding falling victim to cyberattacks, which can cause significant disruption and damage your brand’s good name.
Learn more about protecting your organization from cyberattacks and rapidly recovering systems with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.