Supply chain attack: is it worse than ransomware?

Ransomware, which for several years has been the curse of many IT administrators, has recently been somewhat overshadowed by attacks on supply chains. This was caused by the SolarWinds affair, the most serious hacking attack of 2020 and probably the largest of the decade.

What is a software supply chain attack?

In December 2020, information surfaced about a mass hacking attack targeting American government agencies, and consulting, technology and telecommunications firms in North America, Europe, Asia and the Middle East. Those involved in the IT industry probably heard for the first time about the concept of ‘supply chain attacks’. So what does it mean in practice?

The easiest way to explain it is to use the cyber-attack of the decade as an example. Everything started when hackers exploited the update server belonging to SolarWinds, which is one of the biggest providers of IT infrastructure management software. After that everything fell apart like a house of cards.

  • SolarWinds develops new software called Orion, which is highly popular among government agencies and firms on the Fortune 500 list. Just like other software providers, the company regularly sends updates to its clients.
  • Hackers attack SolarWinds and place their own malicious software in the updates distributed by the firm between March and June 2020.
  • Around 18 000 clients download the update, which acts like a Trojan horse and just waits for instructions from the hackers.
  • Some clients receive the instructions, and the computer running the SolarWinds software downloads more code, enabling the hackers to break into the network and steal data. The attackers use this to gain access to the email system, download software and carry out reconnaissance of the network.

As the above example shows, this type of attack is very convenient for the hackers as they don’t have to focus directly on their victims, but gain access to them indirectly, via other platforms used by the organizations. This criminal activity can take on a whole variety of forms. For example, firmware installed on a router gets infected with malicious code and becomes a serious threat to its users.

In April, media outlets worldwide described the interesting case of the Gigaset telephone, which runs on the Android operating system. Unsuspecting users of the device downloaded a software update from the manufacturer complete with... a trojan. A backdoor opened the browser window, downloaded other malicious applications and sent text messages in order to spread the malware further. Gigaset officially confirmed that its update server had delivered infected software to clients. Nathan Collier from Malwarebytes speculated in one of his posts that the fraudsters had managed to break into the Gigaset update server in order to distribute trojans. Ultimately, this was confirmed in a report by the company Heise.

The wave of attacks on supply chains is growing

The history of attacks on supply chains did not begin with SolarWinds. Cybercriminal organizations had already used the same method to hack into networks used by governments and international organizations. However, what should concern those responsible for IT security in particular is the growing wave of incidents. In the fourth quarter of 2020 alone, ESET researchers discovered as many attacks on supply chains as had been observed annually in previous years. But it is not only the numbers that worry security specialists; the amount of damage caused by the hackers is also becoming a serious problem. By compromising the security of just one provider or one element of a product, the attacker can obtain unlimited access to broad areas and a significant database of clients. What's more, attacks on supply chains can propagate through many degrees of separation. That is why security specialists can no longer assume they are safe merely because they do not have a contract with a compromised firm.

One significant challenge is detecting incidents, of which SolarWinds is a notable example. The breach was discovered in late 2020, but all the indications are that the first attacks could have taken place in 2019. J. Michael Daniel, CEO of the Cyber Threat Alliance, and former cyber security coordinator in the White House under the Obama administration, is of the opinion that the SolarWinds affair is extremely broad in scope and could potentially be highly damaging to the country’s economic security. Meanwhile, determining the full extent of the incident and the amount of damage it caused will take a long time, and repairing the fallout will cost vast sums of money.

Attacks on supply chains: how to defend yourself against them?

The increasing pace of digitization and automation is making our daily lives and work ever easier. But of course, there is always the opposite effect to consider. Firms that decide to undertake a digital transformation must not forget about security procedures. With the growing involvement of robots and advanced software in production processes, any malicious interference can lead to tragic consequences. A cyber-attack could cause critical infrastructure such as power stations, production facilities, filtering plants and water sources to stop working, which would have a direct effect on the daily lives of hundreds of thousands of people.

In the face of growing attacks on supply chains, firms should have detailed access to information on all their suppliers and the components they supply. It is also worth developing an internal security policy based on principles such as:

  • regular penetration tests,
  • two factor authentication,
  • security software that guarantees multi-layer protection.
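The two points made above, that firms need detailed information on their suppliers and the components they supply, and that an attack can reach an organization through several degrees of separation even without a contract with the compromised firm, can be checked mechanically against a component inventory. The following Python is an added example, not code from the article or from Storware; the inventory, supplier names and component names are constructed and hypothetical.

```python
from collections import deque

# Constructed sample inventory (hypothetical names). Each entry records the
# supplier that ships the component, whether the organization installs it
# directly (i.e. has a contract with that supplier), and the upstream
# components it embeds, as a software bill of materials would list them.
INVENTORY = {
    "monitoring-suite": {"supplier": "VendorA", "deployed": True,  "uses": ["net-agent", "ui-lib"]},
    "net-agent":        {"supplier": "VendorB", "deployed": False, "uses": ["update-client"]},
    "update-client":    {"supplier": "VendorC", "deployed": False, "uses": []},
    "ui-lib":           {"supplier": "VendorD", "deployed": False, "uses": []},
    "backup-tool":      {"supplier": "VendorE", "deployed": True,  "uses": ["crypto-lib"]},
    "crypto-lib":       {"supplier": "VendorF", "deployed": False, "uses": []},
}


def direct_suppliers(inventory):
    """Suppliers the organization actually has a contract with."""
    return {info["supplier"] for info in inventory.values() if info["deployed"]}


def exposure(inventory, compromised_supplier):
    """Map every component that embeds something shipped by the compromised
    supplier to its degree of separation: 0 = shipped by that supplier itself,
    1 = embeds such a component directly, 2 = two hops away, and so on."""
    # Reverse the dependency edges: which components embed each component?
    embedded_by = {name: [] for name in inventory}
    for name, info in inventory.items():
        for dep in info["uses"]:
            embedded_by.setdefault(dep, []).append(name)
    # Breadth-first search from everything the compromised supplier ships,
    # so each component is recorded with its shortest distance.
    queue = deque((name, 0) for name, info in inventory.items()
                  if info["supplier"] == compromised_supplier)
    degrees = {}
    while queue:
        name, hops = queue.popleft()
        if name in degrees:
            continue  # already reached by a shorter path
        degrees[name] = hops
        for parent in embedded_by.get(name, []):
            queue.append((parent, hops + 1))
    return degrees


if __name__ == "__main__":
    # VendorC has no contract with the organization, yet a compromise there
    # reaches the deployed monitoring suite two hops away.
    print("direct suppliers:", sorted(direct_suppliers(INVENTORY)))
    print("exposure to VendorC:", exposure(INVENTORY, "VendorC"))
```

Run against a real inventory, the components returned with a non-zero degree are the ones to check first when a supplier you have never dealt with announces a breach.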

Managers should also understand that legally binding contracts that define who is at fault or make the supplier bear responsibility are not enough to save the firm's reputation. Looking at the problem more broadly, beyond data leakage we should also expect paralysis of the company's operations. Losing access to data, services and applications is another financial loss for the company. Fortunately, in the latter case, data backup can ensure the company's business continuity in the event of a disaster. In many cases, it also enables resources to be restored to the state they were in before the malware infiltrated the data. We wrote about it in our article Ransomware meets Backup – Cyber Attack Detection System.

In the eyes of consumers and public opinion, responsibility always lies with the firm from which users buy a product or service. Experts draw attention to an interesting aspect related to the role of the human factor in preventing attacks. Keen to move with the times, firms are more and more often using artificial intelligence mechanisms to scan software code. However, this approach has certain limitations, as AI is not always able to detect something that is as yet unknown. In the SolarWinds example quoted several times above, the injected code was written so that its sequence looked legitimate. Only manual verification would have been able to test the effect of the code on other computers and establish where the updates originated. If an employee had discovered the anomaly, suitable action could have been taken rapidly. As a result, a hybrid approach should be used, in which automated security tests are accompanied by penetration tests controlled by an employee (pen tests), which together are able to detect the vulnerability and limit the damage to a minimum.

All the indications are that in the coming few years it is not only ransomware that will give IT administrators sleepless nights, but also attacks on supply chains. What is fascinating is that both types of attack are causing havoc in organizations that have advanced knowledge about security and budget resources. This can only be a bad omen for the future. Find out more about how you can protect your business data against ransomware.

Small and medium-sized businesses should also not feel safe, as they too have become a target for well-equipped and highly skilled hackers. And while large corporations can count on support from security specialists, for SMEs this is becoming a growing problem. The outlook for a better tomorrow is also not so bright. According to Infosecurity, 3 million more cybersecurity experts are needed immediately, while next year this number will increase by a further 1.8 million.

text written by:

Pawel Maczka, CTO at Storware