The Winds of Peril

Software supply chain attacks set alarm bells ringing worldwide

On December 13, Reuters reported a massive state-sponsored hack of US government institutions, including the Pentagon, and hundreds of Fortune 500 companies. The attack – allegedly the work of Cozy Bear, the hacking arm of the Russian foreign intelligence service SVR – is on a different level of seriousness on the global cyberthreat scale.

The extremely sophisticated stealth tactics of this attack, known as a Software Supply Chain Attack, make it impossible to detect for months at a time. This has sent governments and companies across the world scrambling to erect new and more robust cyber defences, which has become imperative as most enterprises have been digitally transformed in the remote-everything economy ushered in by the pandemic.

White House national security adviser Robert O’Brien cut short a multi-country trip to Europe and returned to the US to address the suspected Russian hack of government agencies, signalling mounting alarm within the Trump administration about a lethal cyber espionage campaign considered potentially one of the most damaging in years.

A global impact

FireEye, a US cybersecurity firm, said it had confirmed infections in North America, Europe, Asia and the Middle East – including in the health care and oil and gas industry – and had been informing affected customers around the world in the past few days. Its customers include federal, state and local governments, as well as top global corporations.

In fact, it was FireEye which first flagged this latest attack. When FireEye discovered that it had been hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how the attackers got past its defences. They quickly found out that it wasn’t just FireEye that had been attacked, and the breach was unmistakable. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp. They looked through 50,000 lines of code to identify the backdoor entry point in the SolarWinds software.

Further investigation revealed that the hack in itself was part of a global campaign by a highly sophisticated attacker that also targeted “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” the company said in a blog.

What is a Software Supply Chain Attack?

The term describes a strategy that cybercriminals use to attack companies. Instead of attacking them directly, hackers compromise the third-party software used by those businesses. This is done before the software reaches the companies’ doors, so the hackers do not have to worry about breaking into the companies’ networks and being detected. Once the compromised software arrives, the hackers use it to initiate other types of malicious activity. For example, the NotPetya malware that paralysed corporate networks worldwide in 2017 was initiated by a successful software supply chain attack.

Russia targets government; China steals corporate secrets

According to the US think tank the Atlantic Council, for Russia these attacks have meant access to foreign critical infrastructure, while for China they have facilitated a massive and multifaceted espionage effort. Chinese software supply chain attacks are aimed more at corporate entities; eight attacks had companies and their dependent users as downstream targets. Given that all the Chinese attacks resulted (or could have resulted) in data extraction, this is consistent with continuing US concerns about Chinese intellectual property theft and economic espionage. The 2020 GoldenSpy malware notably targeted a multinational tech vendor servicing Western defence sectors: while operating in China, the vendor was required to install tax-payment software embedded with sophisticated malware.

The Sophistication of Software Supply Chain Attacks

The stealth techniques the hackers employed mean that it could take months to identify all their victims and remove whatever spyware they installed. To carry out the breach, the hackers first broke into the systems of SolarWinds, an American software company. There, they inserted a backdoor into Orion, one of the company’s products, which organisations use to view and manage vast internal networks of computers.

For several weeks beginning in March, any client that updated to the latest version of Orion – digitally signed by SolarWinds, and therefore seemingly legitimate – unwittingly downloaded the compromised software, offering the hackers a way into their systems in the process. SolarWinds has around 300,000 customers around the world, including most of the Fortune 500 companies and many governments. In a new filing with the Securities and Exchange Commission, the firm said “fewer than” 18,000 organizations ever downloaded the compromised update.

Lurking silently, stealthily, sneaking, stealing slowly

According to a recent MIT report, the hackers were extremely clever and strategic. Even once they had gained access through the back door in Orion, known as Sunburst, they moved slowly and deliberately. Instead of infiltrating many systems at once, which could easily have raised suspicions, they focused on a small set of selected targets, as reported by the security firm FireEye.

Sunburst stayed quiet for up to two full weeks before it woke up and began communicating with the hackers, according to the report. The malware disguises its network traffic as the “Orion Improvement Program” and stores data inside legitimate files in order to better blend in. It also searches for security and antivirus tools on the infected machine in order to avoid them.

To further cover their traces, the hackers were careful to use a given computer or network to communicate with the back door at a particular target only once – the equivalent of using a burner phone for an illicit conversation. They made limited use of malware because it is relatively easy to spot; instead, once they had initial access through the back door, they tended to opt for the quieter route of using real stolen credentials to gain remote access to a victim’s machines. And the malware they did deploy does not reuse code, which made the espionage harder to catch because security programs hunt for code that has shown up in previous hacks.

Cyber Security a major challenge

A Frost & Sullivan survey of 1,636 IT decision-makers found that 33% of respondents considered cyber security a critical challenge in their digital transformation initiatives. Of the security issues most concerning to IT decision-makers, malware remains the number one concern, followed by security misconfiguration. The widespread move to remote work owing to the COVID-19 pandemic has further accelerated digitalization initiatives. Security teams are now required to adapt their security infrastructure, strategies and policies to suit remote working environments and ensure business continuity.

An evolving threat like none before

The SolarWinds threat seems to be rapidly unfolding, and the world is not sure what further horror lies in store. Speaking to the media about the episode, Microsoft president Brad Smith warned that the damage is “ongoing,” and described the episode as “an attack that is remarkable for its scope, sophistication and impact….not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.” He said that it “represents an act of recklessness that created a serious technological vulnerability for the United States and the world.” He went on to emphasize that this hack is “a moment of reckoning” and clearly stated that “the weeks ahead will provide mounting and we believe indisputable evidence about the source of these recent attacks.”

The Microsoft map showing areas affected by the SolarWinds Orion malware.

Image courtesy: Microsoft

Microsoft considers the incident a matter of grave concern and has published a map outlining the extent of the attack. The map used telemetry data from Microsoft’s Defender antivirus software to show customers who had installed versions of the Orion software that contained the malware. Approximately 80% of the victims are US-based, but incidents have also occurred in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.

It looks like the world is staring a fresh pandemic in the face – although of a very different kind! The situation is extremely volatile, and new updates and alerts are expected at any moment. We will keep you posted.