What actually is a supply chain attack?
SolarWinds, NotPetya, Barium, Sandworm – supply chain attacks and the hacker groups that carry them out keep dominating the headlines. But what exactly is behind the term?
Do not open attachments in emails from senders you do not know; do not enter login data into forms on websites that look somehow sketchy; use a password manager; enable two-factor authentication everywhere; and so on. If you follow these points, you already have a very solid basis on which to move around the internet reasonably safely. But what if a network’s software or hardware has been compromised from the ground up?
This particularly perfidious type of hacking is known as a supply chain attack. Malicious code is smuggled into otherwise trustworthy software, or a malicious component into otherwise trustworthy hardware. If hackers manage to take over a vendor’s distribution systems, they can turn every app, every software update and even every piece of physical equipment delivered to customers into a Trojan horse. A single, well-placed intrusion can become the starting point for malware that spreads to hundreds of networks.
Anyone who uses software must have trust
Supply chain attacks are so dangerous partly because they are so difficult to control – and because they brutally reveal how much information technology relies on trust. As software users, we trust the manufacturers of our software; those manufacturers in turn trust the makers of the software they themselves use – in other words, an entire ecosystem.
This was impressively demonstrated by the supply chain attack on a software company called SolarWinds. Russian spies had injected malicious code into its product. The compromised IT management software opened access to over 18,000 networks around the world in which it was used. Russian intelligence took the opportunity to dig deep into the networks of at least sixteen federal agencies and ministries and at least nine US federal agencies, including NASA, the Department of State, the Department of Defense and the Department of Justice.
“Don’t trust any code that you haven’t written yourself”
SolarWinds was not an isolated incident. It was only recently revealed that a developer tool called Codecov had been compromised. At least six supply chain attacks in the past five years have been attributed to a hacker group called Barium. Among the targets: the computer manufacturer Asus and the hard drive cleaning tool CCleaner.
2017 saw the most expensive supply chain attack in history. A group of Russian hackers known as Sandworm, attributed to the military intelligence service GRU, smuggled self-propagating malicious code into the systems of thousands of users via Ukrainian accounting software. NotPetya, the malicious code, caused damage of ten billion US dollars worldwide.
In fact, supply chain attacks were first demonstrated around four decades ago. Ken Thompson, one of the creators of Unix, tested whether a back door could be hidden in the operating system’s login function. He did not stop at malicious code that leaves such a door open: he built a compiler that inserted the back door only while compiling the login program. In a further step, he corrupted the compiler that compiled his backdoored compiler, so that no trace of the manipulation could be found on the user’s side. “The moral of the story? Don’t trust any code that you haven’t written yourself,” he wrote in 1984 in a lecture about his project.
The trick demonstrated by Thompson – a kind of double supply chain attack – has since been used several times. In 2015, hackers distributed a fake version of the Apple developer tool Xcode and thus smuggled malicious code into several Chinese iPhone apps. The method came back into use in 2019 when the Barium group corrupted a version of Microsoft’s Visual Studio compiler and hid malware in a series of video games.
Attacks on the supply chain are on the rise for a number of reasons. Defenses against rudimentary attacks are improving, which forces attackers to switch to less well-protected software. If the actual target of an attack is out of reach, a supply chain attack offers a detour into its network anyway – and potentially into hundreds more at the same time.
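The two-stage trick described above, and the check that exposes it, are easiest to see in a toy. The following is an added illustration written for this page, not code from Thompson’s lecture or from the Wired article: a “program” is a list of text lines, a “binary” is just the transformed text, and the names (`LOGIN_SRC`, `COMPILER_SRC`, `run_compiler`, `diverse_double_compile`) are all constructed. The detection step models David A. Wheeler’s diverse double-compiling, which the page does not mention: rebuild the compiler from its source with an independent second compiler, rebuild it once more with that result, and compare the bytes with what the suspect compiler produces from the same source.

```python
"""Toy model of Thompson's compiler backdoor and of the diverse double-compiling
check that exposes it. Everything here is constructed for illustration: a
"program" is a list of text lines and a "binary" is the transformed text, so
nothing real is compiled or executed."""
from dataclasses import dataclass

# Constructed sample sources. Both are clean; reading them reveals nothing.
LOGIN_SRC = ["def login(user, password):", "    return check(user, password)"]
COMPILER_SRC = ["def compile(source):", "    return emit(source)"]

# The hidden stages that only ever exist inside a trojaned compiler binary,
# never in any source file a user could review.
BACKDOOR_LINE = "    if password == 'toy-backdoor': return True"
TROJAN_STAGES = ["# stage1: patch login", "# stage2: patch self"]


@dataclass(frozen=True)
class Binary:
    text: str               # the "machine code"
    is_compiler: bool       # True when this binary is itself a compiler
    dialect: str            # code-generation style the compiler implements
    trojaned: bool = False  # payload present; a user only ever sees .text


def emit(source, dialect):
    """Deterministic code generation; two vendors produce different bytes."""
    return "\n".join(l.upper() if dialect == "upper" else l.lower() for l in source)


def run_compiler(compiler, source):
    """Simulate running a compiler binary on a source file."""
    assert compiler.is_compiler
    builds_compiler = source == COMPILER_SRC
    # A freshly built compiler implements COMPILER_SRC's own style ("upper"),
    # whatever style was used to encode its bytes.
    out_dialect = "upper" if builds_compiler else compiler.dialect
    if not compiler.trojaned:
        return Binary(emit(source, compiler.dialect), builds_compiler, out_dialect)
    if source == LOGIN_SRC:  # stage 1: recognise login and add the back door
        patched = source[:1] + [BACKDOOR_LINE] + source[1:]
        return Binary(emit(patched, compiler.dialect), False, out_dialect, True)
    if builds_compiler:      # stage 2: recognise itself and re-insert the trojan
        patched = source + TROJAN_STAGES
        return Binary(emit(patched, compiler.dialect), True, out_dialect, True)
    return Binary(emit(source, compiler.dialect), False, out_dialect)


def diverse_double_compile(suspect, trusted, compiler_src):
    """Rebuild the compiler from source with an independent trusted compiler,
    rebuild it again with that result, and compare against what the suspect
    produces from the same source. Equal bytes mean the suspect's output is
    fully explained by the source; a mismatch means it adds something."""
    stage1 = run_compiler(trusted, compiler_src)   # different bytes, same meaning
    stage2 = run_compiler(stage1, compiler_src)    # now canonical bytes
    return stage2.text == run_compiler(suspect, compiler_src).text


def build_world():
    """Constructed compiler binaries: a clean one, a trojaned one, and an
    independent second vendor's compiler used only as the trusted reference."""
    clean = Binary(emit(COMPILER_SRC, "upper"), True, "upper")
    trojan = Binary(emit(COMPILER_SRC + TROJAN_STAGES, "upper"), True, "upper", True)
    trusted = Binary(emit(["# vendor B compiler"], "lower"), True, "lower")
    return clean, trojan, trusted


if __name__ == "__main__":
    clean, trojan, trusted = build_world()
    print("clean login has back door: ", "TOY-BACKDOOR" in run_compiler(clean, LOGIN_SRC).text)
    print("trojan login has back door:", "TOY-BACKDOOR" in run_compiler(trojan, LOGIN_SRC).text)
    rebuilt = run_compiler(trojan, COMPILER_SRC)   # rebuilding from clean source
    print("rebuilt compiler still trojaned:", rebuilt.trojaned)
    print("DDC clean passes: ", diverse_double_compile(clean, trusted, COMPILER_SRC))
    print("DDC trojan passes:", diverse_double_compile(trojan, trusted, COMPILER_SRC))
```

Note that a single rebuild with the second compiler is not enough: its bytes differ from the suspect’s even when both are honest, which is why the second stage exists. The comparison also relies on the build being deterministic, the same property reproducible-build efforts pursue for real toolchains.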
Corrupted hardware is particularly difficult to identify
Preventing supply chain attacks is not going to get any easier in the future – there is no easy way to verify that purchased software or hardware is not corrupted. Hardware supply chain attacks in particular, in which malicious code or harmful components are introduced into hardware, can be very hard to detect. In 2018, a Bloomberg report claimed that tiny spy chips had been built into the Supermicro motherboards in Apple’s and Amazon’s data centers. The NSA and the companies involved denied this vehemently. According to classified documents leaked by Snowden, the NSA has intercepted shipments of Cisco routers and fitted them with a back door – for espionage purposes.
The solution to the problem may be less technical than organizational. Businesses and government agencies need to keep an eye on their software and hardware supply chain, know their suppliers, and ensure that their products meet certain standards. At the beginning of May 2021, the Biden administration issued an executive order requiring software used in government agencies to meet certain security standards. In the EU, the European Parliament, the European Council and the European Commission agreed on a legal act on cybersecurity as early as 2018; it provides for cybersecurity certification of products, processes and services. Thompson’s motto “Don’t trust any software that you haven’t written yourself” was already impracticable in 1984 – trusting software that meets certain standards is then at least the next best thing.
via www.wired.com