Supply Chain Attacks: The Gift That Keeps on Giving


Almost annually, a supply chain attack catches the media cycle and is propelled to the forefront of conversations in SOCs and board rooms. The SolarWinds intrusion was the defining moment for 2020 supply chain compromises. However, this is just one of many supply chain intrusions from the last few years. The advantage of this type of hack is that it has a one-to-many relationship. If a hacker can successfully pull off a single intrusion into a part of the supply chain, they can gain trusted access to the entire customer base. This tactic is one of the favorites of nation states because it is often one of the easiest ways to get access to hard targets, and if done correctly, it provides sustained access and a significant return on investment for the initial effort of the intrusion.

Supply chain attack definition

A supply chain intrusion is a specific type of third-party compromise. It involves someone implanting something malicious, whether that be code, hardware, or a substituted durable good, into the manufacturing chain of a single product. The purpose of this intrusion is to leverage existing trust to compromise the end users of the product.

Supply chain attack model

This style of intrusion is highly valuable to hackers because it allows them to:

  1. Access otherwise hard targets;
  2. Gain a significant number of potential victims out of a single operation; and
  3. Reduce the likelihood of detection for follow-on operations.

Who conducts supply chain attacks?

Supply chain attacks are very powerful when executed correctly. This leads most nation states to devote significant resources to this category of intrusion. The ability to leverage existing trust to bypass hardened defensive systems also makes this type of intrusion more appealing for governments, as it provides a way into military and civilian government systems that are harder to compromise with a direct hacking attempt. The vast majority of reported supply chain intrusions are linked to either the Russian or Chinese government. A sample list of notable supply chain attacks is below:

  • SolarWinds | 2020: Network Management – Russia
  • Able Desktop | 2020: HR Platform – China
  • Baiwang | 2019: Tax Software – China
  • Asus | 2019: Auto Update – China
  • CCleaner | 2017, 2019: Network Security – China
  • NetSarang | 2017: Remote Management Tool – China
  • MeDoc | 2017: Tax Software – Russia

This list of notable supply chain compromises highlights two things. First, supply chain attacks are not rare. Nation states in particular are conducting these operations as a routine course of business. The dates associated with each intrusion are dates of discovery, not initial breach. Second, the best targets are ones that either have a legal requirement for use, which assures widespread access in a given location, or have specific, trusted software update functionality.

Why are supply chain attacks often the domain of nation states?

The inherent advantage of this type of intrusion is the discriminating nature of the follow-on victims. The work of identifying the right company in which to start the supply chain attack often begins with deciding who the final victim should be. Then it is a matter of significant OSINT work to find all the trusted relationships that exist. Finally, a reconnaissance process takes place to determine which of those creates the best skeleton key for the desired target's network.

Most cybercriminals don't need to, nor are they willing to, put that type of target selection and reconnaissance into their operations. Just like in the legitimate business world, time is money, and criminal groups get a significantly greater return on their investment by:

  • Scanning for exploitable infrastructure, i.e. vulnerable services or web-based logins that can be sprayed with credentials;
  • Phishing campaigns; or
  • Third-party compromises through existing vulnerabilities.

Fundamentally, supply chain attacks take too long for those who are looking to monetize their activity to the greatest extent. They only pay off if the threat actor is seeking a specific set of victims that have significant defensive capabilities. 

What does the future hold?

Supply chain attacks are likely to continue. The community's focus and awareness of them will continue to ebb and flow, but the adversary will continue to leverage this intrusion chain to gain access to high-value targets. Simply stated, this is too valuable a resource for nation states to move away from.

If we see any change, it is likely that we will see an increase in these types of intrusions going forward. As more companies are adopting the work-from-anywhere model and relying on SaaS offerings to manage their business, the supply chain becomes inherently more trusted. The fragmentation of the technology stack within companies creates resilience, but it also creates dependencies and requires a level of trust in how the systems are operated and maintained as corporations no longer “own” the technology they are relying on. This model creates more opportunities for supply chain attacks and incentivizes nation states to double down on perfecting these types of operations. 

Defenders and those who manage corporate risk must focus on where trust is being granted and what damage could result if that trust is abused. To steal a Cold War aphorism, we need to shift to a model of trust, but verify. If we can focus on building safeguards around our most trusted assets, it will provide the redundancy we need to mitigate, if not prevent, the damage when our supply chains go rogue.
