
What is a Supply Chain Attack?

Cybersecurity truisms have long been described in simple terms of trust: Beware of email attachments from unknown sources, and don't give credentials to a fraudulent website. But increasingly, sophisticated hackers are undermining this basic sense of trust and raising a paranoia-inducing question: What if the legitimate hardware and software that make up your network is compromised at the source?

This increasingly common and malicious form of hacking is called a “supply chain attack,” a technique in which an adversary slips malicious code or a malicious component into a trusted piece of software or hardware. By compromising a single vendor, spies or saboteurs can hijack its distribution systems to turn any application it sells, any software update it pushes out, and even the physical equipment it ships to customers into Trojan horses. With one well-placed intrusion, they can create a starting point into the networks of a provider’s customers, sometimes hundreds or even thousands of victims.

“Supply chain attacks are scary because they are very difficult to deal with and they make it clear that you trust the whole ecology,” says Nick Weaver, a security researcher at UC Berkeley’s International Institute of Informatics. “You trust every vendor who has the code on your machine, and you trust the seller of all vendors.”

The severity of the supply chain threat was demonstrated on a massive scale last December, when it was revealed that Russian hackers, later identified as working for the country’s foreign intelligence service, known as the SVR, had hacked the software company SolarWinds and planted malicious code in its Orion IT management tool, allowing access to 18,000 networks around the world that used the application. The SVR used that foothold to delve into the networks of at least nine U.S. federal agencies, including NASA, the Department of State, the Department of Defense, and the Department of Justice.

But as striking as that spy operation was, SolarWinds wasn’t the only one. Serious supply chain attacks have hit companies around the world for years, both before and after Russia’s daring campaign. Just last month, it was revealed that hackers had compromised a software development tool sold by a company called CodeCov, which gave the hackers access to hundreds of victim networks. A Chinese hacking team known as Barium carried out at least six supply chain attacks over the past five years, hiding malicious code in the software of computer maker Asus and in the hard drive cleaning app CCleaner. In 2017, the Russian hackers known as Sandworm, part of the country’s GRU military intelligence service, hijacked the software updates of the Ukrainian accounting software MEDoc and used them to push out the destructive, self-propagating code known as NotPetya, which eventually caused $10,000 billion in damage worldwide, the most expensive cyberattack in history.

In fact, supply chain attacks were first demonstrated about four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in the Unix login function. Thompson didn’t just plant malicious code that gave him the ability to access a system. He built a compiler, a tool for converting readable source code into a machine-readable executable program, that secretly inserted the backdoor into the function when it was compiled. He then went one step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler would show no significant signs of manipulation. “Morality is obvious,” Thompson wrote in a 1984 speech explaining the demonstration. “You can’t trust code you didn’t completely create yourself (especially code for companies that employ people like me).”
