Let’s not mince words: supply chain vulnerabilities are one of today’s most pernicious IT security challenges. They’re a threat to organizations across all sectors and they must be addressed. Though certainly not the first major supply chain compromise, the recent propagation of malware via SolarWinds Orion update servers has been a wake-up call on the issue. The incident spurred the creation of a dedicated taskforce from multiple federal agencies charged with investigating and responding to the specific attack. It will also likely supercharge the recent push to shore up supply chains for federal IT systems, including the efforts of the Federal Acquisition Security Council (FASC), a body established in September 2020 to spearhead such work.
Trends in Supply Chain Attacks
It may be months or years before a complete view of the impacts of the SolarWinds supply chain compromise emerges, but one takeaway is clear: Supply chain attacks remain an extremely effective strategy for threat actors of all stripes. Looking at SolarWinds and other recent supply chain attacks, Booz Allen’s cyber analysts have compiled the following insights regarding the objectives, strategies, and tactics of supply chain attackers, and some approaches that cybersecurity teams can use to counter them.
Scope of Compromise May Vary by Actor
A notable aspect of the SolarWinds breach is that while up to 18,000 customers may have installed the trojanized software, only approximately 250 victims have been targeted with follow-on intrusions, according to recent estimates.
This narrow-scoped targeting of select victims has been observed in other supply chain attacks. In June 2018, for example, Operation ShadowHammer used a trojanized ASUS Live Updater file to target users en masse, but used malware that only targeted machines specified in a hardcoded list of 600 unique MAC addresses. Attacks like these—attributed to likely nation-state-sponsored cyberespionage groups—depart significantly from criminal operations.
A 2019 campaign by the MageCart cybercriminal group, for instance, used misconfigured hosting services to distribute malware to more than 17,000 domains. In December 2019. the REvil ransomware operators leveraged a compromised IT service provider to encrypt the systems of more than a hundred dental offices.
When investigating—or defending against—a supply chain attack, determining the objectives of the attackers is critical. A stealthy, precisely targeted approach may suggest cyberespionage, whereas a "spray and pray" approach may point to cybercriminals looking to maximize profit.
Attacks May Be Regional, Impacts May Be Global
From a threat actor’s point of view, one of the benefits of supply chain attacks is that specific software developers can be targeted to reach a specific subset of victims. Certain applications—such as financial software designed for country-specific tax codes—are likely to have a limited, regional userbase. Threat actors have repeatedly capitalized on this.
In June 2020, researchers discovered a malware dubbed “Goldenspy” that was embedded within the installer for tax software used for a multinational bank’s China operations. Likewise the globally impactful NotPetya data-destruction attack—which incurred billions of dollars in damages to some organizations—was delivered via an update for a Ukrainian accounting software. Organizations with global operations should be cognizant of the region-specific threats they face, and wary of exposing their broader operations to risk through the use of haphazardly secured region-specific software.
Hardware, Software, and Third-Party Service Providers
The examples above focus on supply chain attacks launched through trojanized software or compromised hosting providers, but hardware supply chain attacks offer threat actors another viable angle of assault. Public details on specific risks or incidents are limited, but U.S. government organizations have cited cybersecurity concerns in banning the use of a broad range of hardware devices, from commercial-off-the-shelf drones to networking equipment. Proactively defending against supply chain attacks means taking this risk into consideration.
Indirect Supply Chain Attacks
Another practice commonly employed by supply chain attackers is to access a technology vendor’s data, and then use that data to inform or enable separate follow-on attacks against the technology vendor’s clients.
Real-life examples of these types of attacks include theft of seed keys to enable bypass of multi-factor authentication (MFA) devices, theft of legitimate code signing certificates to sign malware used in later attacks, or theft of source-code that could enable expedited vulnerability discovery. Such indirect supply chain attacks underscore the need for organizations to assess the risks presented by potential breaches of any and all of their vendors.
Though the scope of supply chain threats may vary widely, we recommend that organizations consider the following points when developing their supply chain security strategy:
- Know Your Assets: As with most other security processes, the starting point for defending against supply chain compromise is maintaining full awareness of the hardware and software deployed in your enterprise environment. As noted above, hardware and software used within the entirety of an enterprise may vary significantly by region and facility (e.g., corporate headquarter versus regional offices versus manufacturing production sites).
- Vet Your Vendors: When selecting technologies and services, organizations should ensure that due diligence checks are carried out against third-party vendors. This also applies to managed service providers, hosting providers, and any partner organizations with access to the enterprise environment. At a minimum, due diligence review for your partner organizations should ensure that they're leveraging security controls that provide a baseline comparable to your own security posture. Following the initial review, monitoring for breaches or attacks against partners and vendors should continue.
- Zero Trust: The potential impacts of supply chain attacks can be significantly reduced by adopting a zero-trust enterprise architecture. This strategy entails robust security controls over assets and personnel both inside and outside the enterprise, including network segmentation, granular user access controls, and other measures to limit opportunities for lateral movement.
- Defense in Depth: A defense-in-depth strategy, with multiple layers of overlapping security controls, can also limit the potential impacts of a supply chain compromise. As in the case of the recent SolarWinds incident, supply chain attacks may provide an initial foothold, but the most damaging activities are almost certainly going to entail the delivery and use of additional tools. These kinds of follow-on actions should be detectable, and they represent good opportunities to uncover or stifle adversary efforts. Security orchestration tools and robust endpoint and network security controls can go a long way toward halting an intrusion early, before the attackers have had a chance to accomplish their primary objectives.