Cybersecurity truisms have long been described in simple terms of trust: Avoid email attachments from unfamiliar sources, and do not hand over your credentials to a fraudulent website. But more importantly, sophisticated hackers undermine that core trust and raise a paranoia-inducing question: What if the legitimate hardware and software that make up your network have been compromised at the source?
That subtle and increasingly common form of hacking is known as a “supply chain attack,” a method in which an adversary slips malicious code or even a malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application it sells, any software update it pushes, even the physical equipment it ships to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard into the networks of a supplier’s customers, sometimes reaching hundreds or even thousands of victims.
“Supply chain attacks are scary because they’re really hard to negotiate, and because they make it clear that you rely on the whole ecology,” said Nick Weaver, a security researcher at the International Computer Science Institute at UC Berkeley. “You trust every vendor whose code is on your machine, and you rely on every seller.”
The severity of the supply chain threat was demonstrated on a massive scale in December, when it was revealed that Russian hackers, who were later identified as working for the country’s foreign intelligence service, known as the SVR, had hacked the software firm SolarWinds and planted malicious code in its IT management tool Orion, giving them access to as many as 18,000 networks that used that application worldwide. The SVR used that foothold to compromise the networks of at least nine federal agencies in the United States, including NASA, the State Department, the Department of Defense, and the Department of Justice.
But as shocking as that spy operation was, SolarWinds was not unique. Serious supply chain attacks have hit companies around the world for many years, both before and after Russia’s bold campaign. Just last month, it was revealed that hackers had compromised a software development tool sold by a company called CodeCov, giving them access to hundreds of victims’ networks. A Chinese hacking group known as Barium has carried out at least six supply chain attacks over the past five years, hiding malicious code in the software of computer maker Asus and in the hard-drive cleaning application CCleaner. In 2017, the Russian hackers known as Sandworm, part of the country’s GRU military intelligence service, hijacked the updates of the Ukrainian accounting software MEDoc and used them to push out self-spreading, destructive code known as NotPetya, which ultimately caused $10 billion in damage worldwide, the most expensive cyberattack in history.
In fact, supply chain attacks first appeared about four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix’s login function. Thompson didn’t just plant a piece of malicious code that gave him the ability to log into any system. He built a compiler (a tool that turns source code into a machine-readable, executable program) that secretly placed the backdoor in the function when it was compiled. Then he went one step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler would not show any obvious signs of tampering. “The moral is obvious,” Thompson wrote in a lecture explaining his demonstration in 1984. “You can’t trust code that you haven’t completely created yourself. (Especially code from companies that employ people like me.)”