Cybersecurity truisms have long been described in simple terms of trust: beware of attachments from unknown sources, and don't hand over credentials to a fraudulent website. But increasingly sophisticated hackers are undermining this fundamental sense of trust and raising a question that sparks paranoia: What if the legitimate hardware and software that make up your network have been compromised at the source?
This insidious and increasingly common form of hacking is known as a “supply chain attack”, a technique in which an adversary slips malicious code or even a malicious component into trusted software or hardware. By compromising a single vendor, spies or saboteurs can hijack its distribution systems to turn any application it sells, any software update it releases, even the physical equipment it ships to customers, into Trojan horses. With just one well-placed intrusion, they can create a stepping stone into the networks of a supplier’s customers, sometimes claiming hundreds or even thousands of victims.
“Supply chain attacks are scary because they are really hard to deal with and because they make it clear that you trust a whole ecology,” says Nick Weaver, security researcher at the International Computer Science Institute at UC Berkeley. “You trust every supplier whose code is on your machine, and you trust the supplier of each supplier.”
The seriousness of the supply chain threat was demonstrated on a large scale last December, when it was revealed that Russian hackers, later identified as working for the country’s foreign intelligence service, known as the SVR, had hacked software company SolarWinds and planted malicious code in its Orion IT management tool, providing access to no fewer than 18,000 networks around the world that used the application. The SVR used this foothold to dig deep into the networks of at least nine US federal agencies, including NASA, the State Department, the Department of Defense and the Department of Justice.
But as shocking as this spy operation was, SolarWinds was not unique. Serious supply chain attacks have hit businesses around the world for years, before and since Russia’s daring campaign. Last month it was revealed that hackers had compromised a software development tool sold by a company called CodeCov, which gave them access to hundreds of victim networks. A Chinese hacking group known as Barium has carried out at least six supply chain attacks over the past five years, hiding malicious code in the software of computer manufacturer Asus and in the CCleaner hard drive cleaning application. In 2017, the Russian hackers known as Sandworm, part of the country’s military intelligence service, the GRU, hijacked software updates for the Ukrainian accounting software MEDoc and used them to push out self-propagating, destructive code known as NotPetya, which ultimately inflicted $10 billion in damage worldwide, the costliest cyberattack in history.
In fact, supply chain attacks were first demonstrated about four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in the Unix login function. Thompson didn’t merely plant a piece of malicious code that allowed him to log into any system. He built a compiler – a tool for turning readable source code into a machine-readable executable program – that secretly inserted the backdoor into the function when it was compiled. Then he went further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler showed no obvious signs of tampering. “The moral is obvious,” Thompson wrote in a lecture explaining his demonstration in 1984. “You can’t trust code that you haven’t totally created yourself. (Especially code from companies that employ people like me.)”
This theoretical trick – a kind of double attack on the supply chain that corrupts not only widely used software, but the tools used to create it – has since become a reality. In 2015, hackers distributed a fake version of Xcode, a tool used to create iOS apps, which secretly planted malicious code in dozens of Chinese iPhone apps. And the technique reappeared in 2019, when the Chinese Barium hackers corrupted a version of the Microsoft Visual Studio compiler, allowing them to hide malware in multiple video games.
The increase in supply chain attacks, according to Berkeley’s Weaver, may be due in part to improved defenses against more rudimentary assaults. Hackers have had to search for less easily protected entry points. Supply chain attacks also offer economies of scale: hack into a software vendor and you gain access to hundreds of networks. “Part of it is that you want value for your money, and part of it is just that supply chain attacks are indirect. Your actual targets are not the ones you are attacking,” says Weaver. “If your actual targets are difficult, this might be the weakest point for you to hit them.”
Preventing future supply chain attacks will not be easy; there is no simple way for businesses to ensure that the software and hardware they buy have not been corrupted. Hardware supply chain attacks, in which an adversary physically places malicious code or components inside a piece of equipment, can be particularly difficult to detect. While an explosive Bloomberg report in 2018 claimed that tiny spy chips had been hidden inside SuperMicro motherboards used in Amazon and Apple data center servers, all of the companies involved vehemently denied the story, as did the NSA. But Edward Snowden’s classified leaks revealed that the NSA itself has hijacked shipments of Cisco routers and tampered with them for its own espionage purposes.
The solution to supply chain attacks, both on software and hardware, may not be so much technological as organizational, argues Beau Woods, senior advisor to the Cybersecurity and Infrastructure Security Agency. Businesses and government agencies need to know who their software and hardware vendors are, monitor them, and hold them to certain standards. He compares this change to the way companies like Toyota seek to control and limit their supply chains to ensure reliability. The same must now be done for cybersecurity. “They’re looking to streamline the supply chain: fewer suppliers and better quality parts from those suppliers,” says Woods. “Software development and IT operations have, in some ways, relearned these supply chain principles.”
The Biden White House’s cybersecurity executive order, published earlier this month, may help. It sets new minimum security standards for any business that wants to sell software to federal agencies. But the same controls are just as necessary across the private sector. And private companies, just as much as federal agencies, shouldn’t expect the epidemic of supply chain compromises to end anytime soon, Woods says.
Ken Thompson might have been right in 1984 when he wrote that you can’t completely trust code you haven’t written yourself. But trusting code from providers you trust – and have verified – may be the best thing to do.
This story first appeared on wired.com.