A second SolarWinds hack deepens fears about third-party software

It has been more than two months since revelations that alleged Russian-backed hackers broke into IT management company SolarWinds and used that access to launch a massive attack on the software supply chain. Now it turns out that Russia was not alone; Reuters reports that suspected Chinese hackers independently exploited another flaw in SolarWinds products around the same time last year, apparently hitting the U.S. Department of Agriculture’s National Finance Center.

SolarWinds repaired the vulnerability that the alleged Chinese hackers exploited in December. But the disclosure underscores the seemingly impossible task organizations face in dealing with not just their own security vulnerabilities, but also the potential exposure of the myriad third-party companies they partner with for services ranging from IT management to data storage to office chat. In today’s interconnected landscape, you are only as strong as your weakest supplier.

“It is unrealistic not to be dependent on third parties,” said Katie Nickels, intelligence director at the Red Canary security company. “It’s just not realistic how a network is managed. But what we saw for the first two weeks, even after the initial SolarWinds disclosures, was some organizations just trying to find out if they even use SolarWinds products. So I think the shift has to be to know those dependencies and how they should and shouldn’t work together.”

SolarWinds emphasizes that unlike the Russian hackers, who used their access to SolarWinds to infiltrate targets, the Chinese hackers only exploited the vulnerability after breaking into a network in some other way. Then they used the flaw to dig deeper. “We are aware of one instance of this happening and there is no reason to believe that these attackers were ever in the SolarWinds environment,” the company said in a statement. “This is separate from the broad and sophisticated attack that had targeted multiple software companies as vectors.” The USDA did not return a request for comment.

The ubiquity of software such as Microsoft Windows or, until recently, Adobe Flash, makes it a popular target for a wide variety of hackers. As a company that is over twenty years old and has a large customer base – including a large number of government contracts in the United States and abroad – SolarWinds is a natural target for hackers. But SolarWinds is also just one of many business tools and IT management services that businesses must run constantly and simultaneously. Each represents a potential entry point for attackers.

“I have hundreds of different vendors that we use, from Microsoft to Box, Zoom, Slack and so on. It only takes one,” said Marcin Kleczynski, CEO of antivirus maker Malwarebytes, which announced in January that it had been a victim of the suspected Russian hacking attempt. “It’s a Catch-22. Rely on one supplier and you will be screwed if they get hit. Rely on several and only one is needed. Rely on the big brands and deal with the consequences they are most focused on. Trust the small brands and deal with the consequences of not investing in security yet.”

Malwarebytes illustrates that tension in another important way; the Russian hackers who compromised it entered through a different method from SolarWinds. Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal in January that the hackers “gained access to their targets in various ways.” You can defend your treasure by hiding it in a castle on a mountain, surrounded by a great wall and a crocodile-filled moat, or you can spread it around the world in strong but unobtrusive lockboxes. Both approaches raise their own risks.
