Russian hack of US agencies exposed weaknesses in the supply chain

WASHINGTON (AP) – The elite Russian hackers who gained access to federal agency computer systems last year didn’t bother breaking into each department’s networks one by one.

Instead, they entered by sneaking malicious code into a software update that was pushed to thousands of government agencies and private companies.

Not surprisingly, the hackers were able to exploit weaknesses in what is known as the supply chain to launch a massive intelligence-gathering operation. For years, US officials and cybersecurity experts have been sounding the alarm about a problem that has wreaked havoc, including billions of dollars in financial losses, but has defied easy government and private sector solutions.

“We will have to wrap our arms around the supply chain threat and find the solution, not only for us here in America as the world’s leading economy, but also for the planet,” William Evanina, who stepped down last week as the US government’s counterintelligence chief, said in an interview. “We will have to find a way to ensure that we can adopt a risk-free stance in the future and trust our suppliers.”

In general terms, a supply chain refers to the network of people and businesses involved in the development of a particular product, not unlike a housing project that relies on a contractor and a web of subcontractors. The sheer number of steps in that process, from design to manufacturing to distribution, and the various entities involved give a hacker seeking infiltration into companies, agencies and infrastructure countless points of entry.

This can mean that no single company or executive has sole responsibility for protecting an entire industry’s supply chain. And even if most of the suppliers in the chain are secure, a single vulnerability could be all foreign government hackers need. By analogy, homeowners who build a fort-like mansion can nevertheless fall victim to an alarm system that was compromised before it was installed.

The most recent attack on federal agencies involved Russian government hackers suspected of sneaking malicious code into popular software that manages corporate and government computer networks. That product was made by a Texas-based company called SolarWinds that has thousands of federal government and private sector customers.

That malware gave hackers remote access to the networks of multiple agencies. Among those known to be affected are the Commerce, Finance and Justice Departments.

For hackers, targeting a supply chain directly makes sense as a business model.

“If you want to break 30 companies on Wall Street, why would you break 30 companies on Wall Street (individually) when you can go to the server – the warehouse, the cloud – where all those companies keep their data? It’s just smarter, more effective and more efficient to do that,” said Evanina.

While President Donald Trump showed little personal interest in cybersecurity (he even fired the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack was revealed), President Joe Biden has said he will make it a priority and impose costs on adversaries who carry out attacks.

Supply chain protection is likely to be an important part of those efforts, and clearly there is work to be done. A Government Accountability Office report in December said that a review of 23 agencies’ protocols for assessing and managing supply chain risk found that only a few had implemented each of the seven “fundamental practices” and 14 had not implemented any.

US officials say the responsibility cannot rest with the government alone and that coordination with private industry is needed.

The government has nonetheless tried to take action, including through executive orders and regulations. A provision of the National Defense Authorization Act prohibited federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s formal counterintelligence strategy made reducing threats to the supply chain one of its five core pillars.

Perhaps the best-known supply chain breach before SolarWinds is the NotPetya attack, in which malicious code planted by Russian military hackers was unleashed through an automatic update of Ukrainian tax reporting software called MeDoc. That malware spread to MeDoc’s customers, and the attack caused more than $10 billion in damage worldwide.

In September, the Justice Department charged five Chinese hackers it said had compromised software vendors and then modified the vendors’ source code to enable further hacks of their customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.

“Anyone surprised by SolarWinds has not paid attention,” said Representative Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, a bipartisan group that published a white paper calling for supply chain protection through better intelligence and information sharing.

Part of the appeal of a supply chain attack is that it is “low-hanging fruit,” said Brandon Valeriano, a cybersecurity expert at Marine Corps University. As a senior advisor to the Solarium Commission, he says it’s not really known how far these networks extend and that supply chain failures are not uncommon.

“The problem is we don’t really know what we’re eating,” Valeriano said. “And sometimes it comes up later that we are choking on something – and often we are choking on things.”

___

Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP
