A second SolarWinds hack deepens third-party software fears

It has been more than two months since revelations that suspected Russian-backed hackers broke into the IT management firm SolarWinds and used that access to launch a massive software supply chain attack. It now appears that Russia was not alone: Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products at about the same time last year, apparently hitting the U.S. Department of Agriculture's National Finance Center.

SolarWinds patched the vulnerability the alleged Chinese hackers exploited in December. But the revelation highlights the seemingly impossible task facing organizations, which must deal not only with their own security issues but also with the possible exposure of the countless third-party companies they rely on for services ranging from IT management to data storage to office chat. In today's interconnected landscape, you are only as strong as your weakest vendor.

"It's unrealistic not to be dependent on third parties," said Katie Nickels, director of intelligence at the security firm Red Canary. "It's just not realistic for any network that's operating. But what we saw the first week or two even after the first revelations of SolarWinds was that some organizations were just trying to figure out if they were even using SolarWinds products. So I think the shift should be to know the dependency and understand how it should be with each other and not."

SolarWinds emphasizes that, unlike the Russian hackers, who used their access to SolarWinds itself to infiltrate targets, the Chinese hackers only exploited the vulnerability after breaking into a network by some other means. They used the flaw to get deeper in. "We are aware of one case of this incident and there is no reason to believe that these attackers were in the SolarWinds environment at any time," the company said in a statement. "This is in addition to the broad and sophisticated attack that has been targeted at various software companies as vectors." The USDA did not respond to a request for comment.

Ubiquitous software like Microsoft Windows, or until recently Adobe Flash, is a popular target for a wide range of hackers. As a company more than two decades old with a large customer base, including a large number of government contracts in the United States and abroad, SolarWinds makes sense as a target. But SolarWinds is also just one of a multitude of enterprise tools and IT management services that companies run constantly and side by side. Each represents a potential route in for attackers.

"I have hundreds of different vendors we use, from Microsoft, Box, Zoom, Slack, and so on. It only takes one," said Marcin Kleczynski, chief executive of the antivirus maker Malwarebytes, who announced in January that his company was a victim of the alleged Russian intrusion. "It's a Catch-22. Trust one supplier and you will be mad if he is touched. Rely on a multitude and all that is needed is one. Rely on the big brands and deal with the consequences that they are the most targeted. Rely on the small brands and deal with the consequences that they are not yet investing in security."

Malwarebytes illustrates the tension in another important way: the Russian hackers who compromised it got in by a method other than SolarWinds. Brandon Wales, acting director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal in January that the hackers "gained access to their targets in various ways." You can defend your treasure by hiding it in a castle on a mountain surrounded by a great wall and a moat filled with crocodiles, or you can spread it around the world in strong but inconspicuous safes. Both approaches carry their own set of risks.
