WASHINGTON (AP) – The elite Russian hackers who last year gained access to the computer systems of federal agencies did not bother to break into the networks of each department one by one.
Instead, they got in by slipping malicious code into a software update sent to thousands of government agencies and private companies.
It was not surprising that hackers could exploit vulnerabilities in the so-called supply chain to launch a massive intelligence-gathering operation. U.S. officials and cybersecurity experts have been sounding the alarm for years about a devastating problem, one that includes billions of dollars in financial losses, but it has defied easy solutions from government and the private sector.
“We will have to wrap our arms around the threat of the supply chain and find the solution, not only for us here in America as the leading economy in the world, but also for the planet,” William Evanina, who resigned last week as the U.S. government’s chief counterintelligence official, said in an interview. “We need to find a way to make sure we can have a zero-risk attitude in the future and trust our suppliers.”
In general, a supply chain refers to the network of people and businesses involved in the development of a specific product, not unlike a home project that relies on a contractor and a web of subcontractors. The large number of steps in the process, from design to manufacturing to distribution, and the various entities involved provide multiple openings for a hacker who wants to infiltrate businesses, agencies and infrastructure.
This can mean that no single company or executive has sole responsibility for protecting an entire industry. And even if most vendors in the chain are secure, a single vulnerability can be all that foreign hackers need. In practical terms, homeowners who build a mansion like a fortress can still fall victim through an alarm system that was compromised before it was installed.
The most recent case targeting federal agencies involved Russian hackers who allegedly sneaked malicious code into popular software that monitors the computer networks of businesses and governments. The product is made by a Texas company called SolarWinds that has thousands of customers in the federal government and the private sector.
With the malware, the hackers gained remote access to the networks of various agencies. Among those known to have been affected are the Departments of Commerce, Treasury and Justice.
For hackers, the business model of targeting a supply chain makes sense.
“If you want to infringe on 30 companies on Wall Street, why break 30 Wall Street companies (individually) if you can go to the server – the warehouse, the cloud – where all the companies store their data? It’s just smarter, more efficient, more efficient to do it,” Evanina said.
Although President Donald Trump showed little personal interest in cybersecurity, and even fired the head of the Department of Homeland Security’s cybersecurity agency only a few weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and will impose costs on adversaries who carry out attacks.
Supply chain protection is likely to be an important part of those efforts, and there is clearly work to be done. A Government Accountability Office report from December, reviewing the supply chain risk assessment and management practices of 23 agencies, said that only a few had implemented each of seven “foundational practices” and that 14 had implemented none of them.
U.S. officials say the responsibility cannot lie with the government alone and that it should involve coordination with the private industry.
But the government has tried to take action, including through executive orders and rules. A provision of the National Defense Authorization Act prohibits federal agencies from entering into contracts with companies that use goods or services of five Chinese companies, including Huawei. The government’s formal counter-intelligence strategy makes reducing supply chain threats one of five key pillars.
Perhaps the most notorious supply chain intrusion before SolarWinds was the NotPetya attack, in which malicious code planted by Russian military hackers was unleashed through an automatic update of a Ukrainian tax preparation software called MeDoc. That malware infected the software’s customers, and the attack caused more than $10 billion in damage worldwide.
In September the Justice Department charged five Chinese hackers who, prosecutors say, compromised software vendors and then modified the vendors’ source code in order to reach the vendors’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.
“Anyone who was surprised by SolarWinds did not pay attention,” said Rep. Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, a bipartisan group that issued a white paper on protecting the supply chain through better intelligence and information sharing.
Brandon Valeriano, a cybersecurity expert at Marine Corps University, says part of the appeal of a supply chain attack is that it targets low-hanging fruit. He is a senior adviser to the Solarium Commission and says that it is not really known how extensive these networks are and that weaknesses in the supply chain are not uncommon.
“The problem is, we basically do not know what we are eating,” Valeriano said. “And sometimes it happens later that we choke on something – and often we choke on things.”
___
Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP