A second SolarWinds hack deepens third-party software fears

It has been more than two months since revelations that hackers allegedly backed by Russia compromised IT management company SolarWinds and used that access to launch a massive attack on the software supply chain. Now it seems that Russia was not alone: Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products last year, at about the same time, apparently hitting the United States Department of Agriculture’s National Financial Center.

SolarWinds fixed the vulnerability that China’s alleged hackers exploited in December. But the revelation underscores the seemingly impossible task that organizations face in dealing not only with their own security issues, but also with the potential exposure of the numerous third-party companies they rely on for services ranging from IT management to data storage and office chat. In today’s interconnected landscape, you are only as strong as your weakest supplier.

“It is not realistic not to depend on others,” says Katie Nickels, director of intelligence at security firm Red Canary. “The way any network is managed is simply unrealistic. But what we saw in the first week or two, even after SolarWinds’ initial revelations, were some organizations just trying to find out if they use SolarWinds products. So, I think the change must be to know these dependencies and understand how they should and should not interact.”

SolarWinds emphasizes that, unlike the Russian hackers, who used their access to SolarWinds to infiltrate targets, the Chinese hackers exploited the vulnerability only after already breaking into a network by some other means. They then used the flaw to drill deeper. “We are aware of an instance of this event and there is no reason to believe that these attackers were within the SolarWinds environment at any time,” the company said in a statement. “This is different from the broad and sophisticated attack that targeted various software companies as vectors.”

The ubiquity of software such as Microsoft Windows or, until recently, Adobe Flash, makes them popular targets for a wide variety of hackers. As a company with more than two decades of existence and a large customer base, including a large number of government contracts in the United States and abroad, SolarWinds makes perfect sense as a target for hackers. But SolarWinds is also just one of a multitude of corporate tools and IT management services that companies rely on, all running constantly and side by side. Each represents a potential point of entry for attackers.

“I have hundreds of different vendors that we use, from Microsoft, Box, Zoom, Slack and so on. It only takes one,” says Marcin Kleczynski, CEO of antivirus maker Malwarebytes, who revealed in January that his company had been a victim of the suspected Russian hacking wave. “It’s a Catch-22. Trust a supplier and you will be screwed if he is hit. Trust several and one is enough. Trust big brands and deal with the consequences of being more targeted. Trust small brands and face the consequences of not yet investing in security.”

Malwarebytes illustrates this tension in another fundamental way: the Russian hackers who compromised it entered by a method other than SolarWinds. Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told the Wall Street Journal in January that the hackers “gained access to their targets in a variety of ways.” You can defend your treasure by hiding it in a castle on a mountain surrounded by a great wall and a moat full of crocodiles, or you can spread it around the world in safe but discreet boxes. Both approaches invite their own set of risks.