WASHINGTON (AP) – The elite Russian hackers who gained access to computer systems at federal agencies last year did not bother trying to break into each department’s network one by one.
Instead, they got in by hiding malicious code in a software update sent to thousands of government agencies and private companies.
It was no surprise that hackers were able to exploit vulnerabilities in what is known as the supply chain to launch a massive intelligence-gathering operation. American officials and cybersecurity experts sounded the alarm years ago about a problem that has wreaked havoc, including billions of dollars in financial losses, but has defied easy solutions from the government and the private sector.
“We will have to embrace the supply chain threat and find the solution, not only for us here in America as the largest economy in the world, but for the planet,” William Evanina, who resigned last week as the US government’s top counterintelligence official, said in an interview. “We will have to find a way to ensure that, in the future, we can have a zero risk stance and trust our suppliers.”
In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not unlike a residential construction project that depends on a contractor and a network of subcontractors. The large number of steps in this process, from design to manufacturing and distribution, and the many different entities involved give a hacker who seeks to infiltrate businesses, agencies and infrastructure a variety of points of entry.
That can mean that no single company or executive has sole responsibility for protecting the entire supply chain in an industry. And while most vendors are secure, a single point of vulnerability may be all that foreign government hackers need. To continue the analogy, a homeowner who builds a fortress-like mansion may still fall victim to an alarm system that was compromised before it was installed.
The most recent case targeting federal agencies involved Russian government hackers who are believed to have inserted malicious code into popular software that monitors corporate and government computer networks. The product is made by a Texas-based company called SolarWinds, which has thousands of customers in the federal government and in the private sector.
The malware gave the hackers remote access to the networks of several agencies. Among those affected were the Commerce, Treasury and Justice departments.
For hackers, targeting a supply chain directly makes business sense.
“If you want to breach 30 companies on Wall Street, why violate 30 companies on Wall Street (individually) when you can go to the server – the warehouse, the cloud – where all these companies keep their data? It is simply smarter, more effective and more efficient to do this,” said Evanina.
Although President Donald Trump showed little personal interest in cybersecurity, and even fired the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and impose costs on adversaries who carry out such attacks.
Supply chain protection is likely to be an important part of those efforts, and there is clearly work to be done. A Government Accountability Office report in December said that a review of the protocols of 23 agencies for assessing and managing supply chain risks found that only a few had implemented each of the seven “fundamental practices” and 14 had implemented none.
American officials say the responsibility cannot lie solely with the government and must involve coordination with private industry.
The government has taken some action, including through executive orders and rules. A provision in the National Defense Authorization Act barred federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s formal counterintelligence strategy made reducing threats to the supply chain one of its five main pillars.
Perhaps the best-known supply chain intrusion before SolarWinds is the NotPetya attack, in which malicious code attributed to Russian military hackers was pushed out through an automatic update to Ukrainian tax preparation software called MeDoc. The malware spread to the software’s customers, and the attack ultimately caused more than $10 billion in damage worldwide.
In September the Justice Department charged five Chinese hackers who are alleged to have compromised software vendors and then modified the source code to enable further hacks of the vendors’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.
“Anyone who is surprised by SolarWinds has not been paying attention,” said Rep. Jim Langevin, a Democrat from Rhode Island and a member of the Cyberspace Solarium Commission, a bipartisan group that published a white paper calling for the supply chain to be protected through better intelligence and information sharing.
Part of the appeal of an attack on the supply chain is that it is “an affordable fruit,” said Brandon Valeriano, a cybersecurity expert at Marine Corps University. A senior advisor to the Solarium Commission, he says no one knows exactly how dispersed networks are, and that failures in the supply chain are not uncommon.
“The problem is that we basically don’t know what we’re eating,” Valeriano said. “And sometimes it happens later that we choke on something – and we often choke on things.”
___
Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP