By David Gugelmann, April 2020
My "top 3" supply chain attacks
In a supply chain attack, the attackers do not target your company directly; instead, they first target one of your suppliers. The attackers then manipulate the supplier’s product or use stolen information to break into your well-secured company. As Microsoft put it in a blog post last year:
“At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers.”
While there are various types of supply chain attacks, I have a personal “Top 3” list of especially nasty incidents.
Stealing the master key
RSA’s SecurID tokens are a very well-known two-factor authentication solution securing access to sensitive data for millions of people. The idea behind RSA’s tokens is simple. An algorithm calculates a one-time access token which is linked to a specific user account and changes regularly. In order to log in, a user needs their password and the corresponding token generated by RSA’s algorithm. It is very difficult for an attacker to circumvent this system, as the token changes every 60 seconds. Unless, of course, you hack RSA, obtain the algorithm and the seed key used to calculate the access tokens, and subsequently use that information to hack a well-secured high-profile target and steal information on a secret military technology. What sounds like a scene from a James Bond movie is in fact what happened in March 2011 with the defense contractor Lockheed Martin.
While in this case no backdoor per se was used, I still think it is a clear supply chain attack, leveraging the trust placed in a supposedly extra-secure two-factor authentication.
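As an added illustration of why the stolen seeds were the "master key" (this is not code from the original post, and RSA's actual algorithm is proprietary): the block below uses the generic HMAC-based time-step construction of RFC 4226/6238 as a stand-in, with the 60-second step from the text. The seed value is constructed. Any party holding a user's seed computes exactly the code the server expects, so the whole scheme rests on the seed database staying secret.

```python
import hashlib
import hmac
import struct

# The text says the code changes every 60 seconds; RFC 6238 defaults to 30.
TIME_STEP_SECONDS = 60


def time_based_code(seed: bytes, unix_time: int, digits: int = 6,
                    step: int = TIME_STEP_SECONDS) -> str:
    """Generic HMAC-based one-time code (RFC 4226 truncation over an
    RFC 6238 time counter). Stand-in for RSA's proprietary algorithm:
    the output depends only on (seed, time step), nothing device-specific."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(seed: bytes, unix_time: int, submitted: str) -> bool:
    """Server side: recompute the code for the current step and compare in
    constant time. The server needs the same seed the device holds."""
    return hmac.compare_digest(time_based_code(seed, unix_time), submitted)


def same_seed_same_code(unix_time: int = 1_300_000_000) -> dict:
    """Show what a copy of the seed database implies for the server.

    Constructed seed value; in reality the vendor held one seed per token.
    """
    seed = b"constructed-seed-for-one-user-token"
    from_device = time_based_code(seed, unix_time)      # the user's token
    from_seed_copy = time_based_code(seed, unix_time)   # anyone holding the seed
    return {
        "device_code": from_device,
        "copy_code": from_seed_copy,
        # The server cannot tell the two apart: the seed, not the device, is
        # the secret, which is why stolen seeds mean every token derived from
        # them must be treated as compromised and re-issued.
        "server_accepts_copy": verify_code(seed, unix_time, from_seed_copy),
    }
```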
In 2018 Asus, the world’s fifth largest PC vendor, was hacked by what appears to be a Chinese hacker gang specialized in supply chain attacks. “Operation ShadowHammer” infiltrated Asus’ software update servers undetected. The attackers manipulated Asus’ software, signed the manipulated software with Asus’ legitimate certificate and distributed it to Asus’ clients. With one single hack, Operation ShadowHammer opened a backdoor to numerous potential targets.
Operation ShadowHammer is another example of a supply chain attack that severely impairs trust in third parties. After all, software updates, much like two-factor authentication, are meant to increase cyber security, not undermine it.
NotPetya is the best known and most devastating cyber attack in history. It all started in 2017 with a popular Ukrainian accounting software package that was hacked by the Russian military in the midst of the Ukraine separatist war. The hackers hijacked the accounting software’s update server and established backdoors into the network of every single user of this software.
Through these backdoors, the attackers unleashed a malware that spread automatically and devastatingly fast. Within a few hours, the malware had not only spread to companies in Ukraine but also - through their Ukrainian offices - to large multinationals like the container shipping company Maersk or, ironically, the Russian oil company Rosneft.
Many originally believed that NotPetya was related to the Petya ransomware (hence the name). But it wasn’t. NotPetya was built to destroy, not to encrypt. According to the White House, the financial repercussions of NotPetya amounted to around USD 10 billion. And NotPetya showed the world what harm cyber warfare can cause, also to companies and countries that were only collateral damage.
Protecting your company from supply chain attacks is not an easy task. In fact, attackers manage to stay in compromised networks for more than two hundred days on average before a company realizes that it has been breached. Adam Banks, Chief Technology and Information Officer at Maersk, put it at Infosecurity Europe 2019 as follows:
“According to the director of the NSA, in the seven years he has been in the job, he has never launched an attack that hasn’t worked. But the assumption is that the same is true for the Chinese, the Russians and others. When a state targets an organization, it’s a 100% penetration rate, so organizations cannot assume perimeter security as a valid means of protection anymore. […] While organizations still need perimeter defenses to keep out amateur hackers and low-level cyber criminals, at the same time there is a need for some intelligence inside that perimeter to work out what is going on within corporate networks. Chances are, they are already in.”
How can supply chain attacks be detected?
Our security analytics software ExeonTrace is specialized in providing the above-mentioned “intelligence inside that perimeter to work out what is going on within corporate networks”. Analyzing what is happening inside the corporate network is crucial to detecting and reacting to supply chain attacks because protective measures - like anti-virus software - will often not detect the custom-made malware used in supply chain attacks. However, by analyzing data flows and comparing current activity to previously observed patterns, one can detect changes in communication behavior and raise alerts. For example, when a piece of software starts uploading ten times more data than it previously did and interacts with systems or services it never contacted before, this is a strong indicator of suspicious behavior that should be investigated further.
The figure below shows such a scenario from our lab. One can see in the graph that the client 192.168.10.17 (green circle in the center) interacts with many different services (red circles) on the server 192.168.10.50 (blue circle). Such a behavior pattern is automatically identified by the software and an alert is raised.
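The baseline comparison described above, as an added example that is not ExeonTrace's code: it profiles per-client upload volume and the set of (server, port) services over earlier observation windows, then flags a window in which a client uploads at least ten times its average or contacts several never-seen services. The flow records are constructed, using the lab addresses from the text.

```python
from collections import defaultdict

# Constructed flow records (client, server, port, bytes_uploaded). Each
# inner list is one observation window, e.g. one day of traffic for the
# lab client from the article; the byte counts are invented.
BASELINE_WINDOWS = [
    [("192.168.10.17", "192.168.10.50", 443, 12_000),
     ("192.168.10.17", "192.168.10.20", 53, 300)],
    [("192.168.10.17", "192.168.10.50", 443, 15_000),
     ("192.168.10.17", "192.168.10.20", 53, 280)],
    [("192.168.10.17", "192.168.10.50", 443, 13_000),
     ("192.168.10.17", "192.168.10.20", 53, 320)],
]
# Current window: the same client suddenly talks to many services on the
# server and pushes far more data than before.
CURRENT_WINDOW = [
    ("192.168.10.17", "192.168.10.50", 443, 14_000),
    ("192.168.10.17", "192.168.10.50", 445, 90_000),
    ("192.168.10.17", "192.168.10.50", 22, 60_000),
    ("192.168.10.17", "192.168.10.50", 3389, 8_000),
    ("192.168.10.17", "192.168.10.20", 53, 300),
]


def profile(flows):
    """Per client: bytes uploaded in this window and the services contacted."""
    bytes_up, services = defaultdict(int), defaultdict(set)
    for client, server, port, nbytes in flows:
        bytes_up[client] += nbytes
        services[client].add((server, port))
    return bytes_up, services


def detect_anomalies(baseline_windows, window, upload_factor=10.0, new_service_limit=3):
    """Return {client: [reasons]} for clients deviating from their baseline."""
    mean_bytes, known_services = defaultdict(float), defaultdict(set)
    for past in baseline_windows:
        past_bytes, past_services = profile(past)
        for client in past_bytes:
            mean_bytes[client] += past_bytes[client] / len(baseline_windows)
            known_services[client] |= past_services[client]
    cur_bytes, cur_services = profile(window)
    alerts = {}
    for client, nbytes in cur_bytes.items():
        reasons = []
        base = mean_bytes.get(client)
        if base and nbytes >= upload_factor * base:          # "ten times more data"
            reasons.append(f"upload {nbytes / base:.1f}x baseline")
        unseen = cur_services[client] - known_services.get(client, set())
        if len(unseen) >= new_service_limit:                  # "services never contacted"
            reasons.append(f"{len(unseen)} never-seen services: {sorted(unseen)}")
        if reasons:
            alerts[client] = reasons
    return alerts
```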
But companies do not have to sit and wait for the next attack to strike. One reason why the NotPetya attack wiped out Maersk’s complete IT infrastructure was poor network segmentation. As a result, the attack could spread without further obstacles from its entry point towards the core of Maersk’s network. In a more segmented network, this would not have been so easy.
Graphs like the one above are not only a powerful tool to detect attacks, but they also allow you to understand your network’s regular communication. Knowing your regular communication patterns, you can segment your network without undercutting crucial business operations.
For more use cases and live insights, I suggest we schedule a private demo. Contact us!
Find additional articles on the topic here:
The Untold Story of NotPetya, the Most Devastating Cyberattack in History
I can only recommend this very well researched article on the NotPetya attack and how it crashed (or changed?) the world. Read full article