Russian hacking of U.S. agencies exposed supply chain weaknesses

WASHINGTON (AP) – Elite Russian hackers who gained access to the computer systems of federal agencies last year did not bother to break into the networks of each department one by one.

Instead, they got in by inserting malicious code into a software update pushed out to thousands of government agencies and private companies.

Not surprisingly, the hackers were able to exploit vulnerabilities in what is known as the supply chain to launch a massive intelligence-gathering operation. U.S. officials and cybersecurity experts have sounded the alarm for years about a problem that has wreaked havoc, including billions of dollars in financial losses, but has defied easy solutions from government and the private sector.

“We need to wrap our arms around the supply chain threat and find the solution, not just for us, in America, as the world’s leading economy, but for the planet,” William Evanina, who resigned last week as the U.S. government’s chief counterintelligence official, said in an interview. “We need to find a way to make sure that in the future we can have a zero risk stance and trust our suppliers.”

In general terms, a supply chain refers to the network of people and companies involved in developing a particular product, not unlike a home construction project that depends on a contractor and a network of subcontractors. The large number of steps in this process, from design to manufacturing to distribution, and the many entities involved give a hacker seeking to infiltrate companies, agencies and infrastructure numerous points of entry.

This can mean that no single company or executive is responsible for protecting an entire industry’s supply chain. And even if most vendors in the chain are secure, a single point of vulnerability may be all that foreign government hackers need. In practical terms, a homeowner who builds a fortress-like mansion may still fall victim to an alarm system that was compromised before it was ever installed.

The most recent case targeting federal agencies involved Russian government hackers who are believed to have inserted malicious code into popular software that manages the computer networks of companies and governments. The product is made by a Texas-based company called SolarWinds, which has thousands of customers in the federal government and the private sector.

The malicious software gave the hackers remote access to the networks of various agencies. Among those known to have been affected are the departments of Commerce, Treasury and Justice.

For hackers, the business case for targeting a supply chain directly makes sense.

“If you want to default on 30 companies on Wall Street, why infringe on 30 companies on Wall Street (individually) when you can go to the server (the warehouse, the cloud) where all these companies hold their data? It’s smarter, more efficient and more efficient to do so,” said Evanina.

While President Donald Trump showed little personal interest in cybersecurity, even firing the head of the Department of Homeland Security’s cybersecurity agency a few weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and impose costs on adversaries who carry out attacks.

Protecting the supply chain will presumably be a key part of those efforts, and there is clearly work to be done. A December report from the Government Accountability Office found that, in a review of how 23 agencies assess and manage supply chain risks, only a few had implemented each of the seven “foundational practices” and 14 had implemented none.

U.S. officials say the responsibility cannot rest with the government alone and requires coordination with private industry.

But the government has tried to take action, including through executive orders and regulations. A provision in the National Defense Authorization Act barred federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s formal counterintelligence strategy made reducing supply chain threats one of its five basic pillars.

Perhaps the best-known supply chain intrusion before SolarWinds is the NotPetya attack, in which malicious code planted by Russian military hackers was triggered by an automatic update of Ukrainian tax preparation software called MeDoc. The malware infected the company’s customers, and the attack caused more than $10 billion in damage globally.

In September, the Justice Department charged five Chinese hackers accused of compromising software vendors and then modifying the source code to enable further hacks of the vendors’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.

“Anyone surprised by SolarWinds has not been paying attention,” said Rep. Jim Langevin, a Rhode Island Democrat and member of the Cyberspace Solarium Commission, a bipartisan group that issued a white paper calling for supply chain protection through better intelligence and information sharing.

Part of the appeal of a supply chain attack is that it’s “low-hanging fruit,” said Brandon Valeriano, a cybersecurity expert at Marine Corps University. As a senior advisor to the Solarium Commission, he says it is not really known how widely dispersed these networks are, and that supply chain flaws are not uncommon.

“The problem is we basically don’t know what we’re eating,” said Valeriano. “And sometimes it happens later that we drown something, and often we drown things.”

___

Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP
