A second SolarWinds hack deepens fears about third-party software

It has been more than two months since revelations that alleged Russian-backed hackers broke into IT management company SolarWinds and used that access to launch a massive software supply chain attack. Now it seems that Russia was not alone; Reuters reports that alleged Chinese hackers independently exploited a different flaw in SolarWinds products last year at almost the same time, apparently reaching the U.S. Department of Agriculture’s National Finance Center.

In December, SolarWinds fixed the vulnerability that the alleged Chinese hackers exploited. But the revelation underscores the seemingly impossible task organizations face in addressing not only their own security issues, but also their potential exposure through the countless third-party companies they partner with for services ranging from IT management to data storage and office chat. In the current interconnected landscape, you are only as strong as your weakest provider.

“It’s unrealistic not to depend on third parties,” says Katie Nickels, intelligence director at security firm Red Canary. “The way a network is run is simply unrealistic. But what we saw during the first week or two, even after the initial SolarWinds revelations, was some organizations just trying to figure out if they even use SolarWinds products. Therefore, I believe that the change must be to know these dependencies and understand how they should and should not interact.”

SolarWinds points out that, unlike the Russian hackers, who used their access to SolarWinds to infiltrate targets, the Chinese hackers exploited the vulnerability only after breaking into a network by other means. They then used the flaw to dig deeper. “We are aware of a case happening and there is no reason to believe that these attackers were inside the SolarWinds environment at any time,” the company said in a statement. “This is separate from the broad and sophisticated attack that targeted several software companies as vectors.” The USDA did not respond to a request for comment.

The ubiquity of software such as Microsoft Windows or, until recently, Adobe Flash, makes it a popular target for a wide variety of hackers. SolarWinds is a company with more than two decades of experience and a large customer base, including a large number of government contracts in the United States and abroad. But SolarWinds is also just one of a multitude of business tools and IT management services that companies need to run constantly and simultaneously. Each represents a potential opening for attackers.

“I have hundreds of different vendors that we use, from Microsoft to Box, Zoom, Slack, etc. It only takes one,” says Marcin Kleczynski, CEO of antivirus maker Malwarebytes, which revealed in January that it had been the victim of alleged Russian hacking. “It’s a Catch-22. Trust multiple and only one. Trust the big brands and deal with the consequences that are the most objective. Trust the small brands and deal with the consequences that do not yet invest in safety.”

Malwarebytes illustrates this tension in another key way; the Russian hackers who compromised it got in through a different method than SolarWinds. As Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal in January, the hackers “gained access to their targets in various ways.” You can defend your treasure by hiding it in a castle on a mountain surrounded by a great wall and a moat full of alligators, or you can scatter it all over the world in safe but unobtrusive boxes. Both approaches invite their own set of risks.
