A Second SolarWinds Hack Deepens Third-Party Software Fears

It appears that not only Russia but also China targeted the company, a reminder of the many ways interconnectedness can go wrong.
In today's interconnected landscape, you're only as strong as your weakest vendor. Photograph: Bronte Wittpenn/Bloomberg/Getty Images

It's been more than two months since revelations that alleged Russia-backed hackers broke into the IT management firm SolarWinds and used that access to launch a massive software supply chain attack. It now appears that Russia wasn't alone; Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products last year at around the same time, apparently hitting the US Department of Agriculture's National Finance Center.

SolarWinds patched the vulnerability in December that the alleged China hackers exploited. But the revelation underscores the seemingly impossible task that organizations face in dealing with not only their own security issues but also potential exposure from the countless third-party companies they partner with for services that range from IT management to data storage to office chat. In today's interconnected landscape, you're only as strong as your weakest vendor.

“It’s not realistic to not depend on any third parties,” says Katie Nickels, director of intelligence at the security firm Red Canary. “It’s just not realistic the way any network is run. But what we saw for the first week or two, even after the initial SolarWinds revelations, was some organizations just trying to figure out whether they even use SolarWinds products. So I think the shift has to be to knowing those dependencies and understanding how they should and shouldn’t be interacting.”

SolarWinds emphasizes that, unlike the Russian hackers, who used their access to SolarWinds to infiltrate targets, the Chinese hackers exploited the vulnerability only after already breaking into a network by some other means. They then used the flaw to bore deeper. “We are aware of one instance of this happening, and there is no reason to believe these attackers were inside the SolarWinds environment at any time,” the company said in a statement. “This is separate from the broad and sophisticated attack that targeted multiple software companies as vectors.”

A USDA spokesperson said in a statement that the agency removed SolarWinds Orion products from its networks in December per an emergency directive from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. “While we continue to look into it, we have no evidence of a data breach of the USDA National Finance Center,” the spokesperson said.

The ubiquity of software like Microsoft Windows or, until recently, Adobe Flash makes them popular targets for a wide variety of hackers. As a company that’s more than two decades old and has a big customer base—including a large number of government contracts in the United States and abroad—SolarWinds makes perfect sense for hackers to prod. But SolarWinds is also just one of a multitude of enterprise tools and IT management services that companies need to run constantly and simultaneously. Each represents a potential inroad for attackers.

“I’ve got hundreds of different vendors we use, from Microsoft to Box, Zoom, Slack, and so on. It only takes one,” says Marcin Kleczynski, CEO of the antivirus maker Malwarebytes, which disclosed in January that it had been a victim of the suspected Russian hacking spree. “It’s a catch-22. Rely on one vendor and you’re screwed if they get hit. Rely on multiple and all it takes is one. Rely on the big brands and deal with the consequences that they’re the most targeted. Rely on the small brands and deal with the consequences that they’re not yet investing in security.”

Malwarebytes is illustrative of that tension in another key way; the Russian hackers who compromised it got in through a method other than SolarWinds. Brandon Wales, acting director of CISA, told The Wall Street Journal in January that the hackers “gained access to their targets in a variety of ways.” You can defend your treasure by hiding it in a castle on a mountain surrounded by a big wall and an alligator-filled moat, or you can scatter it around the world in strong but inconspicuous lockboxes. Both approaches invite their own set of risks.

Even before SolarWinds, supply chain attacks have wreaked havoc on a wide range of companies. In 2018, the Justice Department detailed how Chinese hackers allegedly compromised so-called managed service providers—companies that provide IT infrastructure—and leapfrogged into the networks of dozens of victim companies. It’s also not unusual for multiple actors to compromise the same systems or devices; some targets have obvious intelligence value. Take the Democratic National Committee, which two separate Russian hacking groups breached in 2016. But knowing that doesn't make defending against it any easier.

“It presents quite a challenge when you see two sets of activity on a single box,” Red Canary's Nickels says. “But one of the most basic things defenders have recommended for decades is that people have an asset inventory. So if more organizations just have a nice, concise list of all the third-party providers they use because of this, that in itself would be a great outcome.”

There's no obvious solution to the threat that widespread reliance on third-party providers poses to companies small and large alike. But in many cases, even knowing who you're working with—and what their products can access—would be a good place to start.

Updated Wednesday, February 2, 2021 at 11:15am ET to include comment from USDA.