It was more than two months after revelations that alleged Russian-backed hackers entered the IT management company SolarWinds and used that access to launch a massive attack on the software supply chain. It seems that Russia was not alone; Reuters reports that suspected Chinese hackers independently exploited a different defect in SolarWinds products last year, at about the same time, apparently hitting the US Department of Agriculture’s National Finance Center.
SolarWinds fixed the vulnerability that the alleged hackers in China exploited in December. But the revelation highlights the seemingly impossible task organizations face when dealing not only with their own security issues, but also with the potential exposure of the countless third-party companies they partner with for services ranging from IT management to data storage to office chat. In today’s interconnected landscape, you are only as strong as your weakest provider.
“It’s unrealistic not to depend on third parties,” says Katie Nickels, intelligence director at security firm Red Canary. “It simply came to our notice then. But what I saw in the first week or two, even after the initial SolarWinds revelations, was that some organizations are just trying to figure out if they even use SolarWinds products. So I think the change has to be about knowing these dependencies and understanding how they should and shouldn’t interact.”
SolarWinds points out that, unlike the Russian hackers, who used their access to SolarWinds to infiltrate targets, the Chinese hackers exploited the vulnerability only after they had already entered a network through other means. They then used the defect to dig deeper into that network. “We are aware of a case where this is happening and there is no reason to believe that these attackers were in the SolarWinds environment at any time,” the company said in a statement. “This is separate from the broad and sophisticated attack that has targeted several software companies as vectors.” The USDA did not return a request for comment.
The ubiquity of programs such as Microsoft Windows or, until recently, Adobe Flash, makes them popular targets for a wide variety of hackers. As a company that is over two decades old and has a large customer base – including a large number of government contracts in the United States and abroad – SolarWinds makes perfect sense as a target for hackers. But SolarWinds is also just one of a multitude of enterprise tools and IT management services that companies need to run constantly and simultaneously. Each represents a potential opening for attackers.
“I have hundreds of different vendors that we use, from Microsoft, to Box, Zoom, Slack and so on. It only takes one,” said Marcin Kleczynski, CEO of antivirus maker Malwarebytes, which revealed in January that it had been the victim of alleged Russian hacking. “It’s a Catch-22. Rely on a provider and you are wrong if they are hit. Rely on multiples and all you need is one. Rely on the big seas and face the consequences that they are the most targeted. Rely on small brands and face the consequences of not investing in security yet.”
Malwarebytes illustrates this tension in another key way: the Russian hackers who compromised it entered by a method other than SolarWinds. Brandon Wales, Acting Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal in January that the hackers “gained access to their targets in a variety of ways.” You can defend your treasure by hiding it in a castle on a mountain surrounded by a large wall and a moat full of alligators, or you can scatter it around the world in strong but discreet lockboxes. Both approaches carry their own set of risks.