Russian hacking of US agencies revealed supply chain weaknesses

WASHINGTON (AP) – The elite Russian hackers who gained access to the computer systems of federal agencies last year did not bother trying to break into the networks of each department one by one.

Instead, they inserted malicious code into a software update that was pushed out to thousands of government agencies and private companies.

It was no surprise that hackers were able to exploit vulnerabilities in what is known as the supply chain to launch a massive intelligence-gathering operation. U.S. officials and cybersecurity experts have sounded the alarm for years about a problem that has wreaked havoc, including billions of dollars in financial losses, but has defied easy solutions from the government and the private sector.

“We will have to wrap our arms around the supply chain threat and find the solution, not only for us here in America as the world’s leading economy, but also for the planet,” William Evanina, who resigned last week as the U.S. government’s top counterintelligence official, said in an interview. “We need to find a way to make sure we can have a zero-risk stance in the future and trust our suppliers.”

In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not unlike a home construction project that relies on a contractor and a network of subcontractors. The large number of steps in this process, from design to production and distribution, as well as the various entities involved, give a hacker looking to infiltrate companies, agencies and infrastructure numerous entry points.

This may mean that no single company or executive bears sole responsibility for protecting an entire industry supply chain. And even if most suppliers in the chain are secure, a single point of vulnerability may be all that foreign government hackers need. In practical terms, homeowners who build a fortress-like mansion may nonetheless find themselves victims of an alarm system that was compromised before it was installed.

The most recent case involving federal agencies involved Russian government hackers who are believed to have introduced malicious code into popular software that monitors corporate and government computer networks. This product is manufactured by a Texas company called SolarWinds, which has thousands of customers in the federal government and the private sector.

The malware gave the hackers remote access to the networks of several agencies. Among those known to have been affected are the Commerce, Treasury and Justice departments.

For hackers, the business model of directly targeting a supply chain is sensible.

“If you want to violate 30 Wall Street companies, why violate 30 Wall Street companies (individually) when you can go to the server – the repository, the cloud – where all those companies keep their data? It’s simply smarter, more efficient, more efficient to do that,” said Evanina.

Although President Donald Trump showed little personal interest in cybersecurity, even firing the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and impose costs on adversaries who carry out attacks.

Protecting the supply chain is likely to be an essential part of these efforts, and there is clearly work to do. A Government Accountability Office report from December said that a review of 23 agencies’ protocols for assessing and managing supply chain risk found that only a few had implemented each of the seven “core practices” and 14 had not implemented any.

U.S. officials say the responsibility cannot lie with the government alone and must involve coordination with private industry.

But the government has tried to take action, including through executive orders and rules. A provision in the National Defense Authorization Act prohibited federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s official counterintelligence strategy has made reducing supply chain threats one of the five basic pillars.

Perhaps the best-known supply chain intrusion before SolarWinds is the NotPetya attack, in which malicious code was unleashed by Russian military hackers through an automatic update of Ukrainian tax preparation software called MeDoc. The malware infected its customers, and the attack overall caused more than $10 billion in damage globally.

In September, the Justice Department charged five Chinese hackers who it said had compromised software vendors and then modified source code to allow further hacks of the vendors’ customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malicious software.

“Anyone surprised by SolarWinds was not careful,” said Jim Langevin, a Democrat from Rhode Island and a member of the Cyberspace Solarium Commission, a bipartisan group that issued a white paper calling for supply chain protection through better intelligence and information sharing.

Part of the appeal of a supply chain attack is that it is “a low-hanging fruit,” said Brandon Valeriano, a cybersecurity expert at Marine Corps University. A senior adviser to the Solarium Commission, he says it is not really known how dispersed the networks are and that supply chain flaws are not uncommon.

“The problem is, we don’t really know what we’re eating,” said Valeriano. “And sometimes it happens later that we choke on something – and often we choke on things.”

___

Follow Eric Tucker on Twitter at http://www.twitter.com/etuckerAP
