There have been a number of news stories about the fact that the Chinese were able to exploit a vulnerability in SolarWinds Orion software to attack the US Dept. of Agriculture’s National Finance Center. Most of the articles have made it sound like the attack was déjà vu all over again: another supply chain attack on SolarWinds!
However, only a few articles (like
this one)
have gotten it right: This wasn’t a supply chain attack. This was just your
garden-variety attack on software, in which some nefarious party exploits a
vulnerability in software (and there are lots of vulnerabilities out there!) to
penetrate an organization. The attack is on software that is already installed.
A supply chain attack on software
usually starts long before the software is installed. In fact, in the case of
the Russian attack on SolarWinds, it started about 15 months before the attack
was discovered, while the software was being developed. The Russians planted the
SUNBURST malware in updates to Orion, using the amazing SUNSPOT malware, which
I described recently.
This was the first stage of the attack.
The SUSNBURST malware then opened
up a backdoor when the tainted update was installed on a customer’s network. It
beaconed to the Russians that it was active, at which point they were able to exploit
the backdoor to perform their dirty work. This was the second stage of the
attack.
The big difference between the Russian
and the Chinese attacks was that the latter was essentially equivalent to just
the second stage. Both attacks exploited a vulnerability, but the vulnerability
that the Chinese exploited existed in Orion before they attacked it. The vulnerability
the Russians exploited was one they had placed there themselves. That’s why the
vulnerability was called a backdoor.
If you read my post on SUNSPOT,
you know that it was an exquisitely-designed piece of malware that rivaled
Stuxnet. The Russians conducted a careful campaign that started with a proof of
concept that placed a benign piece of code in a few Orion updates, just to make
sure that could be done. Then they developed SUNSPOT and deployed it a few
months later. After that, SUNSPOT had to run on its own for months inside the
SolarWinds development environment, without any direct Russian intervention.
Yet it was completely successful in placing SUNBURST in about seven or eight
Orion updates.
Compared to the Russian campaign, the
Chinese attack was a skirmish. The Russians penetrated maybe a few hundred
targets (some very high value). They could presumably have penetrated another 17,750,
since about 18,000 customers downloaded the tainted Orion updates, but they just
didn’t have the time. Meanwhile, the Chinese penetrated one Orion customer: an
agency inside USDA. Do you see the immense power of a supply chain attack, vs.
a garden-variety software attack?
I’ve said at least twice (here
and here)
that Uncle Vlad is the king of supply chain attacks. The Chinese will never
displace him!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.
No comments:
Post a Comment