Thursday, February 4, 2021

Don’t worry, Vlad. Your record’s safe.


There have been a number of news stories about the fact that the Chinese were able to exploit a vulnerability in SolarWinds Orion software to attack the US Dept. of Agriculture’s National Finance Center. Most of the articles have made it sound like the attack was déjà vu all over again: another supply chain attack on SolarWinds!

However, only a few articles (like this one) have gotten it right: This wasn’t a supply chain attack. This was just your garden-variety attack on software, in which some nefarious party exploits a vulnerability in software (and there are lots of vulnerabilities out there!) to penetrate an organization. The attack is on software that is already installed.

A supply chain attack on software usually starts long before the software is installed. In fact, in the case of the Russian attack on SolarWinds, it started about 15 months before the attack was discovered, while the software was being developed. The Russians planted the SUNBURST malware in updates to Orion, using the amazing SUNSPOT malware, which I described recently. This was the first stage of the attack.

The SUNBURST malware then opened up a backdoor when the tainted update was installed on a customer’s network. It beaconed to the Russians that it was active, at which point they were able to exploit the backdoor to perform their dirty work. This was the second stage of the attack.

The big difference between the Russian and the Chinese attacks was that the latter was essentially equivalent to just the second stage. Both attacks exploited a vulnerability, but the vulnerability that the Chinese exploited existed in Orion before they attacked it. The vulnerability the Russians exploited was one they had placed there themselves. That’s why the vulnerability was called a backdoor.

If you read my post on SUNSPOT, you know that it was an exquisitely designed piece of malware that rivaled Stuxnet. The Russians conducted a careful campaign that started with a proof of concept that placed a benign piece of code in a few Orion updates, just to make sure that could be done. Then they developed SUNSPOT and deployed it a few months later. After that, SUNSPOT had to run on its own for months inside the SolarWinds development environment, without any direct Russian intervention. Yet it was completely successful in placing SUNBURST in about seven or eight Orion updates.

Compared to the Russian campaign, the Chinese attack was a skirmish. The Russians penetrated maybe a few hundred targets (some very high value). They could presumably have penetrated another 17,750, since about 18,000 customers downloaded the tainted Orion updates, but they just didn’t have the time. Meanwhile, the Chinese penetrated one Orion customer: an agency inside USDA. Do you see the immense power of a supply chain attack, vs. a garden-variety software attack?

I’ve said at least twice (here and here) that Uncle Vlad is the king of supply chain attacks. The Chinese will never displace him!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
