In the immediate aftermath of the SolarWinds attacks being announced in December 2020, I wrote a post based on a New York Times article I’d just read (although the day I wrote the post, January 6, 2021, turned out to be in the news for another reason). The article intimated that V. Putin & Co. had pulled off another audacious supply chain attack; it was supposedly achieved by compromising a software development product called TeamCity, which is sold by the company JetBrains. That company was founded by three Russian software developers in Prague; however, it still has operations in Russia.

In my post, I unfortunately stated that it was possible that the SolarWinds attack had been perpetrated by the Russians, working through a compromised copy of JetBrains in use by SolarWinds (which is a user of JetBrains, along with many other software developers such as Siemens, Google, Hewlett-Packard and Citibank). That hadn’t been explicitly stated in the NYT article, and I was remiss for not reading it carefully enough.
Two weeks later (and a few days after I’d put up another post that made the same suggestion), I received a politely worded email from a person in Moscow who represents JetBrains. They pointed out that there was no evidence that TeamCity had been the launch point for the SolarWinds attack and asked that I apologize. Of course, I apologized in my post.
However, yesterday, almost three years after that exchange, I was very disappointed to learn that what I mistakenly stated three years ago has now come to pass: JetBrains instances have been compromised recently, most likely in order to launch supply chain attacks on the customers of JetBrains’ software developer customers (which would presumably follow something like the model of the SolarWinds attacks). The Russian Foreign Intelligence Service (SVR) is now exploiting a critical vulnerability for which JetBrains has issued a patch, which – of course – hasn’t been universally applied. More than 100 devices running JetBrains have been compromised, although so far the attackers haven’t launched any supply chain attacks. And just for good measure, it seems the North Koreans are exploiting the same vulnerability.
In neither of these two incidents did JetBrains do anything wrong, other than perhaps the fact that the founders of the company didn’t carefully choose the country they would be born in. Let that be a lesson to us all!
Quite sad.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.