It’s been more than two months since the revelations that suspected Russian-backed hackers broke into the IT management company SolarWinds and used that access to launch a massive attack on the software supply chain. It now seems that Russia was not alone: Reuters reports that suspected Chinese hackers independently exploited a different flaw in SolarWinds products last year, around the same time, apparently hitting the National Finance Center of the United States Department of Agriculture.
SolarWinds fixed the vulnerability the alleged Chinese hackers were exploiting in December. But the revelation underscores the seemingly impossible task organizations face in addressing not only their own security concerns, but also the potential exposure of the countless third-party companies they partner with for services ranging from IT management to data storage to intra-office chat. In today’s interconnected landscape, you are only as strong as your weakest supplier.
“It is unrealistic not to depend on any third party,” says Katie Nickels, chief intelligence officer of security firm Red Canary. “The way a network is managed is just not realistic. But what we saw during the first week or two, even after the initial SolarWinds disclosures, was that some organizations were just trying to determine if they were even using SolarWinds products. So I think the change has to be knowing these dependencies and understanding how they should and shouldn’t interact.”
SolarWinds points out that, unlike the Russian hackers, who used their access to SolarWinds itself to infiltrate targets, the Chinese hackers only exploited the vulnerability after they had already penetrated a network by other means. They then used the flaw to dig deeper. “We are aware of an example of what happened and there is no reason to believe that these attackers were in the SolarWinds environment at all times,” the company said in a statement. “This is distinct from the large and sophisticated attack that targeted several software companies as vectors.” The USDA did not return a request for comment.
The ubiquity of software like Microsoft Windows or, until recently, Adobe Flash makes it a popular target for a wide variety of hackers. As a company that is over two decades old with a large customer base – including a large number of government contracts in the United States and overseas – SolarWinds makes perfect sense as a target. But SolarWinds is just one of the many business tools and IT management services that businesses need to run continuously and simultaneously. Each represents a potential entry point for attackers.
“I have hundreds of different providers that we use, from Microsoft to Box, Zoom, Slack, etc. You only need one,” said Marcin Kleczynski, CEO of antivirus maker Malwarebytes, who revealed in January that his company had been a victim of the alleged Russian hacking frenzy. “It’s a catch-22. Trust a supplier and you’re screwed if he gets hit. Rely on several and all it takes is one. Rely on the big brands and face the consequences that they are the most targeted. Rely on small brands and face the consequences that they do not yet invest in safety.”
Malwarebytes illustrates this tension in another key way: the Russian hackers who compromised it got in through a method other than SolarWinds. Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal in January that the hackers “gained access to their targets in different ways.” You can defend your treasure by hiding it in a castle on a mountain surrounded by a high wall and an alligator-filled moat, or you can scatter it around the world in strong but discreet chests. Both approaches invite their own set of risks.