Serg Nvns - Fotolia

Hackers targeting software supply chains, US report warns

A US government report on cyber espionage by China, Russia and Iran says software supply chains are increasingly under attack

Software supply chain infiltration has already threatened the critical infrastructure sector and could threaten other sectors as well, according to a report by the US National Counterintelligence and Security Center (NCSC).

“Foreign intelligence services – and threat actors working on their behalf – continue to represent the most persistent and pervasive cyber intelligence threat,” said the Foreign economic espionage in cyberspace report.

The report said China, Russia and Iran “stand out as three of the most capable and active cyber actors tied to economic espionage”, highlighting several cyber operations based in the three countries that have threatened US firms and interests.

Despite the accord struck between the US and China in 2015 to stop conducting cyber-enabled economic espionage, the report said that although there has been less espionage activity, China “continues to use cyber espionage to support its strategic development goals – science and technology advancement, military modernisation, and economic policy objectives”.

China, Russia and Iran are expected to remain “aggressive and capable” collectors of sensitive US economic information and technologies, particularly in cyber space, the report said. “All will almost certainly continue to deploy significant resources and a wide array of tactics to acquire intellectual property and proprietary information,” it added.

Software supply chain infiltration is a threat that warrants attention, the report said, noting that 2017 was a “watershed” in the reporting of software supply chain operations, with seven significant events being reported in the public domain, compared with only four between 2014 and 2016.

As the number of events increases, the potential impacts also increase, the report said. “Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organisational disruption, or demonstrable financial impact,” it said.

The report cited several key incidents of software supply chain infiltration, including malicious code injected into Avast-owned Piriform CCleaner software prior to release in a supply chain compromise that targeted 18 companies but infected 2.2 million CCleaner customers worldwide with a backdoor.

In 2017, hackers also corrupted software distributed by South Korean firm Netsarang, which sells enterprise and network management tools. The backdoor enabled downloading of further malware or theft of information from hundreds of companies in energy, financial services, manufacturing, pharmaceuticals, telecommunications and transportation industries.

The case that had the most impact was when a version of Ukrainian accounting software M.E. Doc was infected with a backdoor to deliver a destructive payload disguised as ransomware. The attack, widely known as NotPetya, was attributed to Russia and paralysed networks worldwide, shutting down or affecting the operations of banks, companies, transportation and utilities. The attack cost FedEx and Maersk about $300m each.

Read more about supply chain security

  • MoD to focus on SMEs to raise supply chain cyber security.
  • Business is increasingly recognising the importance of information security, but security within supply chains is still widely overlooked.
  • A comprehensive security strategy must include the supply chain.
  • The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme.

The report also cited as an example of software supply chain infiltration the malware operation dubbed Kingslayer, which targeted system administrator accounts associated with US firms to steal credentials in order to breach the system and replace the legitimate application and updates with a malicious version containing an embedded backdoor.

Although it is not known which and how many firms were ultimately infected, the report said at least one US defence contractor was targeted and compromised.

Earlier this week, cyber security firm Crowdstrike published a report that suggested software supply chain attacks have the potential to become one of the biggest cyber threats in the next few years, with two-thirds of respondents admitting they had been the victim of a software supply chain attack.

Most (90%) of those targeted confirmed that they had incurred financial cost as a result, with the average cost of an attack being more than $1.1m.

The study, Securing the supply chain, surveyed 1,300 senior IT decision-makers and IT security professionals in the US, Canada, the UK, Mexico, Australia, Germany, Japan and Singapore, across a wide range of industries.

But despite almost 90% of respondents saying they believe that over the next three years, software supply chain attacks could pose one of their biggest cyber threats, only one-third of respondents said they are vetting all their suppliers and even fewer feel their organisations are sufficiently prepared to mitigate the risks of a software supply chain attack.

Supply chain attacks are increasingly becoming a business-critical issue, the Crowdstrike study said, impacting crucial relationships with partners and suppliers.

“However, as the survey reveals, organisations lack the knowledge, tools and technology they need to be adequately protected,” it said.

“Along with rigorously assessing the software supply chain suppliers they use, organisations need to close the security gaps that are making them vulnerable to attack. This requires employing effective prevention, detection and response technologies.”

Read more on Hackers and cybercrime prevention