Supply Chain Security Awareness Part 1: Risk Factors



The global forces that brought SolarWinds to its knees

What do the US-China trade wars, COVID-19 pandemic, SolarWinds breach and Suez Canal blockage have in common? Rewind to last year’s RSA Conference, and few could make the connection (especially considering most events hadn’t yet happened).

But this year, it’s not just the risk officers, procurement professionals and CISOs who know that the incidents above caused tremendous damage to the global supply chain. In fact, the entire security industry has had to face the music on supply chain risk over the past year—from geopolitical influence to sophisticated cyberattack—and it’s not going away anytime soon.

Case in point: Supply chain security stole the spotlight at RSA Conference 2021. With a keynote from the CEO of SolarWinds, supply chain sandbox games and sessions on developing SBOMs and DBOMs, no supply chain stone was left unturned.

So what did we learn? What have the past 14 months taught security and business professionals about the risks inherent in their supply chain biz model? To start, we’ll look at what exactly happened in the SolarWinds attack. How were the threat actors able to penetrate their network and compromise over 17,000 clients? Which factors played a part in elevating supply chain risk to a fever pitch?

Time to dive into Part 1 of our three-part series on supply chain security.

Anatomy of the SolarWinds attack

On December 12, 2020, SolarWinds learned about a breach in their Orion platform, a popular network and applications monitoring tool serving the Fortune 500, higher education, government agencies and thousands of other organizations. Little did they know how deep adversaries had penetrated—nor did they realize how far back the attack truly began.

Just three days prior to learning of the breach, SolarWinds had announced Sudhakar Ramakrishna as their CEO. With industry insiders encouraging him to seek greener pastures, Ramakrishna stayed put as SolarWinds was battered by fallout from an attack that likely leveraged a virtual army of special ops assailants—namely, Russia’s SVR—dedicated to performing delicate hacks and stealthy cyber reconnaissance.

It’s largely believed that Russian threat actors accessed SolarWinds on September 4, 2019 (though Marco Figueroa, Principal Threat Researcher at SentinelOne, told RSAC attendees it was likely much earlier), and began an extended period of recon and QA testing. Once the Orion platform was compromised, threat actors had access to the entire environment’s API keys. Those keys allowed attackers full admin privileges with the ability to defeat two-factor authentication, turn controls on or off, add implants and steal source code.

Threat actors didn’t drop the Sunburst payload until February 2020, at least five months after accessing SolarWinds’ network. The injected code was deployed to victim organizations via trojanized updates to the Orion software. It remained dormant for 12–14 days, checking for developer tools and security products, and then proceeded with malicious activity. The attackers knew how to defeat many security programs by understanding their weaknesses and bypassing them. There were no zero-days reported.

“The tradecraft that the attackers used was extremely sophisticated,” said Ramakrishna. “They did everything possible to hide in plain sight. Given the amount of time they spent and the delicacy in their efforts, they were able to cover their tracks every step of the way. And given the resources of a nation-state against one company, it was very difficult to uncover.”

The breach was so extensive that SolarWinds would not be able to unpack it alone. Security researchers across disciplines, public and private sectors and even at competing vendors came together to try and solve the problem. Investigators are still piecing together the answers, while Ramakrishna remains at SolarWinds, building back “one customer, one day at a time.”

Supply chain risk factors

As the SolarWinds breach was underway, global supply chains elsewhere were pelted with an ongoing barrage of volatility: the COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional office infrastructures and into their homes, growing trade conflicts rendered supply chain hardware and software at risk of weaponization, and significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.

In other words, conditions were ripe for cybercriminals to wreak havoc. While organizations sweated disruptions to actual supplies on the supply chain, security teams around the world—including those at SolarWinds—missed the big red flag: the risk of data access by adversaries all too happy to compromise third- or fourth-tier suppliers to get to the big game.

Meanwhile, for organizations dependent on suppliers (all of them), the hurricane of uncertain market forces and economic turmoil was strengthened by an increasing number of cyberattacks.

In 2020, the FBI received 4,000 cyberattack complaints per day, a 400 percent increase from the previous year. First, there were phishing and disinformation campaigns aimed at spreading fear about COVID-19. Then the tides turned to ransomware—a veritable tsunami of ransomware and extortion greater in frequency, sophistication and cost than we’d witnessed before.

“This particular year, there were so many different incidents that you had to adapt week-to-week,” said Mike Brannon, Director, Infrastructure & Security at National Gypsum Company. “We started referring to Thursdays as ‘hollowed out shell day’ because we were running so low on resources.”

RSAC 2021 laid bare the difficult year for all of us in supply chain cybersecurity and beyond. Yet amid the turmoil were superhuman feats of courage, collaboration and innovation. Tune in for Part 2 of this series to learn how the cybersecurity industry responded and what experts recommend for organizations to shore up supply chain security today.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

