Supply chain security: How third-party vendors may compromise your IT security

Sunburst set a significant precedent that is unlikely to be forgotten quickly: through a supply chain attack, attackers can swiftly penetrate thousands of other organizations' networks, inserting backdoors and additional malware. In this discussion, we highlight the dangers of supply chain attacks and outline the steps you can take to prevent them.

In 2019, Steven Adair, president of the IT security company Volexity, made a groundbreaking discovery: During a routine investigation of a hacker attack on an American think tank, his team tracked down two groups of attackers who had infiltrated the network. 

“Dark Halo”: How the hacker group fooled IT experts

While the first group of hackers could be expelled easily and permanently, the second group, which Adair named "Dark Halo," proved to be far more persistent and sophisticated. Its members returned even after security specialists had hunted them down in the think tank's network.

For a week, attackers and defenders engaged in a game of cat-and-mouse until the experts at Volexity discovered the server through which the criminals had continually penetrated the network. IT administrators at the targeted organization had installed network management software on the server – the rest of the story soon made headlines worldwide.

Sunburst: SolarWinds hack infects over 18,000 organizations worldwide

The software used by the think tank was provided by the company SolarWinds. Around the same time, a similar cyber attack was discovered at the US Department of Justice, which also originated from a server running a SolarWinds solution – in this case, only a trial version. Initially, the security experts suspected one of the common application vulnerabilities that allow attackers to gain access to third-party networks. However, even working together with SolarWinds' developers, they could not identify a vulnerability that would have enabled the attacks.

It took six months for investigators to track down the attackers. In the meantime, "Dark Halo" had already targeted numerous other high-profile organizations, including the US Department of Defense, the Department of Homeland Security, and companies such as Microsoft, Intel, Cisco, and Palo Alto Networks. As it turned out, the hackers had placed a backdoor called “Sunburst” in SolarWinds' Orion network management software. Through this backdoor, they gained covert access to the systems and networks of Orion users and captured data. 

To this day, nobody knows exactly how extensive the damage caused by "Sunburst" is worldwide. Estimates suggest that up to 18,000 companies and organizations have been affected. The backdoor was used for espionage, and additional malicious software was smuggled in through it.

Supply Chain Attacks: A treacherous pathway to target networks

Experts regard the SolarWinds hack as "the largest cyberattack in years." "Sunburst" serves as a prime example of so-called supply chain attacks, in which cybercriminals no longer target their victims directly. Instead, they reach the target networks by taking a detour through a supplier.

Instead of seeking vulnerabilities in target systems, today's attackers prefer to compromise the software of supposedly trusted third-party providers. The SolarWinds case impressively illustrates that even reputable solutions, widely used and considered safe, can be affected. Attackers can then use such backdoors to install additional malicious code on victims' systems, disguised as a regular software update. On several occasions, IT security tools intended to protect users have even been misused for this purpose.

The fatal flaw: In today's interconnected business environment, nearly all companies rely on partners and suppliers – few can operate entirely without external solutions. Many applications now largely consist of components, libraries, and frameworks that are often freely available on platforms like GitHub. For hackers, these interconnected systems are advantageous; they significantly ease the process of infiltrating external networks. Because so much third-party code is in use, attackers no longer need to find a hole in the firewall. All they need is a flaw in a single third-party component to gain access.

Zero Trust: How to stop attacks on your supply chain

The most effective protection against supply chain attacks is to limit the attack surface. This means companies should only use the solutions and services that they truly cannot do without. Additionally, they must maintain control over how these applications are used in operations at all times. 

There are now established techniques and concepts for this, and the Zero Trust model is considered particularly significant. In principle, networks should not trust anyone – whether internal or external. The golden rule is this: anything not expressly permitted is prohibited. Specifically, this means you must continuously monitor and control all access and activities within your networks. Following the principle of Least Privilege, you should grant authorizations only for specific purposes and only for a limited time.

Zero Trust is ideal for combining with solutions that ensure secure remote connections. This means your employees, partners, and suppliers always have protected access to the resources they need – regardless of their location. Continuous monitoring of all activities in your networks is essential. Solutions like intrusion detection/prevention systems or Security Information and Event Management (SIEM) also play a valuable role. IDS/IPS and SIEM alert users when they detect suspicious anomalies, such as connections to unknown IP addresses, sudden data spikes, or frequent system crashes.
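The two mechanisms described above, a default-deny access check with time-limited grants and the kind of anomaly alerting an IDS or SIEM performs, as an added example that is not part of the original article or of any NCP product. The grant table, allow-listed networks, baseline and connection records are all constructed for the illustration; the detection thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Zero Trust grant table: (user, resource) -> expiry. Anything absent or
# expired is denied. Entries are constructed for the example.
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
GRANTS = {("alice", "orion-server"): NOW + timedelta(hours=2)}

# Constructed allow-list of known internal destinations and an assumed
# per-connection egress baseline; a 10x excess counts as a "data spike".
KNOWN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
BASELINE_BYTES = 5_000_000
SPIKE_FACTOR = 10

# Constructed connection records: timestamp,src,dst,bytes_out
LOG = """\
2024-03-01T10:00:00Z,10.0.5.7,10.0.1.20,120000
2024-03-01T10:05:00Z,10.0.5.7,203.0.113.45,4096
2024-03-01T10:10:00Z,10.0.5.9,192.168.1.8,90000000
"""

@dataclass
class Alert:
    kind: str
    src: str
    dst: str
    detail: str

def is_permitted(user: str, resource: str, at: datetime) -> bool:
    """Default deny: only an explicit, unexpired grant allows access."""
    expiry = GRANTS.get((user, resource))
    return expiry is not None and at < expiry

def is_known_destination(dst: str) -> bool:
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_NETS)

def analyse(log: str) -> list[Alert]:
    """Flag connections to non-allow-listed hosts and egress volume spikes."""
    alerts: list[Alert] = []
    for line in log.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        out = int(nbytes)
        if not is_known_destination(dst):
            alerts.append(Alert("unknown_destination", src, dst, f"{ts}: outbound to {dst}"))
        if out > BASELINE_BYTES * SPIKE_FACTOR:
            alerts.append(Alert("egress_spike", src, dst, f"{ts}: {out} bytes, {out // BASELINE_BYTES}x baseline"))
    return alerts
```

Running `analyse(LOG)` yields one alert for the connection to 203.0.113.45 and one for the 90 MB transfer; a real deployment would feed such alerts into the SIEM rather than a list.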

With the NCP solution portfolio, your organization is well-prepared to defend against sophisticated supply chain attacks. Our management software provides full control and transparency over which users, groups, and applications are permitted to access specific network resources. Learn more about how NCP's Zero Trust effectively safeguards you from supply chain attacks:

The perfect building block for your Zero Trust concept