What Just Happened?!

Millions invested in the latest security technologies? Check.

Your team trained on information security best practices? Check.

Passed a third-party review of your security architecture? Check.

So, how the hell were hundreds of your servers’ hard drives just destroyed by malware within minutes?! That’s exactly what your CEO, your Board and your investors all want to know. Now. (You have some time before the press start calling.)

I’m sure this is how a number of Chief Information Security Officers (CISOs) felt when their companies were impacted by the Nyetya/NotPetya malware attack in June. (The Nyetya attack only took 3.5 hours from beginning to end.) And I’d wager a similar sense of dread was felt when a backdoor was discovered in a certain version of the popular CCleaner utility. Luckily, there have been no known attacks resulting from the CCleaner compromise as of the time of this writing.

Despite the different outcomes, both attacks are examples of an effective and insidious type of attack known as a supply chain attack.

The Supply Chain Attack

Supply chain attacks focus on exploiting trust. A threat actor compromises one or more components of a trusted development or delivery process. Such an attack could manifest itself through counterfeit chips used, say, in the production of computer or networking hardware. Or, the attack could introduce compromised code into a trusted software application, as was done in both the Nyetya and CCleaner attacks. Many scenarios and methods are possible, but the net of it is this: these attacks use trusted channels to infiltrate their targets.

Who Conducts These Attacks and Why?

I need to be clear about something from the outset: Attribution is hard. There are many ways that attackers can cover their tracks and misdirect investigators. That being said, there are characteristics that can indicate different types of threat actors, such as nation-states or organized crime. Certain threat actors may even re-use unique styles of code. Regardless, attribution is very difficult, nuanced work, and a margin of error must always be considered.

Consider that supply chain attacks are sophisticated. The stereotypical kid in the basement isn’t going to pull this off. Supply chain attacks require ample time for target reconnaissance to identify that weak link and then to infiltrate the target’s environment. They require skilled coders to develop an attack that mimics the target’s processes and to remain undetected. With those steps complete, the attacker can then focus on the exploitation of the ultimate, intended target. This entire process requires significant funding, skill, and patience. What kind of threat actor do you think can meet all of these requirements?

As for motives, they vary, but we can put political and economic motivators at the top of the list. Nyetya had the characteristics of making a political, if not psychological, statement, while the motivation for the CCleaner exploit could be interpreted as having been driven by economic factors. Determining the motives of an attacker is even harder than determining attribution. But the very fact that the former attack was so “loud” and the latter so “quiet” indicates that the attackers were after very different outcomes.

What You Can Do

Trust, but verify.

You have to realize that it’s the bad guys’ job to come up with ways to carry out their mission such that you’ll never see them coming. Exploiting trust is very powerful. Whether you are the end customer or have a place in a supply chain, ask your vendors/partners how they secure their supply chains. Ask them about their development practices and their internal security controls. How do they roll out patches and updates to their internal systems, and how often? How do they segment and secure their development, QA, and production environments? How do they vet their partners and vendors?

And be sure to ask all of these questions of your own organization, or you could find that it’s your organization that is the weakest link in the supply chain.
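The “trust, but verify” step can be made concrete at the point where a software update enters your environment. The following is an added example written for this post, not Cisco’s code and not any vendor’s update mechanism: it accepts an artifact only if the release manifest it arrives with authenticates under a key pinned out of band, and the artifact’s SHA-256 digest matches that manifest. The key, the manifest, and the installer bytes are all constructed sample data, and the HMAC tag stands in for the asymmetric code signature a real vendor would use.

```python
"""Integrity gate for a software update before it is installed.

Added example (not the post's or Cisco's code). Models the "trust, but verify"
step for a delivery channel: an update is accepted only if (1) the release
manifest authenticates under a key obtained out of band, and (2) the artifact's
SHA-256 digest matches the manifest entry. All data below is constructed.
"""
import hashlib
import hmac
import json

# Key obtained out of band and pinned locally (constructed value). A real
# deployment pins the vendor's code-signing public key instead; HMAC is used
# here only so the example runs with the standard library alone.
PINNED_MANIFEST_KEY = b"constructed-example-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Stand-in for the vendor's release-signing step (HMAC over canonical JSON)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def check_update(name: str, data: bytes, manifest: dict, tag: str, key: bytes) -> str:
    """Return 'ok' or the reason the update must be rejected.

    Order matters: the manifest is authenticated before any of its digests are
    trusted, otherwise an attacker who controls the download server could simply
    rewrite the manifest to match a tampered file.
    """
    if not manifest_is_authentic(manifest, tag, key):
        return "reject: manifest not authentic"
    expected = manifest.get(name)
    if expected is None:
        return "reject: artifact not in manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "reject: digest mismatch"
    return "ok"


# --- constructed sample data (not real vendor artifacts) --------------------
GENUINE_INSTALLER = b"EXAMPLE-INSTALLER v1.2.3 genuine payload bytes"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b" ;; injected stage"  # altered after release

RELEASE_MANIFEST = {"tool-setup.exe": sha256_hex(GENUINE_INSTALLER)}
RELEASE_TAG = sign_manifest(RELEASE_MANIFEST, PINNED_MANIFEST_KEY)

# A forged manifest that matches the tampered file but is tagged with the wrong key.
FORGED_MANIFEST = {"tool-setup.exe": sha256_hex(TAMPERED_INSTALLER)}
FORGED_TAG = sign_manifest(FORGED_MANIFEST, b"attacker-does-not-have-the-key")


def demo() -> dict:
    """Run the gate over the four situations a deployment pipeline should distinguish."""
    k = PINNED_MANIFEST_KEY
    return {
        "genuine": check_update("tool-setup.exe", GENUINE_INSTALLER, RELEASE_MANIFEST, RELEASE_TAG, k),
        "tampered_file": check_update("tool-setup.exe", TAMPERED_INSTALLER, RELEASE_MANIFEST, RELEASE_TAG, k),
        "forged_manifest": check_update("tool-setup.exe", TAMPERED_INSTALLER, FORGED_MANIFEST, FORGED_TAG, k),
        "unlisted": check_update("other.msi", GENUINE_INSTALLER, RELEASE_MANIFEST, RELEASE_TAG, k),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} -> {verdict}")
```

A check like this closes the delivery channel, which is where a tampered-in-transit update is caught. It does not help when the compromise sits upstream of the signing step, as with a backdoor that is built and signed by the vendor’s own pipeline; that is exactly why the questions above about a vendor’s development practices, environment segmentation, and internal controls matter as much as the integrity check itself.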

Can Cisco Help Me?

Of course!

Our Cisco Security Services team can provide a wide range of services from architectural review, design, and deployment, to security operations management, incident response, and more to ensure that your organization has the technology, training, and processes in place.

Our Cisco Security technology portfolio, powered by the Cisco Talos threat intelligence research team, helps provide detection and protection capabilities across many attack vectors through email, web, network, endpoints, and more.

Supply chain attacks are an effective method for advanced adversaries, true, but you don’t have to face them on your own. Get in touch and let’s talk about how Cisco can help.


Marc Blackmer

Product Manager, Engineering

IoT Product Mgmt Networking