The ‘SolarWinds’ Hacks Show Supply Chain Attacks Are Business as Usual

Over the weekend, Reuters reported that foreign government hackers breached the U.S. Treasury Department. Soon after, more details of the hack came out, and it turned out that the government agency was just one of at least 18,000 networks infiltrated by alleged Russian government hackers, who used a poisoned software update from the IT management system SolarWinds to get into the victim's systems. 

In other words, this was a classic example of the much-feared supply chain attack, where hackers hit several victims by first infiltrating a third party provider that has access to their customers' networks. 

SolarWinds clients who have been compromised by the hack include the U.S. Department of Homeland Security, the Department of Commerce, and parts of the Department of Defense, according to The New York Times.

The infosec community is still trying to understand the impact of the hack, which has been attributed to the Russian espionage agency SVR, also known as Cozy Bear or APT 29. But for many experts, save for the scope and sophistication of the hacks, this is business as usual. 

The Grugq, a well-known cybersecurity expert and commentator, told me that "this isn’t a first!"

In a series of tweets, he argued that the technique and strategies behind the intrusions are nothing new. 

"What exactly is new in the SolarWinds attack, at a conceptual level? A nation state targeting specific entities? Malicious updates?" The Grugq asked rhetorically. "It is interesting. But on its own merits, rather than novelty. Lots of stealth and clever targeting. Indicative of the trend for these types of state level attacks. Supply side is becoming mainstream."

Indeed, there's always been supply chain attacks. Just in the last few years, researchers found that hackers had hijacked legitimate ASUS software updates to push malware to their victims, a group of Chinese hackers have performed successful supply chain hacks against six different companies, and government spies hacked 2.2 million users by making them install an infected version of the popular Windows system organization tool CCleaner.  

And, of course, the biggest supply chain attack of them may very well be the so-called NotPetya incident of 2016. That time, Russian government hackers from a group known as Sandworm, believed to be part of Unit 74455 of the Russian Main Intelligence Directorate, better known as GRU, caused millions of dollars in damages by pushing a malicious update of a very popular piece of Ukrainian accounting software to companies around the globe by infecting their systems with malware that looked like ransomware—but was actually designed to just destroy their systems. 

Heck, there’s even an infosec rap song by Brandon Edwards that includes the verse “track back merchants of software they purchased, and back door that upstream if it’s worth it.”

Cybersecurity experts all agree NotPetya was a watershed moment: Government hackers using apparent ransomware to indiscriminately destroy systems all over the world. 

In the case of the SoladWinds attacks, as impressive as the scope and the hackers' techniques are, it's just good ol' computer espionage. 

Thomas Rid, a well-known academic and national security expert who recently wrote Active Measures, a book on the history of Russian intelligence disinformation campaigns, told Motherboard in an online chat that these breaches are "big, clever, but more of the same."

Ivan Arce, a veteran of the infosec scene and the CTO of Quarkslab, said that the SolarWinds hacks are "boring" and not "out of the ordinary" even though the way hackers used tools and architected their operation is interesting from a technical standpoint. 

"It's pretty boring. Everyone is losing their minds because they forget that DHS and State get hacked on the regular," Matt Tait, a cybersecurity expert who used to work for the British spy agency GCHQ, told Motherboard in an online chat. 

"At the end of the day, it's just another hack. Nothing particularly stands out as novel in it," Tait said. "There's hundreds of companies whose product auto updates and sits as admin on IT networks, and until we find a way to deprivilege them and get that number under control, this will just be a semi regular occurrence." 

Dmitri Alperovitch, the co-founder and former CTO of CrowdStrike, the company that investigated the DNC hack in 2016, said on Twitter that this is not the first time that Russian government hackers breach US government agencies.

"Last time during the big campaign of 2014-2015, SVR had successfully compromised networks of White House, State Department and the Joint Chiefs of Staff," he wrote. "And that was via simple phishing. They didn't have a nifty backdoor in one of the most popular IT [management] software around…" 

Then, the big takeaway here is that supply chain hacks are here to stay because companies and organizations defenses have gotten better, forcing hackers to target third parties. 

"As defenders get better offense has to [do the same], which is a win," Robert Lee, a former NSA analyst and the founder of the cybersecurity infrastructure startup Dragos. " It makes it more improbable for other players. So even though it feels 'offense' keeps up with defense. It’s less teams that can."

Also, while it may seem that the hack of SolarWinds and their thousands of customers is a warning against updates, supply chain hacks like these are still the exception. Patching regularly and updating all software remains and will always be the right advice.