The “Big Hack” That Actually Happened - Chinese Military Implicated in Equifax Breach

February 11, 2020 By Matt Howard

In October 2018, Bloomberg published an article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” that sent shockwaves around the world. The implication: Chinese spies infiltrated nearly 30 U.S. companies by embedding malicious microchips in Supermicro motherboards. The motherboards, which were presumed to be of the highest quality, were used inside U.S. data centers -- which then afforded bad actors easy access to massive amounts of sensitive information. The article noted this was “the most significant supply chain attack known to have been carried out against American companies.” The implications of this hack captured global attention across every corner of the tech industry. No one was safe.

But as the dust settled, most of the companies mentioned in the article vehemently denied its claims. Apple even wrote a letter to Congress, saying the story was “simply wrong.” Both the U.K. National Cyber Security Center and U.S. Homeland Security said they believe Apple and Amazon are telling the truth -- and that the alleged Supermicro hack never happened. Was the biggest physical supply chain attack in history a hoax? We may never know.

What we do know, however, is that members of the Chinese People’s Liberation Army have now been indicted for conducting the biggest software supply chain attack in history. Specifically, an attack that exploited a vulnerable open source component at Equifax and stole the personal information of over 145 million people. And yet, the world still isn’t talking enough about the importance of software supply chain hygiene.

Maybe Bloomberg should rewrite its story.

What You Need to Know About the Real “Big Hack”

Software supply chain attacks and exploit efforts aimed at open source projects are happening in the wild at an alarming rate. We’ve been given many wake-up calls. Yesterday’s news that Chinese military hackers have been indicted for breaching Equifax is just the latest.

While the Supermicro story caused such shock and awe, much of the world still hasn’t recognized the scary truth: it’s much easier for bad actors to infiltrate and hack a software supply chain than a physical one.

This is illustrated first and foremost by the fact that Equifax was not the only target. Within 24 hours of the Apache disclosure, hackers attempted to exploit the Struts vulnerability elsewhere, including the US DoD. According to David Hogue, a senior technical director for the NSA’s Cybersecurity Threat Operations Center (NCTOC), "We had a nation-state actor within 24 hours scanning for unpatched [Struts] servers within the DoD." Other breaches were recorded at Alaska Airlines, the Canada Revenue Agency, Okinawa Power, the Japanese Post, the India Post, AADHAAR (India’s social security system), and the GMO Payment Gateway, to name a few.

Independent of today’s news, one detail that warrants special attention is this question: what actually happened at Equifax during the three days between the Apache Struts vulnerability being disclosed on March 7th and the initial breach on March 10th?

Adversaries have changed their approach to find more efficient attack vectors, and the speed at which they’re able to infiltrate applications directly is astounding. The time required for hackers to exploit a newly disclosed open source vulnerability has shrunk by 93.5% in the last decade. This harsh reality establishes a new normal for software supply chain threats and demands that organizations be prepared to do three things within 48 hours of a new public disclosure:

  • Assess which, if any, of their production applications are exploitable
  • Establish a comprehensive plan to remediate potential exposure
  • Implement necessary fixes in production

Despite what should be a general understanding, in the year following the Equifax breach, 57% of the Fortune 100 were still using the same faulty software component that enabled the hack. And too many organizations continue to invest in perimeter and network security rather than application security, even though in 2019, two years after the initial breach, 1 in 4 companies confirmed or suspected they had a breach due to an open source vulnerability.

Furthermore, true malicious attacks on the supply chain are happening more and more often. Adversaries are now directly injecting vulnerabilities into open source ecosystems and projects. In some cases, these compromised components have been subsequently and unwittingly used by software developers to assemble applications. These compromised applications, which are assumed to be safe, are then made available for use by consumers and businesses alike. The risk is significant -- and it is unknown to everyone except the person who intentionally planted the compromised component inside of the software supply chain.

If businesses fail to practice proper software supply chain governance, they expose themselves and their customers to significant risk. As these new revelations show, this can include infiltration from nation-state actors.

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.