In this article we will review what supply chain attacks are, how they evolved, and how we ended up with SUNBURST, a supply chain attack that trojanized the widely used SolarWinds Orion monitoring platform. We will also discuss how this advanced adversary evaded common detection capabilities, and how you can determine whether you have been affected by this attack. Finally, we offer some recommendations on how to deal with these types of attacks in the future, using well-established principles and available technologies.
Supply chain attacks—attacks against the supply or value chain of an organization in order to gain access to a downstream target—often sound like the targeted attacks against government agencies that only happen in Hollywood movies. In reality, while these attacks involve a high degree of planning and sophistication, they have a devastating real-world impact on every organization within the blast radius of the original compromise, as the recent SolarWinds attacks show.
In general, we differentiate between two major types of attacks focusing on an organization’s supply or value chain.
“Island hopping” attacks target potentially vulnerable partners or other elements of the value chain that hold privileged access to the actual target network. Named after the island hopping strategy of the United States in the Pacific campaign of WW2, this type of attack may chain together several vulnerable elements before reaching the actual target. We have seen such attacks against prominent targets in the retail industry, where a supplier served as the initial entry point, and in similar forms across plenty of other industries.
“Supply chain” attacks are slightly different, as they seek to exploit the trust relationship established from legitimate products used in normal business ..