Systemic Software Risk in the Enterprise Supply Chain, Part 1

About this Series of Three Blog Posts

In July 2020 the Atlantic Council, a highly-respected international affairs leadership institute based in Washington, DC, published a wide-ranging, evidence-based report titled “Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain” from its Scowcroft Center for Strategy and Security’s Cyber Statecraft Initiative. The report provides vital information on threats and priority focus areas for cyber security investments for both governments and business. This blog post series takes a detailed look at several specific implications of the report’s data and analysis.   

In the words of Trey Herr, director of the Cyber State Initiative, here are the pillars of their research:


Blog Post 1: The Scope of the Problem

The report begins with “A Supply Chain Story,” describing a 2017 hybrid cyberattack that used a fake software update notice to install a trojan, combined with usernames and passwords stolen in an earlier phishing attack, to put the attackers in a position to shut down the energy grid for a third of the US. This was part of the extensive DragonFly 2.0 campaign that targeted 20 energy sector firms in the US and Europe.

As the Executive Summary states, “society has a software problem… Our watches now have Internet connections, combat aircraft come with more code than computer operating systems, and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve their customers. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, the behavior of automotive brake pedals, and planetary scale datasets.”

The fact is, software has flaws, and every new piece of code contains new defects and vulnerabilities—even the patches and updates used to fix previously-identified issues. The software supply chain for virtually every organization contains both vendor and open-source code. The report cites the example of Trek Networks, a US company whose software enables IoT devices to communicate over the Internet. 19 critical vulnerabilities in Trek’s software identified in early 2020 propagated automatically to 12+ major OEMs including Intel and Caterpillar with potential impact on 100s of millions of devices. Moreover, recent surveys show that 90%+ of enterprise IT projects utilize open source software, where identifying and patching vulnerabilities is largely a best-efforts activity. The increase of outsourcing to MSPs and cloud providers magnifies this risk, as attacks targeting these service providers leak through to their clients’ systems.

The public sector is at even greater risk, especially in the defense and telecommunications sectors. US government initiatives around Commercial Off-the Shelf (COTS) software and hardware (with firmware) provide significant cost and time to market advantages, but also introduce supply chain attack points with potentially catastrophic consequences. For instance, in a 2017 incident, malicious code modules with modified installation scripts snuck into the official Python repository, PyPI, and were not discovered for three months. Open architecture and network function virtualization trends in 5G telecommunications further expand the software supply chain attack surface. These types of attacks can be highly effective and create widespread impacts, and have become a favorite of state actors.

The research team evaluated 115 supply chain attacks and vulnerability disclosures that occurred  over the last 10 years and identified 5 trends:

  1.     Deep impact from state actors
  2.     Hijacking updates, as in “A Supply Chain Story”
  3.     Undermining code signing
  4.     Open-source compromise
  5.     App Store attacks.

 Three of these, (1), (2), and (4), are particularly associated with remote code execution, which correlates strongly with the most dangerous software vulnerability as ranked by MITRE in late 2019, memory compromise.

  1.     State Actors

 The majority of these attacks, which made up over 25% of the dataset, either did, or could have resulted in, remote code execution. Examples include CCleaner, NotPetya, Kindslayer, SimDisk, and ShadowPad. State actors were the most likely to use attack vector (2) as part of sustained, long-term campaigns.

  1.     Hijacking Updates

Using stolen or forged certificates, sophisticated actors (generally states or criminals) use apparently legitimate updates and patches to carry malware to targets. The advanced malware often contains components that enable it to spread from the infected machine either along networks or in hardware, with wide-ranging damage including malicious encryption, data exfiltration, and physical system compromise. Examples: Stuxnet, CCleaner 1 and 2, NotPetya, Adobe pwdum7v71, Webmin, and PlugX.

  1.     Open-Source Compromise

Currently used mostly by criminals, these attacks either modify open-source code by gaining access or posting malicious counterfeits with names similar to commonly-used ones. Generally targeted to steal victim’s data or payment information, these are usually discovered quickly. Examples: Cdorked/Darkleech, RubyGems Backdoor, HackTask, Colourama, JavaScript 2018 Backdoor, and 2017 PyPI repository attack.

The report concludes that software supply chain attacks are now “popular and impactful.”They increase both the consequence and the perception of consequence for a breach, sowing distrust in widely-used open source projects and commercial offerings. They are also capable of penetrating deep into an organization’s tech stack, wreaking havoc with dev, admin, and networking tools, code signing, and even device firmware. The authors urge both governments and private organizations to raise the priority of and investment in policies, controls, and technologies specifically focused on software supply chain security.

We heard from Will Loomis, the researcher and author of the Breaking Trust article:



Podcast Teaser

Our CEO, Joe Saunders, hosted the Cyber Statecraft Initiative team for a podcast recording recently and the episode will air on our podcast called,  Lessons from the School of Cyber Hard Knocks. We would like to thank Trey Herr, Simon Handler, Safa Shawhan Edwards, and Will Loomis for their tremendous work.