What started as a technique in the cybercriminal underground has become a hallmark of elite-level nation-state hacking groups that have refined it to maximize its impact.

Dark Reading Staff, Dark Reading

February 2, 2021

5 Min Read

It's clear the SolarWinds incident has rocked the infosec community to its core. While there is still much to be uncovered, the public details indicate attackers inserted code into a third-party IT provider’s services, in order to perpetrate intricate attacks against multiple organizations.

This type of incident, commonly referred to as a "supply-chain attack," has been the cornerstone in some of the biggest security incidents of the past decade. As we have seen these attacks grow, a similar pattern of behavior has emerged: what started as a technique in the cybercriminal underground has become a hallmark of elite-level nation-state hacking groups that have refined it to maximize its impact.

There has been a rise in events the past few years where actors aligned with governments are using supply-chain attacks for nation-state-level work. In these instances, third-party IT providers are consistently targeted, serving as a stepping-stone that allows these actors to either sell access to the breached systems or pull data for other parties that have expressed interest.

The most well-known supply-chain attacks of the past decade are now security parables: Russian-linked criminals have attacked ATMs for years with different types of malware. An unidentified hacking group was able to breach a casino through a fish tank that was connected to the internet. A litany of e-commerce sites, from Ticketmaster to British Airways to OXO, had the JavaScript in their third-party payment forms hijacked in order to send credit card information to various criminal groups.

The common thread in these attacks was motivation: it's believed that those attacks were all carried out by financially motivated hackers, looking to take credit card numbers or other payment information.

Criminals aren't only trying to go after payment information in their supply chain attacks. In August 2019, attackers hit a managed service provider (MSP) that worked with local government agencies in 22 Texas towns, launching a ransomware attack that brought city services and financial actions to a halt. That attack was carried out through a version of the MSP's remote access tool, which attackers got access to during a different supply chain attack in June 2019.

As history has shown us, what can be used to make money can also be turned into a geopolitical weapon. The devastating NotPetya attack was launched in part via a supply chain attack, when Ukrainian accounting software MeDoc was breached, resulting in a software update release that was laced with malware being pushed to users. The U.S. government estimated the attack caused $10 billion worth of damage. The act is largely believed to have been conducted by the Russian government.

The NotPetya attack was a watershed moment that has served as the blueprint for how supply chain attacks have become a well-worn tool of those conducting espionage or acting on behalf of a government.

A stark example of this behavior comes from a prolific actor with suspected ties to the Iranian government. In 2019, Intel 471 observed this actor on a popular underground forum advertising access to a wide array of corporate systems: a domain registrar, a ship builder, two large airlines, financial institutions, a media broadcaster, international oil and gas companies, a global online trading platform, cybersecurity companies, a U.S. enterprise information management company and a U.S. cable and satellite TV company.

The actor boasted that he obtained this access by finding it when they used a password-spraying technique against large numbers of Office 365 and Citrix account interfaces. They also claimed to obtain access via RDP, and in web-based exploits, bypassing antivirus detection and exploiting already compromised email accounts that lack two-factor authentication. From there the actor pulled valuable data on future targets

The tactics, techniques and procedures used by this actor links them to the Mabna Institute, an Iranian government contractor that has been responsible for coordinated attack campaigns since 2013. 

Another alleged government-linked group started taking advantage of supply chain attacks even before NotPetya. In 2017, there were several incidents targeting ATMs across South Korea, after two software vendors were compromised. The malware eventually allowed the perpetrators to gain access to 2,500 accounts at a major international bank, which were then used for an unspecified number of fraudulent transfers. Intel 471 found that actors possibly linked to North Korea found a way to manipulate the companies’ antivirus update server that allowed them to upload a remote access trojan (RAT) to the compromised ATM machines.

There are numerous reasons why governments have either copied or outsourced these tactics, techniques, and procedures (TTPs).

Allowing cybercriminals to operate with their own skills and tools allows governments to save money in training and development, leveraging capabilities and a "workforce" they don't have to build themselves. But a key asset is also the ability to "hide in the noise" created by cybercriminals and the marketplaces they frequently use. If the TTPs of a supply chain attack bear the hallmarks of financially motivated actors, governments are given an extra layer of protection, plausible deniability and obfuscation from being labeled as responsible for a particular incident.

While the SolarWinds incident will be pored over in the months to come, it is only one in a growing list of incidents that show that not only are supply-chain attacks a common practice, they are effective for both financially motivated criminals and government-backed campaigns alike. The ability to shield true motive should force all enterprises to closely examine their relationships with every third-party business they work with, including efforts to fold it into their security and risk mitigation strategies.

Intel 471 is the premier provider of cybercrime intelligence for leading intelligence, security and fraud teams. Our adversary intelligence is focused on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate and plan cyber-attacks. Our malware intelligence leverages our adversary intelligence and underground capabilities to provide timely data and context on malware and adversary infrastructure. Our pedigree is unmatched - built on experience from operating in the intelligence services, military, law-enforcement and private companies across the globe.  

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights