Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:00 AM
Intel 471
Intel 471
Sponsored Article

Nation-States and Their Supply-Chain Attack Strategy

What started as a technique in the cybercriminal underground has become a hallmark of elite-level nation-state hacking groups that have refined it to maximize its impact.

It's clear the SolarWinds incident has rocked the infosec community to its core. While there is still much to be uncovered, the public details indicate attackers inserted code into a third-party IT provider’s services, in order to perpetrate intricate attacks against multiple organizations.

This type of incident, commonly referred to as a "supply-chain attack," has been the cornerstone in some of the biggest security incidents of the past decade. As we have seen these attacks grow, a similar pattern of behavior has emerged: what started as a technique in the cybercriminal underground has become a hallmark of elite-level nation-state hacking groups that have refined it to maximize its impact.

There has been a rise in events the past few years where actors aligned with governments are using supply-chain attacks for nation-state-level work. In these instances, third-party IT providers are consistently targeted, serving as a stepping-stone that allows these actors to either sell access to the breached systems or pull data for other parties that have expressed interest.

The most well-known supply-chain attacks of the past decade are now security parables: Russian-linked criminals have attacked ATMs for years with different types of malware. An unidentified hacking group was able to breach a casino through a fish tank that was connected to the internet. A litany of e-commerce sites, from Ticketmaster to British Airways to OXO, had the JavaScript in their third-party payment forms hijacked in order to send credit card information to various criminal groups.

The common thread in these attacks was motivation: it's believed that those attacks were all carried out by financially motivated hackers, looking to take credit card numbers or other payment information.

Criminals aren't only trying to go after payment information in their supply chain attacks. In August 2019, attackers hit a managed service provider (MSP) that worked with local government agencies in 22 Texas towns, launching a ransomware attack that brought city services and financial actions to a halt. That attack was carried out through a version of the MSP's remote access tool, which attackers got access to during a different supply chain attack in June 2019.

As history has shown us, what can be used to make money can also be turned into a geopolitical weapon. The devastating NotPetya attack was launched in part via a supply chain attack, when Ukrainian accounting software MeDoc was breached, resulting in a software update release that was laced with malware being pushed to users. The U.S. government estimated the attack caused $10 billion worth of damage. The act is largely believed to have been conducted by the Russian government.

The NotPetya attack was a watershed moment that has served as the blueprint for how supply chain attacks have become a well-worn tool of those conducting espionage or acting on behalf of a government.

A stark example of this behavior comes from a prolific actor with suspected ties to the Iranian government. In 2019, Intel 471 observed this actor on a popular underground forum advertising access to a wide array of corporate systems: a domain registrar, a ship builder, two large airlines, financial institutions, a media broadcaster, international oil and gas companies, a global online trading platform, cybersecurity companies, a U.S. enterprise information management company and a U.S. cable and satellite TV company.

The actor boasted that he obtained this access by finding it when they used a password-spraying technique against large numbers of Office 365 and Citrix account interfaces. They also claimed to obtain access via RDP, and in web-based exploits, bypassing antivirus detection and exploiting already compromised email accounts that lack two-factor authentication. From there the actor pulled valuable data on future targets

The tactics, techniques and procedures used by this actor links them to the Mabna Institute, an Iranian government contractor that has been responsible for coordinated attack campaigns since 2013. 

Another alleged government-linked group started taking advantage of supply chain attacks even before NotPetya. In 2017, there were several incidents targeting ATMs across South Korea, after two software vendors were compromised. The malware eventually allowed the perpetrators to gain access to 2,500 accounts at a major international bank, which were then used for an unspecified number of fraudulent transfers. Intel 471 found that actors possibly linked to North Korea found a way to manipulate the companies’ antivirus update server that allowed them to upload a remote access trojan (RAT) to the compromised ATM machines.

There are numerous reasons why governments have either copied or outsourced these tactics, techniques, and procedures (TTPs).

Allowing cybercriminals to operate with their own skills and tools allows governments to save money in training and development, leveraging capabilities and a "workforce" they don't have to build themselves. But a key asset is also the ability to "hide in the noise" created by cybercriminals and the marketplaces they frequently use. If the TTPs of a supply chain attack bear the hallmarks of financially motivated actors, governments are given an extra layer of protection, plausible deniability and obfuscation from being labeled as responsible for a particular incident.

While the SolarWinds incident will be pored over in the months to come, it is only one in a growing list of incidents that show that not only are supply-chain attacks a common practice, they are effective for both financially motivated criminals and government-backed campaigns alike. The ability to shield true motive should force all enterprises to closely examine their relationships with every third-party business they work with, including efforts to fold it into their security and risk mitigation strategies.

Intel 471 is the premier provider of cybercrime intelligence for leading intelligence, security and fraud teams. Our adversary intelligence is focused on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate and plan cyber-attacks. Our malware intelligence leverages our adversary intelligence and underground capabilities to provide timely data and context on malware and adversary infrastructure. Our pedigree is unmatched - built on experience from operating in the intelligence services, military, law-enforcement and private companies across the globe.  

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel i...
PUBLISHED: 2021-05-06
A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbi...
PUBLISHED: 2021-05-06
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
PUBLISHED: 2021-05-06
The administrator application on ASUS GT-AC2900 devices before allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_chec...
PUBLISHED: 2021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.