Share this page!

Cyber Statecraft Profile picture
Twitter logo
17 Dec, 18 tweets, 14 min read
THREAD | A groundbreaking espionage operation targeting USG, the #Sunburst incident was also software supply chain compromise similar to 31 attacks observed since 2010. Using our Breaking Trust report @Cyberstatecraft walks through the incident. 1/16

atlanticcouncil.org/in-depth-resea…
COMPROMISE BUILD: Malicious code inserted into a SolarWinds software library compromised the Orion software in development. Here, we track the compromise along a visualization of 115 software supply chain attacks and vulnerability disclosures since 2010. 2/16
Direct comparisons to 2015 Kingslayer, 2017 NotPetya, and 2018 Webmin, where attackers went stealth, seeding malware into administrative and security tools later distributed through trusted update channels. 3/16

comsecglobal.com/kingslayer-a-s…
It needs to be costlier to develop and deploy compromised software like this. The NSA, CISA, and industry partners should develop a software supply chain maturity model to assess performance of current and potential vendors. 4/16

See more here: bit.ly/3r4nBRZ
HIJACKED UPDATE: The malicious code was packaged with the Orion software and signed with a legitimate certificate by SolarWinds, ready for customers to download. 5/16
Since 2010, there have been at least 31 distinct attacks targeting updates in the software supply chain, of which 17 compromised build servers or altered code. Of those, more than half were attributed to state affiliated groups. 6/16

See report data set: bit.ly/3mtVzvq
Software security needs to be equally about secure design and secure deployment. @NIST should lead, w/industry partnership, the development of a software lifecycle security overlay that builds on existing frameworks and controls and unifies them. 7/16
Developers don’t need new security controls; they need existing controls to be automated and made easier to implement. If your best practices and standards fit into a developer’s workflow 🥳 If they come via PDF or a color-coded spreadsheet 😱 8/16
PULLED UPDATE: SolarWinds customers downloaded the compromised update, which then patiently waited, hidden, for up to 2 weeks. 9/16
Compromised software updates are especially pernicious because users believe they can trust updates and fixes. If attackers have hidden their malware effectively, as in the 2017 ShadowPad incident, targets are unlikely to dig deeper. 10/16
.@NIST should work w/concerned agencies/cloud providers to push adoption of a software supply chain overlay in critical infrastructure. Securing software won’t help if we ignore the challenges of secure deployment throughout the lifecycle, esp across Operational Technology. 11/16
INITIAL FOOTHOLD: Following an approx. 2-week dormancy, the Sunburst malware reached out - disguised as legitimate Orion network traffic - to a set of shifting command and control servers and, on certain targets, downloaded additional malware. 12/16

fireeye.com/blog/threat-re…
Supply chain exploits expose large # of machines which are used to find valuable targets. #Sunburst hit ~18k orgs but attackers likely exploited far fewer. Similarly, ShadowHammer in 2019 targeted ASUS and hit 500k laptops but exploited just 600. 13/16

vice.com/en/article/pan…
SolarWinds is a global company so this compromise may be used to target clients in Asia and Europe. We propose that US IC & InfoSec build on collaboration with partners like UK’s NCSC to share data & coordinate for joint policy responses. 14/16

Report: bit.ly/37p4yKi
Society has a software problem. The #Sunburst compromise shows the challenge of asserting & transferring trust throughout the software supply chain. This is not likely to improve quickly. The last 10 years have seen >115 software supply chain attacks or disclosures. 15/16
Change can happen but must be systematic, treat industry/government as equal partners, & recognize that this kind of risk will forever be managed, never eliminated. We laid out a few ideas but there’s more to come & many more people to hear from. 16/16

atlanticcouncil.org/breaking-trust/
For more infosec goodness and on point analysis as #Sunburst unfolds, look to these awesome people– @C_C_Krebs @Bing_Chris @KimZetter @ItsReallyNick @jfslowik @likethecoins @MalwareJake @nickdothutton @dnvolz @Joseph_Marks_ @snlyngaas @SteveBellovin @razhael 1/2
@BuchananBen @Jason_Healey @alexstamos @RobertMLee @allanfriedman @HostileSpectrum @eborghard @jcherz @beauwoods @brysonbort @wendynather @campuscodi @hacks4pancakes @MSTIC @FireEye 2/2

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Cyber Statecraft

Cyber Statecraft Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @CyberStatecraft has new unrolls!

Check out other threads from @CyberStatecraft!

Read all threads by @CyberStatecraft