We have always been warned about cybersecurity in simple phrases, such as beware that your email attachments should be from unfamiliar sources, and do not deliver your data to a fraudulent website, but with the increase in these warnings that undermined the movement of infiltrators, these criminals are looking for the basic resources breakthroughs of our security and not direct penetrationFor us, what if the original devices and programs that you use from their source are chosen?
This malicious and increasing form of piracy is known as the "Supply Chain Atocs", a technique in which the opponent delivers harmful software instructions, or a harmful component, to a reliable part of programs or devices, where attackers or sibers can steal a system The entire distribution of the program to convert any application they sell and any software update they pay, and even the physical equipment they ship to customers; To the Trojan horse (a small blade horse that is carried with a major program of high popular programs, and performs some hidden tasks, and often focuses on weakening the victim's defense forces or penetrating his device and stealing his data), through one resource, meaning that through one intervention In a good position they can create a starting point for supplier customer networks, as they sometimes reach hundreds or even thousands of victims.
For example, instead of hackers penetrating a personal account of an email, they focus on penetrating the mail itself, and in this case any electronic account is created from the beginning.
Nick Weaver, a security researcher at the International Institute of Computer Science at the University of California, Berkeley, says, says Nick Weaver, a security researcher at the International Institute of Computer Science at the University of California, Berkeley, saysIt is natural that we trust in companies that develop our systems and consider every developer of a system capable of protecting its system, especially if it is one of the big names in the world of technology, so the supply chain attacks are frightening, because it is really difficult to deal with it, and because it clarifies how confidence in systems canIt is big to be harmful. "
The world witnessed the danger of the supply chain attacks last December, when it was unveiled that the Russian attackers -who were later assigned to work for the Russian intelligence service;The SVR- they penetrated the famous software company "Solar Winds", and put a harmful code in its information technology management tool known as "Orion", allowing access to up to upTo 18 thousand networks that use this application around the world.
SVR used this penetration of the supply chain as a fate presented to it in the networks of nine American federal agencies, including NASA, the Ministry of Foreign Affairs, the Ministry of Defense and the Ministry of Justice.
The shocking in this penetration is that the attackers hacked the primary part of the system, and put a back door, perhaps years ago, and they could enter and get out of the system whenever they wished without knowing the developed company, which led to the penetration of all the adults of the company, so you do not need to spend the hackersTime and effort to penetrate the defense agency or the Ministry of Foreign Affairs, it suffices to penetrate the source of software for these institutions.
However, as far as the spying on "Solar Windows" was shocking, it was not unique, as the dangerous supply chain attacks hit companies all over the world for years, before Russia's recent campaign.
A penetration was discovered for a software development tool sold by a company called "Codecov" only last month, which gave the attackers to reach hundreds of networks of victims, and a group of Chinese piracy known as "Barium" carried out at least 6 attacks for the supply chainOver the past five years, as the harmful programming instructions in the ASUS computer industry, and in the CCLENARER Cleaner app.
In 2017, Russian infiltrators stole - "Sandworm", known as part of the GRU - MEDOC program "MEDOC" program updates, and used it to pay the destroyed codeSelf -known known as "Notpetya", which ultimately caused $ 10 billion in damage around the world, which was considered the most expensive electronic attack in history.
The supply chain attacks actually appeared for the first time in about 4 decades, when Ken Thompson - one of the UNIX operating system creators - wanted to hide a rear door in the login function to Unit.
Thompson did not just put a piece of malicious code that gave him the ability to log in to any system;He also worked on building an translator (which is a tool for converting the readable source code into an implementable program that can be read automatObviously on the manipulation of the source code for the user translator.
Thomson wrote in a lecture explaining his theory in 1984, saying, "Ethics are clear, you cannot trust in the software instructions that you did not fully do (especially the code from companies that employ optimal people)."
This theoretical trick is a kind of double supply chain attack;The penetration does not spoil only a widely used programming piece, but the tools used to create it as well, as it has since become a realistic fact as well.
In 2015, the hackers distributed a fake version of "XCODE", which is a tool used to build iOS applications, which in turn placed hidden (in a secret way) harmful symbols in dozens of Chinese iPhone applications, as well.This technology appeared again in 2019 when the Chinese parish pirates damaged a version of Microsoft Visual Studio, as they allow them to hide harmful programs in many video games.
These breakthroughs are not directed to the programs themselves, but for the tools that are used in the software industry, and this means that any program created using these tools will be penetrated.
Nick Weaver argues that the increase in the supply chain attacks may be partially due to improving defenses against more primitive attacks, as the hackers had to search for less easy entry points in protection, and the supply chain attacks provide abundant size;Any penetration of one of the software suppliers and you can access hundreds of networks.
Future supply of the future supply attacks will not be easy; As there is no simple way for companies to ensure that the programs and devices you buy are not damaged, it may be difficult, especially the discovery of the attacks of the hardware chain as the deduction materially puts software instructions or harmful ingredients inside a piece of equipment, while a Bloomberg bomb report claiming a Bloomberg bomb report claiming 2018 that small spy chips were hidden inside the SUPERMICRO used in the servers inside the Amazon Data centers and Apple, knowing that all the companies concerned have severely denied the story as the National Security Agency did, but Edward Snowden's secret leaks revealed The National Security Agency itself has stolen shipments from Cisco routers and entered them in the background doors for its own hypocrisy.
Bo Woods, one of the senior advisers of the Cyber Security and Infrastructure Security Agency, says that the solution to the supply chain attacks - for both programs and devices - may not be technical as much as it is organizational, as government companies and agencies need to know, examine and examine the suppliers of programs and devices and compel them with certain criteria,This transformation is compared to the way companies such as Toyota seek to control their supply chains, reduce them to ensure reliability, and the same thing must now be done for cybersecurity.
"They look to simplify the supply chain," Woods added. "Less number of suppliers and high -quality spare parts of these suppliers," added.
The CEO of Cyber Security issued by the White House to US President Joe Biden earlier this month may help set new safety standards for any company that wants to sell programs to federal agencies, but the examination itself is necessary throughout the private sector.Woods says that private companies, such as federal agencies, should not expect to end the supply chain penetration epidemic any time soon.
Ken Thompson may have been right in 1984 when he wrote that you could not trust any code you did not write yourself.But confidence in the software instructions from the suppliers you trust - and you examined it - may be the second best thing.
