If 2021 was the year of ransomware, 2022 may become the year of software supply chain attacks. The prevalence of supply chain attacks has skyrocketed, with several high-profile strikes such as SolarWinds and Kaseya making headlines. Because of the nature of these intrusions, they didn’t just impact those major companies, they also hit thousands of related organizations in both government and the private sector. But while these hits might be making more headlines, software supply chain attacks are nothing new.
The first such attack — or at least the foundation for modern software supply chain hacks — dates back to the early 1980s, when Ken Thompson injected a virus into a compiler. Thompson, a pioneer of computer science and creator of the Unix operating system, did not have malicious intent, but what became known as the Ken Thompson Hack still set the mold for modern cyber criminals and proved just how subversive software attacks could be.
The supply chain dilemma
A central tenet of cybersecurity has always been trust. The goal is to keep untrusted sources out of your networks, while allowing trusted allies the access they need. That’s why software supply chain attacks, where threat actors inject malicious code into what should be a trusted piece of software, are insidious and damaging. The massive SolarWinds attack alone left some 18,000 companies that used their Orion software vulnerable to hackers. This included everyone from the U.S. government to Fortune 500 firms.
Hackers have become savvy to the fact that supply chain attacks can be highly lucrative and are often easier to pull off. In a recent article for Industrial Cybersecurity Pulse, Justin Fier of Darktrace posited that software supply chain attacks will become commonplace in the coming year.
“We predict that in 2022 we will see threat actors embed malicious software throughout the software supply chain, including in proprietary source code, developer repositories, open-source libraries and more,” he wrote.
So why are software supply chain attacks so worrying to cybersecurity experts? They offer hackers more bang for their buck. Why hack one company when you can hit hundreds of companies with a single keystroke? It can also be easier to target the weak link in a chain versus going after a major company like SolarWinds that is well defended and practices solid cyber hygiene.
“The thing about a supply chain attack is the attackers are attacking the weakest party in the link,” said Eric Byres, CTO of aDolus Technology and a leading authority in software supply chain security. “If you’re a large oil company, for example, you could have perfect security, do a fantastic job, but if just one of your suppliers is not holding up their part of the bargain, then you’re going to get attacked.”
The other factor that makes these supply chain hits so attractive to cyber criminals is that few companies have taken steps to guard against them. They might know their own suppliers, but do they know who their suppliers’ suppliers are? Few, if any, pieces of software are made entirely in-house. They’re cobbled together using components from various sources. If just one of those sources has weak cybersecurity, that can open even the biggest companies up to risk.
“Honestly, supply chain risk has generally been just right off the radar,” Byres said. “The manufacturers of industrial equipment will tend to have a little bit more of a supply chain management plan, but usually it’s only one layer down. They know who they buy from, but they really don’t know who those suppliers buy from or where they get components. I know this firsthand because when I was working for Tofino, we sold Tofino [Firewalls] to all sorts of companies like Honeywell and Caterpillar and Schneider. And they knew they were buying from us, but they didn’t know what components we bought and put into those firewalls. And we didn’t know further down the chain.
“So the honest and sad answer is, until recently, supply chain management just was nonexistent in the software space. And this is a real game of catch-up going on right now.”
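The “one layer down” gap Byres describes is a graph problem: a buyer’s direct supplier list is only the first tier, and the components that actually ship arrive through several tiers, sometimes by more than one route. The following is an added example, not code from the article or from any vendor named in it; the component graph and supplier names are constructed, and the tiering rule (1 = bought directly, 2 = a supplier’s supplier, and so on) is this example’s own convention.

```python
from collections import deque

# Constructed component graph (made-up names, not any real vendor's product):
# product or component -> the components it is built from.
BUILT_FROM = {
    "plant-hmi": ["net-fw", "db-engine"],
    "net-fw": ["tcp-stack", "crypto-lib"],
    "db-engine": ["crypto-lib", "parser-lib"],
    "tcp-stack": [],
    "crypto-lib": ["bignum-lib"],
    "parser-lib": [],
    "bignum-lib": [],
}

# Constructed mapping of each component to the party that supplies it.
SUPPLIER = {
    "net-fw": "firewall-vendor",
    "db-engine": "database-vendor",
    "tcp-stack": "embedded-os-vendor",
    "crypto-lib": "crypto-maintainer",
    "parser-lib": "parser-maintainer",
    "bignum-lib": "bignum-maintainer",
}


def component_tiers(product: str) -> dict:
    """Breadth-first walk from the product: every reachable component mapped to
    its shallowest tier. A visited set keeps cycles and shared components from
    being counted twice."""
    tiers = {}
    queue = deque((comp, 1) for comp in BUILT_FROM.get(product, []))
    while queue:
        comp, tier = queue.popleft()
        if comp in tiers:
            continue
        tiers[comp] = tier
        queue.extend((dep, tier + 1) for dep in BUILT_FROM.get(comp, []))
    return tiers


def unknown_suppliers(product: str) -> set:
    """Suppliers the buyer has no direct relationship with: everyone behind a
    tier-2 or deeper component. These are the parties a one-layer supplier
    management plan never sees."""
    return {SUPPLIER[c] for c, tier in component_tiers(product).items() if tier >= 2}


def reached_via(product: str, target: str) -> set:
    """Which tier-1 components carry `target` into the product. One weak
    upstream component can arrive through several independent suppliers."""
    routes = set()
    for first in BUILT_FROM.get(product, []):
        stack, seen = [first], set()
        while stack:
            comp = stack.pop()
            if comp in seen:
                continue
            seen.add(comp)
            stack.extend(BUILT_FROM.get(comp, []))
        if target in seen:
            routes.add(first)
    return routes


if __name__ == "__main__":
    tiers = component_tiers("plant-hmi")
    print(f"direct components: {len(BUILT_FROM['plant-hmi'])}, "
          f"components actually shipped: {len(tiers)}")
    for comp, tier in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"  tier {tier}: {comp} (supplied by {SUPPLIER[comp]})")
    print("suppliers with no direct relationship:", sorted(unknown_suppliers("plant-hmi")))
    print("routes by which crypto-lib reaches plant-hmi:", sorted(reached_via("plant-hmi", "crypto-lib")))
```

In the constructed graph the buyer sees two suppliers but ships six components from six parties, and `crypto-lib` enters through both tier-1 suppliers, so a weakness there is not mitigated by dropping either one. A real inventory would come from supplier-provided bills of materials rather than a hand-written dictionary, but the walk is the same.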
The Ken Thompson Hack
Ken Thompson is far from your standard black hat hacker. He is a renowned figure in computer science who spent much of his career working at Bell Labs, where he designed the original Unix operating system. His illustrious career began in the 1960s and spanned several decades, during which time he was recognized with a Turing Award and a National Medal of Technology, among other accolades.
Thompson’s goal was to see if it was possible to hide a backdoor in Unix’s login function, according to an article in Wired. This theoretical attack inserted backdoor code into a compiler, so every time the login application was compiled, the compiler would insert the same malicious backdoor code.
“Thompson didn’t merely plant a piece of malicious code that granted him the ability to log into any system,” wrote Andy Greenberg in Wired. “He built a compiler — a tool for turning readable source code into a machine-readable, executable program — that secretly placed the backdoor in the function when it was compiled. Then he went a step further and corrupted the compiler that compiled the compiler, so that even the source code of the user’s compiler wouldn’t have any obvious signs of tampering.”
In 1983, Thompson and co-worker Dennis Ritchie received the Turing Award, often referred to as the Nobel Prize of computing, “For their development of generic operating systems theory and specifically for the implementation of the UNIX operating system.” In his Turing Award lecture, titled Reflections on Trusting Trust (also published in the journal Communications of the ACM in August 1984), Thompson described his hack in detail, calling it “the cutest program I ever wrote.” The Ken Thompson Hack has been considered a seminal work in the field of computer security ever since.
At the end of his speech, he summed up the lesson of his hack.
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.”
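The two stages Greenberg describes (the backdoor goes into login when login is compiled, and the compiler re-inserts the same trick whenever the compiler itself is compiled) and Thompson’s moral that source-level review cannot catch it can be made concrete without any real compiler. The following is an added example, not code from the article, from Thompson’s paper or from any real toolchain: compilers and programs are modeled as short strings, “executing” a compiler is a Python function, and the only hidden state is a tag that lives in the binary and never in the source. The check at the end is David A. Wheeler’s diverse double-compiling, a countermeasure the article does not cover; the independent “trusted” second compiler it relies on is assumed to exist and to be free of this trojan.

```python
import hashlib

# Constructed stand-ins for source text; nothing here is real compiler code.
COMPILER_SRC = "compiler v1: translate source text to object code"
LOGIN_SRC = "login v1: compare supplied password with stored hash"

# Hidden markers that ride along inside a binary but never appear in any source.
TROJAN_TAG = "|self-reproducing-trojan"
BACKDOOR_TAG = "|login-backdoor"


def honest_translation(src: str) -> str:
    """What an untampered compiler emits: object code that is a deterministic
    function of the source alone (modeled here as a short digest)."""
    return "obj:" + hashlib.sha256(src.encode()).hexdigest()[:16]


def run_compiler(compiler_bin: str, src: str) -> str:
    """'Execute' a compiler binary on a source file and return the output binary.

    The trojan lives only in the binary (TROJAN_TAG), not in COMPILER_SRC, so a
    reviewer who reads the compiler source sees nothing wrong. A trojaned
    binary adds the backdoor when it compiles login, and re-inserts itself when
    it compiles the compiler's own source, so rebuilding from clean source does
    not remove it."""
    out = honest_translation(src)
    if compiler_bin.endswith(TROJAN_TAG):
        if src == LOGIN_SRC:
            out += BACKDOOR_TAG
        elif src == COMPILER_SRC:
            out += TROJAN_TAG
    return out


def self_build(compiler_bin: str) -> str:
    """Rebuild the compiler from its own (clean) source using the given binary."""
    return run_compiler(compiler_bin, COMPILER_SRC)


def login_has_backdoor(compiler_bin: str) -> bool:
    """Does login, built with this compiler from clean login source, carry the backdoor?"""
    return BACKDOOR_TAG in run_compiler(compiler_bin, LOGIN_SRC)


def diverse_double_compile(suspect_bin: str, trusted_bin: str) -> bool:
    """Wheeler's diverse double-compiling check (assumption: trusted_bin is an
    independently written compiler that does not share this trojan).

    Stage 1: build COMPILER_SRC with the trusted compiler.
    Stage 2: build COMPILER_SRC again with the stage-1 result.
    If the suspect binary is an honest, deterministic build of COMPILER_SRC, its
    own self-build is identical to stage 2. A self-reproducing trojan shows up
    as a difference, with no need to read or trust the suspect's source. (In
    this model every honest compiler emits the same object code, so stage 1
    already equals the clean build; real toolchains differ at stage 1 and
    converge only at stage 2, which is why the second build is needed.)"""
    stage1 = run_compiler(trusted_bin, COMPILER_SRC)
    stage2 = run_compiler(stage1, COMPILER_SRC)
    return stage2 == self_build(suspect_bin)


# Constructed binaries: a clean build, a tampered build of the same source, and
# a second compiler from an unrelated lineage standing in for the trusted one.
CLEAN_COMPILER = honest_translation(COMPILER_SRC)
TROJANED_COMPILER = CLEAN_COMPILER + TROJAN_TAG
TRUSTED_OTHER_COMPILER = honest_translation("compiler from an independent author")


if __name__ == "__main__":
    for name, cc in (("clean", CLEAN_COMPILER), ("trojaned", TROJANED_COMPILER)):
        rebuilt = self_build(self_build(cc))          # two rebuilds from clean source
        print(f"{name:9s} source reviewed: identical | "
              f"still trojaned after two rebuilds: {rebuilt.endswith(TROJAN_TAG)} | "
              f"login backdoored: {login_has_backdoor(cc)} | "
              f"DDC passes: {diverse_double_compile(cc, TRUSTED_OTHER_COMPILER)}")
```

The point to take from the run is the pairing: the trojaned compiler survives any number of rebuilds from reviewed, unchanged source, yet the comparison against a second independent compiler flags it immediately. That is the practical form of Thompson’s moral: trust has to come from somewhere other than the one toolchain that produced the binary.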
The future is now
While Thompson’s attack was experimental in nature and didn’t harm anyone, savvy hackers are using his lessons today to plant malicious code in software and gain entry to a wide range of systems. As more and more companies rely on third-party vendors, their networks become susceptible to attack. Small- and medium-sized companies are now likely targets. Even if they aren’t the proverbial big game the hackers are really going after, these smaller companies can be used as a conduit to more profitable attacks on major players. In this environment, it becomes essential that organizations focus not only on their own cyber hygiene, but also on the cyber hygiene of their “trusted” software suppliers.
So are software supply chain attacks the next frontier of cyber warfare? Byres said no, but not for a comforting reason.
“It’s not even the next; it is the frontier,” he said. “We’re here now. I gave a talk a little while ago saying, ‘God help us if ransomware meets supply chain attacks, because the ransomware people can just attack one company and get ransomware into 100 companies.’ And sure enough, Kaseya did that. … Taking advantage of one weak supplier of basically a network management package. And because all their customers trusted that they were getting good software, suddenly they were accepting what was effectively ransomware into their companies.”