What is a supply chain attack?

Network security clichés For a long time, people have used simple trust terms to describe: Beware of email attachments from unfamiliar sourcesAnd don’t Hand over documents Go to the fraudulent website. However, more and more sophisticated hackers are destroying this basic sense of trust and asking a paranoid question: What if the legitimate hardware and software that make up your network are compromised at the source?

This insidious and increasingly common form of hacking is called a “supply chain attack,” a technique in which an attacker inserts malicious code or even malicious components into trusted software or hardware. By harming a single vendor, spies or saboteurs can hijack their distribution systems and turn any applications they sell, any software updates they launch, and even the physical devices they ship to customers into Trojan horses. With a proper intrusion, they can create a springboard for the supplier’s customer network-sometimes hundreds or even thousands of victims.

Nick Weaver, a security researcher at the Institute of International Computer Science at the University of California, Berkeley, said: “Supply chain attacks are terrible because they are really difficult to deal with, and because they clearly show that you trust the entire ecosystem.” “You trust all code. The supplier on your machine, with You trust the supplier of each supplier. “

The seriousness of the supply chain threat was proved on a large scale in December last year. At that time, it was reported that Russian hackers-later confirmed to work for the country’s foreign intelligence agency (SVR) Invaded the software company SolarWinds and planted malicious code in its IT management tool Orion, Allowing access to up to 18,000 networks worldwide that use the application. SVR used this foothold to dig deeper into the network of at least nine US federal agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice.

But as shocking as the espionage operation, SolarWinds is not unique. Over the years, severe supply chain attacks have hit companies around the world, both before and after Russia’s bold actions.Just last month, it was revealed Hackers hacked into a software development tool sold by a company called CodeCov This allows hackers to access the networks of hundreds of victims.A kind Chinese hacker group Barium has carried out at least six supply chain attacks In the past five years, in the software of computer manufacturer Asus Hard Disk Cleanup Application CCleaner. 2017 Russian hacker known as Sandworm, Part of the country’s GRU military intelligence service, hijacked the software update of the Ukrainian accounting software MEDOC and used it to launch Self-propagating destructive code called NotPetya, And ultimately caused a loss of 10 billion U.S. dollars in the world—— The most expensive cyber attack in history.

In fact, supply chain attacks first appeared about 40 years ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in the Unix login function. Thompson not only implanted a piece of malicious code, enabling him to log in to any system. He built a compiler—a tool that converts readable source code into machine-readable, executable programs—that secretly place backdoors in functions at compile time.Then he went one step further and broke the compiler Compile The compiler, so that even the source code of the user’s compiler will not have any obvious signs of tampering. “The morality is obvious,” Thompson wrote Explained his presentation in a speech in 1984. “You can’t believe code that you didn’t create entirely by yourself. (Especially the code of companies that hire people like me.)”