SolarWinds compromise focuses new attention on trust in vendor supply chain
Recent media attention on the successful intrusion of multiple commercial and government organizations using a backdoor embedded in the popular SolarWinds Orion software platform has (justifiably) focused on learning the extent of the compromise and the potential damage or loss to SolarWinds’ customers. Both the trade press and companies suffering breaches or intrusions are typically quick to characterize these situations as the result of “sophisticated” attacks perpetrated by advanced or highly capable threat actors. Early reports of the ability the SolarWinds intruders had to evade detection for months after their backdoor was successfully installed and the way they disguised their malicious software suggest that the “sophisticated” moniker is actually warranted in this case, although the precise circumstances surrounding the initial penetration of SolarWinds’ software development operation are far from clear. The consensus seems to be that the attackers were able to gain access to SolarWinds’ toolsets and processes for building release packages (either the source code repository where the build components were managed or a release or package manager elsewhere in the process) and insert malicious code into the build cycle while avoiding detection. When the software update packages were built for release to customers, the malicious code was included with the actual software modules and signed using a cryptographic hash function. The end result is that customers who downloaded and installed the SolarWinds software updates had every reason to believe the software was legitimate and fully authorized by the company. Add to this the fact that, at the time the malware-infested software was distributed, no commercially available anti-malware tools recognized the backdoor as malware, and you have an effective means of intrusion while evading detection. 
On a side note, it’s much less clear why the external connections to the intruders’ command-and-control servers weren’t detected as anomalous, either by the U.S. Government’s EINSTEIN intrusion detection system or by any of the intrusion detection technologies deployed by the commercial entities that were victimized by the SolarWinds exploit.
Given what has been publicly reported so far, including by the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, it is difficult to suggest that any of the affected organizations should have been able to identify the problem with the infected SolarWinds software itself. This incident has brought supply chain attacks into the mainstream (to be fair, NIST first published its Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, more than five years ago), but calls for greater due diligence by customers of enterprise-class software tools like SolarWinds are both overly simplistic and not particularly feasible. The reason software vendors release things like cryptographic hash values is so that customers can verify that the software they download is authentic. Most buyers of such software lack the technical knowledge or capabilities to perform deep analysis of the software products they buy and, if such software has an embedded vulnerability somewhere in its source code, in most cases there is no way for a customer to examine the source code at all (not to mention that reverse engineering commercial software tools typically violates the license agreement governing the purchase of the software). Buyers of commercial software tools have little alternative than to rely on their chosen vendors to deliver software that is free of malware like the SolarWinds backdoor. When dealing with well-established software vendors, it is probably not overstating the situation to say that customers trust their vendors not to deliver products rife with hidden vulnerabilities. Software vendors, like other types of organizations, may in fact be worthy of customers’ trust, but it is at least a semantic mistake for any buyer to say they trust software.
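The hash check described above, as an added Python illustration that is not part of the original post: it uses constructed byte strings in place of real vendor modules and shows that a published hash catches tampering after the build, but passes without complaint when the extra code was already among the build inputs the vendor hashed.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for the modules a vendor packages into a release.
# Arbitrary bytes only; none of this is real product code.
CLEAN_MODULES: Dict[str, bytes] = {
    "core.dll": b"legitimate core module v1.0",
    "ui.dll": b"legitimate ui module v1.0",
}


def build_release(modules: Dict[str, bytes]) -> bytes:
    """Concatenate modules into one package, as a build step would.
    Sorted order keeps the output deterministic for identical inputs."""
    return b"".join(name.encode() + b"\0" + data + b"\n"
                    for name, data in sorted(modules.items()))


def publish_hash(release: bytes) -> str:
    """Vendor side: the SHA-256 value posted next to the download."""
    return hashlib.sha256(release).hexdigest()


def verify_download(release: bytes, published_hex: str) -> bool:
    """Customer side: does the downloaded package match the published hash?"""
    return hmac.compare_digest(hashlib.sha256(release).hexdigest(), published_hex)


def scenario_clean() -> bool:
    release = build_release(CLEAN_MODULES)
    return verify_download(release, publish_hash(release))


def scenario_tampered_after_build() -> bool:
    release = build_release(CLEAN_MODULES)
    published = publish_hash(release)
    tampered = release + b"bytes appended after the vendor hashed it"
    return verify_download(tampered, published)  # hash check catches this


def scenario_compromised_build() -> bool:
    # An unexpected module present in the build inputs (constructed stand-in)
    modules = dict(CLEAN_MODULES, **{"helper.dll": b"module nobody asked for"})
    release = build_release(modules)
    published = publish_hash(release)  # vendor hashes what it built, extra module included
    return verify_download(release, published)  # passes; the customer sees nothing wrong
```

The third scenario is the situation the post describes: integrity checking proves the package is the one the vendor built, not that the vendor's build was clean.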
Organizations may demonstrate trustworthiness by (depending on your characterization) exhibiting competence, honesty, openness, credibility, or reliability. Among these attributes, however, software can only demonstrate reliability or unreliability; a product that performs consistently and predictably may be highly valued by its users, but that does not make it trustworthy. The future prospects for SolarWinds among public sector and private sector organizations remain to be seen, but the guidance issued to government agencies in the past week suggests that CISA is skeptical of many of SolarWinds’ assertions about which product releases are affected and about the company’s ability to prevent further exploitation of its platform.