A particularly insidious threat in the cyber security landscape is “economic espionage”, sometimes sponsored by foreign governments but also by increasingly capable and well-resourced hackers, carried out via the technology supply chain.
This method requires that the production of software be infiltrated in some way:
- Either the creation and marketing of a piece of software from scratch which has an official function but which also installs malware on users’ computers
- Or the hijacking of a genuine piece of software, after which it also contains a malicious payload
US intelligence body the National Counterintelligence and Security Center (NCSC) has just published its Foreign Economic Espionage Report. It found that China, Russia and Iran were the “most capable and active states” involved in such “economic subterfuge”.
Last year was a high-water mark, with seven significant software supply chain events being made public, in contrast to just four between 2014 and 2016.
As organisations become more adept at protecting their networks, thanks largely to greater cyber security training and awareness, subverted software is an attractive method to use because – unlike most malware – people voluntarily download software that they trust. In fact, they are repeatedly (and rightly) told to install updates whenever they become available.
“Software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited,” says NCSC director William Evanina, described by the BBC as “the US’s top counter-intelligence official”. The “bad guys” are now targeting supply chains and “the impacts to proprietary data, trade secrets, and national security are profound,” he added.
And if you think the names you know and trust can’t fall victim to this sort of attack, last September malicious code was inserted into a popular and trusted computer cleaning software product called CCleaner – a brand which has been in use on millions of computers for several years.
The hackers infected millions of machines, but the report said that they had “specifically targeted” 18 companies on which they wished to carry out economic espionage, including Samsung, Intel, O2 and Fujitsu.
As well as stealing information to help foreign governments gain economic advantage, another motive seems to be disruption, as with the NotPetya attack, attributed to hackers working on behalf of the Russian government. Software widely used in Ukraine to file tax returns was infected, wiping affected computers of their data; the damage went well beyond Ukraine, though, affecting international companies that did business in Ukraine and causing hundreds of millions of pounds’ worth of disruption.
And last week, cyber security company CrowdStrike published a survey in which two-thirds of organisations responding said they had experienced a software supply chain attack in the past 12 months, with the average cost per attack being £838,000.
The software supply chain attack is smart, and all but impossible to predict. Don’t install any software without scanning it first. Don’t assume that a piece of software with a nice website is automatically legitimate. Speak to your IT resource if you want to install new software, and look for press and reviews before installing anything.
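One concrete check behind the "scan it first" advice is to verify that a downloaded installer matches the checksum the publisher lists on its website, before it is run. The script below is an added example and is not part of the original article or any vendor's tooling; the installer bytes and the expected checksum are constructed for the demonstration. It hashes the file in chunks (so large installers do not need to fit in memory) and compares the result in constant time. The checksum must come from a source independent of the download itself, and the check only proves the file is the one the publisher released: if the publisher's own build was tampered with before the hash was published, as in the CCleaner case described above, the hash will match the compromised file, which is why this is one layer alongside scanning and review rather than a replacement for them.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading it in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """True if the file's SHA-256 matches the publisher's expected value.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing; the comparison is case- and whitespace-insensitive so
    a value copied from a web page compares cleanly.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Write a constructed 'installer' to a temp file and check it twice:
    once against its genuine checksum, once against the checksum of a
    tampered copy. Returns (genuine_ok, tampered_ok)."""
    installer = b"constructed installer bytes for the demo"  # not real software
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(installer)
        path = tmp.name
    try:
        published = hashlib.sha256(installer).hexdigest()  # stands in for the vendor's page
        genuine_ok = verify_download(path, published)
        # Checksum of a file with one extra byte: simulates a modified download.
        tampered_ok = verify_download(path, hashlib.sha256(installer + b"!").hexdigest())
        return genuine_ok, tampered_ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the expected value is pasted from the publisher's download page (or a signed release manifest) rather than computed locally, and a mismatch means the file should be discarded and the IT team informed, not installed anyway.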