Assessing and mitigating software vendor supply-chain cybersecurity risk
The SolarWinds supply chain incident that was detected in early December 2020 has emerged as one of the most sophisticated and successful cyberattacks on Western government institutions and businesses in recent history. In it, a well-organized, well-funded, highly skilled group purportedly affiliated with Russia’s Foreign Intelligence Service successfully penetrated thousands of large global enterprises and multiple U.S. federal government agencies, including the Departments of Homeland Security, State, Treasury and Commerce. While 80% of victims are believed to be U.S.-based, the attack also compromised targets in Canada, Mexico, the U.K., Spain, Belgium, Israel and the U.A.E.
The SolarWinds breach is the latest prominent example of a so-called software supply chain attack, in which an adversary compromises a trusted source of software, firmware or hardware and embeds surveillance tools or other malicious code in it. The initial target can be a vendor’s private repository or app store, or a public code-sharing repository like GitHub. The breach of each downstream organization is enabled whenever a user installs the compromised software update, firmware update, or hardware.
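The paragraph above describes the consumer-side failure mode: an update bundle is installed without checking that its contents match what the vendor actually released. One concrete mitigation a receiving organization can apply is to verify every file in an update against an integrity manifest obtained through a separate, trusted channel before anything is installed. The following is an added illustration, not code from the original article or from any vendor; the sha256sum-style manifest format, the `verify_bundle` function and the sample update files are assumptions constructed for the example. Note that a manifest fetched from the same source as the update proves nothing if that source is the thing that was compromised, so the manifest must be pinned or retrieved out of band.

```python
import hashlib
import hmac
from typing import Dict, List

# ---- constructed sample data (not real vendor artifacts) -----------------
# A "known good" update bundle as {relative path: file bytes}.
GOOD_BUNDLE: Dict[str, bytes] = {
    "bin/agent": b"\x7fELF constructed agent binary v2.1",
    "lib/helper.dll": b"MZ constructed helper library v2.1",
}

# The same bundle after a hypothetical supply-chain tamper: one shipped file
# has been modified and one unlisted file has been added.
TAMPERED_BUNDLE: Dict[str, bytes] = {
    "bin/agent": GOOD_BUNDLE["bin/agent"],
    "lib/helper.dll": b"MZ constructed helper library v2.1 + injected code",
    "lib/extra.dll": b"MZ constructed file that was never in the release",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(bundle: Dict[str, bytes]) -> str:
    """Produce a sha256sum-style manifest ('<hex digest>  <path>' per line).

    In practice this text comes from the vendor through a channel independent
    of the download itself (e.g. a pinned copy recorded at procurement time).
    """
    return "\n".join(f"{sha256_hex(data)}  {path}" for path, data in sorted(bundle.items()))


# Manifest for the known-good release, pinned by the consumer (constructed here).
PINNED_MANIFEST = make_manifest(GOOD_BUNDLE)


def parse_manifest(manifest_text: str) -> Dict[str, str]:
    """Parse manifest lines into {path: lowercase hex digest}, rejecting malformed lines."""
    expected: Dict[str, str] = {}
    for raw in manifest_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 64 or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[path] = digest.lower()
    return expected


def verify_bundle(bundle: Dict[str, bytes], expected: Dict[str, str]) -> List[str]:
    """Compare a received bundle against the pinned manifest.

    Returns a sorted list of findings; an empty list means every expected file
    is present with the expected digest and no unlisted file was shipped.
    Callers should install only when the list is empty.
    """
    findings: List[str] = []
    for path, digest in expected.items():
        if path not in bundle:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(bundle[path]), digest):
            findings.append(f"modified: {path}")
    for path in bundle:
        if path not in expected:
            # Files the vendor never listed are exactly where embedded code hides.
            findings.append(f"unlisted: {path}")
    return sorted(findings)


def install_allowed(bundle: Dict[str, bytes], manifest_text: str) -> bool:
    """Gate used by an installer: True only when the bundle matches the manifest."""
    return verify_bundle(bundle, parse_manifest(manifest_text)) == []


if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        findings = verify_bundle(bundle, parse_manifest(PINNED_MANIFEST))
        print(f"{name}: {'OK' if not findings else 'REJECTED'} {findings}")
```

Running the block prints `good: OK []` and `tampered: REJECTED ['modified: lib/helper.dll', 'unlisted: lib/extra.dll']`. The check is deliberately strict in both directions: a changed file and an extra file are each grounds for rejection, because an implant may arrive as either. Hash pinning addresses the "trusted source replaced the artifact" case described in the text; it does not help when the vendor's own build pipeline produces the malicious artifact and signs it, which is why manifest pinning belongs alongside vendor assessment rather than in place of it.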