Sun Sentinel Broward Edition

Russian hack of US exposed weaknesses in supply chain

By Eric Tucker

WASHINGTON — The elite Russian hackers who gained access to computer systems of federal agencies last year didn’t need to painstakingly break one-by-one into the networks of each department in order to cause havoc.

Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.

That hackers were able to exploit vulnerabilities in the supply chain to launch a massive intelligence gathering operation wasn’t especially surprising. U.S. officials and cybersecurity experts have sounded the alarm for years about a problem that has caused havoc, including billions of dollars in financial losses, while also defying easy solutions from the government and private sector.

In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not dissimilar to a home construction project that relies on a contractor and a web of subcontractors. The sheer number of steps in that process, from design to manufacture to distribution, and the different entities involved give a hacker looking to infiltrate businesses, agencies and infrastructure numerous points of entry.

That can mean no single company or executive bears sole responsibility for protecting an entire industry supply chain. And even if most vendors in the chain are secure, a single point of vulnerability can be all that foreign government hackers need. In practical terms, homeowners who construct a fortress-like mansion can nonetheless find themselves victimized by an alarm system that was compromised before it was installed.

The most recent case targeting federal agencies involved Russian government hackers who are believed to have inserted malicious code into popular software that monitors computer networks of businesses and governments. That product is made by a Texas-based company called SolarWinds that has thousands of customers in the federal government and private sector.

The malware gave hackers remote access to the networks of multiple agencies. Among those known to have been affected are the departments of Commerce, Treasury and Justice.

For hackers, the business model of directly targeting a supply chain is sensible.

“If you want to breach 30 companies on Wall Street, why breach 30 companies on Wall Street (individually) when you can go to the server — the warehouse, the cloud — where all those companies hold their data? It’s just smarter, more effective, more efficient to do that,” Evanina said.

Though President Donald Trump showed little personal interest in cybersecurity, even firing the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack was revealed, President Joe Biden has said he will make it a priority and will impose costs on adversaries who carry out attacks.

Photo caption (JACQUELYN MARTIN/AP 2020): Hackers are believed to have inserted malware into SolarWinds software. Above, the Justice Department building in Washington. The DOJ was affected.
