History has a way of repeating itself. A well-orchestrated and successful attack against the global IT supply chain worked well once, so why not execute the same playbook again?
That is exactly what played out at the end of 2021, when Microsoft reported that Nobelium, the group behind the SolarWinds attack, had turned its attention to technology resellers and service providers, hoping to leverage their downstream access to the thousands of small businesses that outsource elements of their IT. Microsoft identified more than 22,000 attacks against more than 600 of its customers between July and October 2021, as part of a campaign that has targeted more than 140 cloud service resellers and technology providers. The full scope of an attack like this may not be known for weeks or months. For each service provider that was successfully compromised, the adversaries could potentially have gained access to the systems and sensitive data of that provider’s entire customer base.
As we saw with SolarWinds just over a year ago, and with Kaseya in July of last year, IT supply chain attacks are fast becoming a favorite approach of adversaries because compromising a single vendor lets them ride that vendor’s trusted access, or its software updates, into thousands of customer organizations within a matter of hours, while the access they plant can stay latent for years.
The increasing occurrence of these IT supply chain attacks reflects one of the more concerning cybersecurity trends: when a sophisticated nation-state-level attack succeeds, its tactics are quickly democratized, and eCrime groups piggyback on the same techniques to deploy ransomware or other monetization schemes against vulnerable businesses everywhere.
Because they lack security tools and talent, many of the businesses impacted by an IT supply chain attack won’t even know they have been compromised until the payment demands arrive or the adversary effectively owns their systems. As compromised victims in the supply chain are uncovered, time, money, and reputations take a hit as leaders are forced to reckon with the long-term consequences of a cyber incident. It is an unfair game for small businesses that are suddenly pitted against sophisticated nation-state tactics aimed at the security posture of a vendor they thought they could trust.
In the shadow of ransomware, supply chain attacks are currently underrepresented in the national dialogue, but they have quietly become the next big wave of insidious attacks against American businesses. We must elevate the conversation and take more tangible actions to protect ourselves, and each other, against this expanding threat tactic.
GOVERNMENT ACTION AND COORDINATION BEYOND RANSOMWARE ARE NEEDED
For its part, the federal government’s multiple task forces, global summits, and overall commitment to cybersecurity are commendable. But the focus remains too heavily on the ransomware agenda, and as a result other issues, such as supply chain vulnerabilities, lose attention and resources. Without a significant effort to uncover and remediate the systems impacted in a supply chain attack, more threat actors, nation-states and eCrime groups alike, will keep exploiting these weaknesses over the long term, with small businesses paying the price. The federal government can also leverage its purchasing power, requiring its private-sector suppliers to meet better security practices and standards that protect the IT supply chain. That creates a network effect of improved security among the technologies that power businesses, large and small, public and private, throughout the tech supply chain. From diplomatic measures to sanctions and negotiating leverage, the administration has a number of tools at its disposal to draw a line in the sand before another piece of critical infrastructure is taken down, or thousands of small and mid-size businesses (the backbone of the U.S. economy) are brought to their knees by a cyber attack.
BUSINESSES RESPONSIBLE FOR IMPROVING SECURITY POSTURE
Businesses, too, have a responsibility to look beyond the ransomware threat and understand their security posture at large, especially given that the latest Nobelium campaign leaned on well-known techniques such as password spraying and social engineering, including phishing. Going back to the fundamentals and implementing best-practice security controls such as multi-factor authentication and password managers would go a long way toward keeping attackers from getting in to begin with: a sprayed password that happens to be correct is useless if it is not the only factor. So, too, would applying more scrutiny to the dozens of technology vendors that most businesses deploy, every one of which holds some level of access to our systems, and periodically reviewing and revoking the access those vendors no longer need.
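Password spraying is worth recognizing in your own sign-in logs, not just reading about. The script below is an added example, not code from the article or from Arctic Wolf: it runs over a small constructed authentication log (the log format, IP addresses, account names and thresholds are all assumptions made for illustration) and separates the spray pattern, a few attempts each against many accounts from one source, from the classic brute-force pattern of many attempts against one account, which lockout policies already catch and which spraying is specifically designed to avoid.

```python
"""Password-spray vs. brute-force detection over a constructed auth log.

Added example, not from the original article. A spray tries one or two
common passwords against MANY accounts to stay under per-account lockout
thresholds; brute force hammers ONE account. Grouping failures by source
IP and counting distinct usernames inside a time window tells them apart.
Log format, addresses, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO timestamp> <user> <source_ip> <FAIL|OK>"
SAMPLE_LOG = """\
2021-10-12T09:00:05 alice   192.0.2.5    FAIL
2021-10-12T09:00:21 alice   192.0.2.5    OK
2021-10-12T09:01:00 alice   203.0.113.7  FAIL
2021-10-12T09:01:07 bob     203.0.113.7  FAIL
2021-10-12T09:01:15 carol   203.0.113.7  FAIL
2021-10-12T09:01:22 dave    203.0.113.7  FAIL
2021-10-12T09:01:30 erin    203.0.113.7  FAIL
2021-10-12T09:01:38 frank   203.0.113.7  FAIL
2021-10-12T09:05:00 admin   198.51.100.9 FAIL
2021-10-12T09:05:03 admin   198.51.100.9 FAIL
2021-10-12T09:05:06 admin   198.51.100.9 FAIL
2021-10-12T09:05:09 admin   198.51.100.9 FAIL
2021-10-12T09:05:12 admin   198.51.100.9 FAIL
2021-10-12T09:05:15 admin   198.51.100.9 FAIL
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, user, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against at least `min_accounts` distinct
    accounts inside `window`, with no account tried more than
    `max_per_account` times. Returns {ip: sorted list of targeted accounts}."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        # Slide a window starting at each failure from this source.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            # Few tries per account is what distinguishes a spray from brute force.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def detect_brute_force(events, threshold=5):
    """Flag (ip, user) pairs with at least `threshold` failures: the
    single-account pattern that lockout policies already catch."""
    counts = defaultdict(int)
    for _, user, ip, ok in events:
        if not ok:
            counts[(ip, user)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("password spray :", detect_password_spray(evts))
    print("brute force    :", detect_brute_force(evts))
```

On the sample, 203.0.113.7 is flagged as a spray (six accounts, one try each), 198.51.100.9 is flagged as brute force against admin, and alice’s single mistyped password from 192.0.2.5 trips neither rule. In a real identity provider the same logic runs over sign-in events, and the point of pairing it with MFA is that even the low-single-digit success rate a spray achieves does not turn into a session.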
The technology supply chain is a complex, nebulous web of vendors, applications, and tools, and no matter how many Patch Tuesdays we have, patching fixes known flaws in individual products without touching the structural risk of all that trusted vendor access. The big vulnerabilities are here to stay.
Technology companies can demand better from themselves and their vendors, while the U.S. government can use its international megaphone to draw attention to the IT supply chain risks we all face. Through these combined efforts, we have the opportunity to gain an advantage against this emerging and vexing attack tactic so that we aren’t held ransom by it.
Nick Schneider is President and CEO of Arctic Wolf, the market leader in security operations.