by Pedro Victor

In June of 1982, at the height of the Cold War, a surveillance satellite from the United States detected a great explosion in Siberia. A brief inquiry revealed that the source of the blast identified by the satellite was a flaw in the Soviet-run Trans-Siberian pipeline. Shortly before that event, the KGB (the main intelligence agency of the Soviet Union) had completed a sophisticated operation to infiltrate a spy into a Canadian software development company and steal a copy of the software that would be used to manage the new pipeline.

The Soviets were not aware that the stolen software had been modified by the US Central Intelligence Agency (CIA), which had added some lines of code to the original software. Subsequently, the Soviets installed the stolen software in the Trans-Siberian pipeline management system and, shortly afterwards, flaws in compatibility between the software and the pipeline environment led to the blast that was detected by the North American satellite.

The spy responsible for stealing the software for the new pipeline was part of a KGB department charged with stealing US technology secrets in the 1970s and 1980s. The actions of this department were revealed to the CIA by a double agent named Vladimir Vetrov, known by the codename Farewell. The information provided by the agent made the CIA realize that it could fool the Russians by inserting modified code into the software that its opponents stole.

The Trans-Siberian gas pipeline case is one of the most discussed supply chain attacks, in which an attacker seeks to flank the supply network of an organization in order to find vulnerabilities that may allow internal access to the target.

We will look at some threats that abuse the supply chain and also address some of the consequences faced by organizations that have been victims of this type of attack.

The supply chain is a system of activities involved in handling, distributing, manufacturing, storing and transporting, in order to transfer resources from a supplier to the end consumer.

A Supply-Chain Attack is a means of harming a given organization by targeting less secure elements in its supply chain. This type of attack can be directed at any institution that has a chain of suppliers, and can involve any industry, from the financial to the governmental.

An investigation conducted by Verizon shows that 92% of the security incidents analyzed occurred among small businesses that provide services to larger institutions.

Muhammad Ali Nasir, of the National University of Emerging Sciences (FAST — Pakistan), analyzed the risks involved in the supply chain in the study called Potential cyber-attacks against global oil supply chain. According to Nasir, “due to globalization, decentralization and outsourcing of supply chains, the number of vulnerable points has also increased. A cyber attack against a supply chain is the most effective way to damage many linked entities at the same time”.

On the morning of June 27th, news broke of the large-scale dissemination of the NotPetya malware, which was responsible for compromising several companies in different countries.

An investigation by Talos (Cisco’s Threat Intelligence team) revealed that the attack was directed at companies that were part of the supply chain of M.E.Doc software, the leading accounting software used by companies in Ukraine, which had been infected by the NotPetya malware built into the system update.

The full collaboration of M.E.Doc in providing access to its internal systems and the log files of this incident was an important factor in allowing Talos to conclude the investigation and find the source of the problem. The investigation revealed that the attackers maintained persistent access to the M.E.Doc servers through a file (medoc_online.php) that provided remote access to the company’s servers.

Talos’s research found that criminals gained access to the M.E.Doc update server, incorporated a sneaky, sophisticated backdoor into system update packages, and eventually forced a malicious software update, which did not require user interaction, as demonstrated in the timeline developed by the company (see below).

Image reproduced from Talos Intelligence

The result of this operation, with its high level of execution planning, was the compromise of several companies spread around the world.

Throughout history, several companies have been targeted by Supply-Chain Attacks. According to the SANS Institute’s white paper from September 2015, Combatting Cyber Risks in the Supply Chain, 80% of breaches can originate from attacks on the supply chain. The following cases predate the NotPetya attacks.

Telebots

In December 2016, ESET researchers identified specific attacks against large financial sector companies in Ukraine.

In the period from January to March 2017, the Telebots group managed to compromise another Ukrainian software company. Through VPN connections, it was possible for criminals to gain access to the internal networks of various financial institutions that were part of the company’s supply chain.

Features of Telebots:

o Uses the KillDisk malware to replace or delete files on the victim’s machine;

o Is classified as a Wiper threat;

o Displays an image from the Mr. Robot TV show, with the phrase: We are F Society;

o In its latest version, started to encrypt files;

o There is a version of the threat for Linux systems.

Researchers also believe that the Telebots are the same group responsible for conducting attacks against the Ukrainian power industry in December 2015 and January 2016, known as BlackEnergy.

The Target Corporation incident

At the end of 2013, retailer Target Corporation suffered an attack that resulted in the exposure of more than 40 million payment cards.

According to journalist Brian Krebs, criminals gained access to Target’s internal network after stealing access credentials from Fazio Mechanical Services, a supplier of HVAC (Heating, Ventilation and Air Conditioning) refrigeration systems, which was part of Target’s supply chain.

Fazio Mechanical Services issued a statement on February 6th, 2014, in which it clarified and justified some points regarding the incident involving Target, among them: 1) Fazio’s connection with Target was exclusively for electronic billing, contract submission and project management; 2) the company does not monitor Target HVAC systems; 3) its IT system and security measures are in full compliance with industry practices; and 4) like Target, Fazio was a victim of a sophisticated cyber attack.

The fragmentation of the production chain is an advantage for many companies around the world. It is the result of technological progress, the need to reduce manufacturing costs, the globalization of the economy and reforms in trade and exports in many countries.

From the perspective of information security, supply chains have characteristics that make protecting them a challenge: in many cases they are spread around the world, many of them are complex and interconnected through several logical links, their routes are not regular, and they have different layers of outsourcing.

Former White House official and information security advisor Richard A. Clarke envisioned a catastrophic collapse scenario if the supply chain that provides the resources necessary to maintain the infrastructure of US systems were damaged:

1. Refineries and pipelines would explode;

2. Failures in computer systems would impede the electronic communication of the American Armed Forces;

3. Traffic control systems would collapse;

4. Goods transport and underground transport systems would cease to function;

5. Data from financial systems would be encrypted without being able to return to their original state;

6. The power grid would be damaged;

7. The control of orbiting satellites of planet Earth would be lost.

Although the hypothetical scenario described by Clarke has apocalyptic characteristics, in which any society in the world would disintegrate, it serves, in moderation, as a reflection on how interdependent the security of companies is: no matter the size of a corporation, it can suffer attacks originating from companies of the most varied sizes that are connected to its supply chain.

The most common recommendations against supply chain attacks are, among others: deploying a security plan in the supply chain, keeping systems up-to-date, and deploying processes that monitor systems and partner compliance with information security. These guidelines do not exhaust all the possibilities and paths that can be followed when it comes to keeping the supply chain safe, but they are the basis for its protection.