Why Supply-Chain Cybercrime Has Become Deadlier Than Ever



Everyone on this planet connected directly or indirectly to the Internet is under cyberattack. We have become desensitized to the constant barrage of damage caused by cybercrime. Victims of cyberattacks suffer regulatory, financial, identity, and reputational consequences. For example, be especially cautious with the online retailers and auction sites that sell counterfeit products. Business Insider published an article outlining steps to spot and avoid counterfeit merchandise.

Cybercrime has grown deadlier, adopting techniques that use the human, the weakest link, as the attack vector. State-sponsored hackers have changed their methods to infiltrate the suppliers of computer and network device manufacturers.

As the world becomes dependent on the Internet to drive the cyber economy, for thriving businesses and personal use alike, securing the global Internet against new and escalating risks is crucial to our survival.

Supply-Chain Hijacking

In 2018, Bloomberg Businessweek reported that Supermicro system boards commonly used by Apple, Amazon and others were allegedly implanted with a tiny inconspicuous chip that allowed Chinese hackers to spy deep inside networks. The report caused vehement denials from the technology giants, including the National Security Agency (NSA).
 
The denials were debunked at the CS3sthlm security conference, where researcher Monta Elkins demonstrated a proof-of-concept of the hardware hack on a Cisco firewall. Actors with a shoestring budget can arm themselves with a soldering gun, a microscope, and a chip that enables access to the serial port. Once the chip is installed, hackers can create administrator network accounts and alter firewall rules, logging, and detection notifications.

Ironically, in 2016, Juniper confirmed leaked NSA exploits affecting its firewall devices. The spyware was linked to cyber weapon tools created by the NSA to target vulnerable network hardware, which also affected devices manufactured by Cisco and Fortinet. These tools were corroborated by the Edward Snowden documents, confirming they were owned and used by the NSA.

Since 2013, Lenovo and other Chinese computer and network device manufacturers have been banned by global spy agencies fearing espionage. Hardware exploits become more serious still where attackers can also infiltrate today’s popular voting machines used in elections globally. A voting study conducted by Interos illustrated links between hijacked hardware components in the supply chain that can have severe implications in the upcoming United States 2020 elections.

Supply-chain hacking can have deadly consequences if it infiltrates medical device manufacturers. The medical industry is a dramatically escalating and lucrative target for cybercriminals.

Hardware Cyberattacks & Acts of War

Data theft is not the only consequence organizations can suffer as the targets of cybercrime evolve. Along with stealing data, cybercriminals also attack and destroy critical internal systems, rendering them useless. These attacks target programmable hardware, the core of most systems, and the Internet of Things. Spectre and Meltdown are good examples, affecting vulnerable processors in computer systems, mobile devices, and the cloud.

In September 2019, the United States executed cyberattacks against Iran in retaliation for Iran’s attacks on Saudi Arabia’s oil facilities. The operation affected physical hardware with the intent of disrupting Iran’s ability to spread propaganda. Earlier in June, the United States launched a secret attack that took out a critical Iranian database used to target shipping traffic in the Persian Gulf. Also, the widespread attack crippled vital military communication networks and computers, forcing them offline. Reportedly, their military systems have not fully recovered from the cyberattacks.

On October 28, 2019, a massive state-sponsored attack took down thousands of Georgian web sites and television broadcasters throughout the country. The Russian government was allegedly behind the attack due to its scale and sophistication. The attack was a repeat of the 2008 cyber-attack, when the Russo-Georgian conflict escalated and the Georgian government, banking, and media were taken offline.

The Russian government first denied their involvement, but did state individuals within Russia might have been involved. Subsequent reports implicated the Russian foreign military intelligence agency (GRU) and federal security service (FSB) as having played a crucial role in coordinating and organizing the attacks.

Supply Chain Risks

Supply chain hijacking is more than a technological endeavor; it also involves people and processes. The attacker will exploit all possible avenues, relying less on exploiting the technology than on feasting on human error. The risks cover a staggering amount of terrain. The following are some of the risk areas:

  1. Third-party vendors with physical or remote access to premises and information systems.
  2. Purchased hardware and software from suppliers.
  3. Counterfeit hardware and software purchased from suppliers.
  4. Improper vetting of suppliers’ security practices.
  5. Third-party physical hardware storage and data storage, on-premises, and in the cloud.
  6. Supplier security vulnerabilities in both physical and information systems.

Supply Chain Best Practices

Physical and information security should be treated the same, without distinction. Hackers will seek to compromise both the hardware and the software to gain access. Several organizations I’ve worked with employ detailed questionnaires and third-party audit attestation that emphasize supplier controls. These questionnaires are tailored and go beyond the Service Organization Control (SOC 2) certifications. In addition to the SOC 2, the questionnaire helps them ascertain the risks. The following are a few standard practices:

  • Mandatory security requirements included in every Request for Proposal (RFP) and in contract with the right to audit.
  • Employ tight manufacturing controls for hardware components.
  • Third-party suppliers’ components are physically inspected and scanned before assembly.
  • Source code is obtained for all COTS software purchases or made available for scanning.
  • Use open-source code obtained from approved vendor repositories.
  • Employ physical controls, automation, and testing to reduce human intervention in the manufacturing processes.
  • Security (encryption) authentication between the hardware and software is in place.
  • Employ component identity for each assembly, linking the product serial number to each internal component and its sourcing information, up to the sealed packaging container.
  • Employ a tight chain of custody regimen with shippers monitoring every aspect en route to its final destination.
  • Employ detailed asset controls documenting identifying information when received and during disposal. 
  • Service vendor access controls must be tight. All vendors must be authorized, escorted, and monitored. Vendors must be limited to a select group without access to control systems and minimal software access.
  • Hardware and software must include tamper-proof mechanisms to thwart human intervention.
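
The component-identity and asset-control items above can be checked mechanically at receiving inspection. The following Python sketch is an added example, not code from the original article: it seals a per-unit component record and compares it with what is scanned on the board. The manifest layout, field names, serial numbers and the shared HMAC key are all assumptions made for illustration; a production scheme would more likely use an asymmetric signature from the manufacturer.

```python
import hashlib
import hmac
import json

# Constructed sample: the manufacturer's identity record for one assembled unit.
MANIFEST = {
    "product_serial": "FW-000123",
    "container_seal": "SEAL-88412",
    "components": {
        "U1": {"part": "SOC-A9", "serial": "A9-55310", "lot": "L-2019-07"},
        "U7": {"part": "FLASH-16M", "serial": "FL-90211", "lot": "L-2019-06"},
        "J3": {"part": "UART-HDR", "serial": "UH-00417", "lot": "L-2019-02"},
    },
}
KEY = b"constructed-demo-key"  # assumption: shared out of band with the buyer


def seal(manifest, key):
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def inspect_unit(manifest, tag, scanned, key):
    """Compare scanned parts with the sealed record; [] means they match."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: seal does not verify, record was altered"]
    expected, findings = manifest["components"], []
    for ref in sorted(expected.keys() | scanned.keys()):
        if ref not in scanned:
            findings.append(f"{ref}: listed in manifest but not found on board")
        elif ref not in expected:
            findings.append(f"{ref}: on board but not in manifest")
        elif scanned[ref] != expected[ref]:
            findings.append(f"{ref}: identity differs from manifest")
    return findings


def receiving_demo():
    """Constructed scan: one part swapped and one unlisted part added."""
    scanned = {ref: dict(info) for ref, info in MANIFEST["components"].items()}
    scanned["U7"]["serial"] = "FL-00000"
    scanned["U99"] = {"part": "UNKNOWN", "serial": "", "lot": ""}
    return inspect_unit(MANIFEST, seal(MANIFEST, KEY), scanned, KEY)


if __name__ == "__main__":
    print("\n".join(receiving_demo()))
```

An unlisted reference designator is the case that matters most for the implant scenario described earlier: the record is intact, but the board carries a part nobody sourced.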

Additional In-Use Network Best Practices

  • Apply regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
  • Establish a disaster recovery policy that includes a backup of a “known good” version of the relevant server.
  • Establish a change management policy to enable monitoring for alterations to servable content with a file integrity system.
  • Utilize user input validation to restrict local and remote file inclusion vulnerabilities.
  • Implement a least-privileges policy on all web applications to:
    • Reduce hackers' ability to escalate privileges or pivot laterally to other hosts.
    • Control creation and execution of files inside particular directories.
  • Deploy a demilitarized zone (DMZ) between the web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.
  • Ensure a secure configuration of web apps where all unnecessary services and ports are disabled. All necessary services and ports should be restricted where feasible. Whitelist or block external access to administration panels, and do not use default login credentials.
  • Employ a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
  • Use TLS 1.3 to encrypt data in motion between all apps and servers, and encrypt data at rest.
  • Ensure proper network segmentation between web, application, and database zones. Sandbox, development, staging and production environments must be separated into distinct subnets from the firewall.
  • Tight access controls and change management must be employed and monitored.
  • Conduct a regular system and application vulnerability scan to establish areas of risk.
  • Deploy a web application firewall, and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
  • Deploy and monitor intrusion detection and prevention systems (IDS/IPS) to thwart external and internal attacks against network devices and applications.
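
The "known good" backup and file integrity items in the list above work together: the digests recorded with the known-good copy become the baseline that the live web root is compared against. The following Python sketch is an added example, not part of the original article; the directory layout and file names are constructed, and a real deployment would store the baseline off the server it protects.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(known_good, current):
    """Classify every difference between the baseline and the live tree."""
    return {
        "added": sorted(current.keys() - known_good.keys()),
        "removed": sorted(known_good.keys() - current.keys()),
        "modified": sorted(p for p in known_good.keys() & current.keys()
                           if known_good[p] != current[p]),
    }


def demo():
    """Constructed web root: baseline it, make unapproved changes, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "static"))
        for rel, body in {"index.html": b"<h1>home</h1>",
                          "static/app.js": b"console.log('v1');",
                          "static/logo.svg": b"<svg/>"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)  # stored with the "known good" backup
        with open(os.path.join(root, "static/app.js"), "ab") as fh:
            fh.write(b"// unapproved edit")
        with open(os.path.join(root, "unreviewed.php"), "wb") as fh:
            fh.write(b"placeholder")
        os.remove(os.path.join(root, "static/logo.svg"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Any entry under "added" or "modified" that has no matching change-management ticket is the alteration the policy is meant to surface.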
