The US Treasury cyber attack is yet another example that absolutely anyone can be the victim of a cyber attack, and another warning that cyber attackers are becoming ever more sophisticated. This time, it was a sophisticated supply chain attack that allowed the US Treasury and at least one other US government department or agency to become the victim of a cyber attack.
It is suspected that, just like the cyber attack on FireEye last week, the US Treasury cyber attack was the work of a nation state actor. Both victims said that they believed (although it is as yet not confirmed) that the Russian government was behind the attacks, an accusation that the Russian government denies.
The National Security Council met on Saturday to discuss this attack, due to concerns that this is just one part of a larger cyber espionage campaign targeting the US government, and that the US Treasury cyber attack is just the tip of the iceberg. It appears that the attack itself took place several months ago although it was only discovered now, and it will take time for the full scope to be understood, causing chaos and confusion for a while to come.
The US Treasury cyber attack appears to have been a supply chain attack. Supply chain attacks target suppliers who are seen to be less secure, or who have a specific vulnerability, as a way of getting a back door into their ultimate targets.
The attackers were able to exploit a vulnerability in a program called Orion from SolarWinds, a US government supplier. The attackers used this vulnerability to add malicious code to legitimate software updates, which were then installed on the government’s networks. This in turn gave the attackers access within the agencies’ networks, including employees’ email accounts. In order to stay below the radar and avoid triggering the affected organisations’ own cybersecurity teams, the trojanised update was programmed to remain dormant for two weeks after it was installed, and then to upload only small quantities of data, so that it looked like regular Orion traffic.
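The evasion described above relies on volume: the backdoor keeps its transfers small so they blend in with normal Orion traffic. A management server has a fairly fixed set of things it talks to, so a defender can baseline its destinations before an update and flag anything new that keeps recurring afterwards, regardless of how little data it sends. The following is an added example written for this article, not code from the original post or from SolarWinds: the flow records, host name, destination addresses and the update date are all constructed, and the record format (timestamp, source host, destination, bytes out) is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records for one monitoring server: ISO timestamp, source host,
# destination, bytes sent. 10.0.5.x are "monitored nodes"; 203.0.113.45 is a
# made-up external address from the documentation range.
FLOWS = """\
2020-03-01T10:00:00 orion-srv 10.0.5.20 52000
2020-03-01T10:05:00 orion-srv 10.0.5.21 48000
2020-03-15T10:00:00 orion-srv 10.0.5.20 51000
2020-03-15T10:05:00 orion-srv 10.0.5.21 47500
2020-03-30T10:00:00 orion-srv 10.0.5.20 52500
2020-04-02T09:00:00 orion-srv 10.0.5.22 50000
2020-04-10T03:12:00 orion-srv 203.0.113.45 900
2020-04-11T03:15:00 orion-srv 203.0.113.45 1100
2020-04-12T03:09:00 orion-srv 203.0.113.45 700
2020-04-12T10:00:00 orion-srv 10.0.5.20 51800
"""


def parse_flows(text: str) -> list:
    """Parse the whitespace-separated flow format assumed above."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def new_recurring_destinations(rows: list, host: str, update_time: datetime,
                               min_days: int = 2) -> dict:
    """Destinations that `host` never contacted before `update_time` but
    contacted on at least `min_days` distinct days afterwards.

    Byte counts are reported but never used as a threshold: a low-and-slow
    channel is caught by novelty plus persistence, not by volume.
    """
    baseline = {dst for ts, src, dst, _ in rows if src == host and ts < update_time}
    seen = defaultdict(lambda: {"days": set(), "bytes": 0})
    for ts, src, dst, nbytes in rows:
        if src == host and ts >= update_time and dst not in baseline:
            seen[dst]["days"].add(ts.date())
            seen[dst]["bytes"] += nbytes
    return {
        dst: {"days": len(info["days"]), "bytes": info["bytes"]}
        for dst, info in seen.items()
        if len(info["days"]) >= min_days
    }


def demo() -> dict:
    """Run the check with a constructed update date of 26 March 2020."""
    return new_recurring_destinations(parse_flows(FLOWS), "orion-srv",
                                      datetime(2020, 3, 26))


if __name__ == "__main__":
    for dst, info in demo().items():
        print(f"{dst}: seen on {info['days']} days, {info['bytes']} bytes total")
```

In the constructed data the new internal node 10.0.5.22 appears only once after the update and is not reported, while the external address recurs on three separate days with under 3 KB in total and is. The threshold `min_days` is the knob to tune against the environment: a freshly monitored node will show up once and then join the baseline, whereas a beacon keeps coming back.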
The affected updates took place between March and June 2020, enabling the attackers to monitor emails at the US Treasury and the National Telecommunications and Information Administration (NTIA) over the last few months.
Some sources close to the investigation have suggested that both the FireEye attack that was announced last week, and the US Treasury cyber attack were connected as part of the same cyber espionage campaign. Access to both organisations was gained by leveraging a back door in a SolarWinds software update, suggesting that they are indeed connected.
FireEye is a prominent cybersecurity company, with several governments (not just the US Government) as clients. The attack on FireEye can now be seen as an attack on a crucial supplier, which makes all their clients vulnerable to a supply chain attack.
The attacks on both FireEye and the US Treasury were extremely sophisticated, which is why investigators are concerned that they are down to nation state activity. If the two attacks are indeed just the opening salvos in a wider operation, it could take years before the full impact is understood.
Every organisation everywhere uses multiple suppliers in order to manage their IT. However, each supplier poses some level of risk for their clients, which is then actualised when a malicious actor uses that supplier to attack their victim. Supply chain attacks are on the increase as malicious actors develop new, ever more sophisticated ways to attack their victims.
The risk from a supplier, partner, or vendor is known as third party risk. Many organisations blindly trust their suppliers, and don’t carry out third party risk assessments to ensure that their suppliers have implemented the same level of cybersecurity controls that they do, which in turn increases their exposure to risk. However, third party risk is receiving growing emphasis in regulations such as GDPR, standards such as ISO 27001, and audit frameworks including SOC 2, which is putting it firmly on the map.
Incidents such as this latest US Treasury cyber attack show the importance of managing third party risk, including the risk from trusted software vendors. Some research has shown that evaluating the security and privacy policies of suppliers and other third parties, or requiring suppliers to conform to information security standards, can significantly reduce the risk of a cybersecurity breach. The National Cyber Security Centre has even published guidance on how to secure the supply chain, promoting ways to ensure that a supplier doesn’t inadvertently let an attacker in.
In addition, each organisation should have a robust software update process that enables DevOps teams to test and verify software updates from third parties before deployment, and to monitor for emergency patches that follow on from an update.
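One concrete piece of the update process above is an integrity gate: before a vendor package goes anywhere near staging, every file in it is checked against the digests the vendor published, and any file that is modified, missing, or simply not on the vendor's list blocks the update. The following is an added example written for this article, not code from the original post or from any vendor: the file names, contents and manifest layout (a JSON-style mapping of relative path to SHA-256) are constructed, and a real vendor's manifest format would differ.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large installers stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_update(update_dir: Path, manifest: dict) -> dict:
    """Compare every file under update_dir against the pinned manifest.

    manifest["files"] maps relative path -> expected SHA-256 hex digest.
    The update is cleared for staging only when the report's 'ok' is True.
    """
    expected = dict(manifest["files"])
    report = {"ok": True, "mismatched": [], "unexpected": [], "missing": []}

    for path in sorted(p for p in update_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(update_dir).as_posix()
        pinned = expected.pop(rel, None)
        if pinned is None:
            # A file the vendor never listed: treat as tampering, not as a bonus.
            report["unexpected"].append(rel)
        elif sha256_file(path) != pinned:
            report["mismatched"].append(rel)

    report["missing"] = sorted(expected)  # listed by the vendor but absent
    report["ok"] = not (report["mismatched"] or report["unexpected"] or report["missing"])
    return report


def write_files(root: Path, files: dict) -> None:
    """Materialise a constructed package on disk."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Constructed scenario: a clean package, then the same package with one
    file modified and one file added. Returns both verification reports."""
    clean = {
        "bin/monitor.exe": b"legitimate monitoring binary (constructed)",
        "lib/core.dll": b"legitimate library (constructed)",
        "README.txt": b"release notes 2020.2 (constructed)",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_files(root / "clean", clean)
        # The manifest is what the vendor would publish alongside the package.
        manifest = {"files": {rel: sha256_file(root / "clean" / rel) for rel in clean}}

        tampered = dict(clean)
        tampered["lib/core.dll"] = b"legitimate library (constructed) + injected code"
        tampered["lib/extra.dll"] = b"file the vendor never listed (constructed)"
        write_files(root / "tampered", tampered)

        return {
            "clean": verify_update(root / "clean", manifest),
            "tampered": verify_update(root / "tampered", manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must come from a channel independent of the package download, otherwise whoever swapped the package can swap the digests too. This gate catches a package altered after the vendor published it; it cannot catch code that the vendor's own build pipeline signed and listed, which is why the testing in a staging environment and the monitoring that follow it remain necessary.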
The final lesson of this incident is that every organisation’s cybersecurity posture is only as secure as their weakest supplier, as the US Treasury just discovered.
Stay safe.