Cybersecurity truisms have long been described in simple terms of trust: Beware email attachments from unfamiliar sources, and don’t hand over credentials to a fraudulent website. But increasingly, sophisticated hackers are undermining that basic sense of trust and raising a paranoia-inducing question: What if the legitimate hardware and software that makes up your network has been compromised at the source?
That insidious and increasingly common form of hacking is known as a “supply chain attack,” a technique in which an adversary slips malicious code or even a malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier’s customers—sometimes numbering hundreds or even thousands of victims.
“Supply chain attacks are scary because they’re really hard to deal with, and because they make it clear you’re trusting a whole ecology,” says Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute. “You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor.”
The severity of the supply chain threat was demonstrated on a massive scale last December, when it was revealed that Russian hackers—later identified as working for the country’s foreign intelligence service, known as the SVR—had hacked the software firm SolarWinds and planted malicious code in its IT management tool Orion, allowing access to as many as 18,000 networks that used that application around the world. The SVR used that foothold to burrow deep into the networks of at least nine US federal agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice.
But as shocking as that spy operation was, SolarWinds wasn’t unique. Serious supply chain attacks have hit companies around the world for years, both before and since Russia’s audacious campaign. Just last month, it was revealed that hackers had compromised a software development tool sold by a firm called Codecov, giving them access to hundreds of victims’ networks. A Chinese hacking group known as Barium carried out at least six supply chain attacks over the past five years, hiding malicious code in the software of computer maker Asus and in the system-cleanup utility CCleaner. In 2017 the Russian hackers known as Sandworm, part of the country’s GRU military intelligence service, hijacked the software updates of the Ukrainian accounting software MEDoc and used them to push out self-spreading, destructive code known as NotPetya, which ultimately inflicted $10 billion in damage worldwide—the costliest cyberattack in history.
In fact, supply chain attacks were first demonstrated around four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix’s login function. Thompson didn’t merely plant a piece of malicious code that granted him the ability to log into any system. He modified the C compiler (the tool that turns readable source code into a machine-readable, executable program) so that whenever it compiled login it silently inserted the backdoor, leaving login’s own source code clean. Then he went a step further: he taught the compiler to recognize when it was compiling its own source and to re-insert both modifications into the new compiler, so that the tampering could be deleted from the compiler’s source code and would still survive every rebuild. Anyone auditing the source of login or of the compiler would find nothing, because the backdoor lived only in the compiler binary. “The moral is obvious,” Thompson wrote in his 1984 Turing Award lecture, “Reflections on Trusting Trust,” explaining the demonstration. “You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”
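The two-stage trick Thompson describes is easier to believe once you watch it survive a rebuild. The following is an added toy reproduction written for this page, not Thompson’s code and not from the article: the “language” being compiled is Python itself, a “compiler” is a function that turns source text into a namespace of executable objects, and the login program, compiler source, master password (“kenthompson”) and the user “alice” are all constructed for the example. The trojan is written as a quine-style template so that, when it notices the compiler being compiled, it can emit its own source again. The `ddc_check` function at the end is a simplified version of David A. Wheeler’s Diverse Double-Compiling countermeasure (rebuild the compiler from the same source with an independent trusted compiler and diff the artifacts), which the article does not discuss.

```python
"""Toy reproduction of Thompson's 'trusting trust' compiler backdoor.

A 'compiler' here is a function that takes source text and returns a
namespace of executable objects. All sources below are constructed for
this example; none of it is Thompson's code.
"""

# Constructed source of the program being attacked: a trivial login check.
LOGIN_SRC = '''
def login(user, password):
    users = {"alice": "s3cret"}
    return users.get(user) == password
'''

# Constructed source of the clean compiler. It contains no backdoor.
COMPILER_SRC = '''
def compile_program(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# The trojan as a quine-style template: %r is replaced by the template
# itself, so the running trojan can re-emit its own source (T % T) when
# it sees the compiler being compiled. '%%' is a literal '%' after formatting.
TROJAN_TEMPLATE = '''
def _trojan(src):
    T = %r
    head = src.lstrip()
    if head.startswith("def login("):
        # Target 1: the login program gets a master password.
        src = src.replace("users.get(user) == password",
                          'password == "kenthompson" or users.get(user) == password')
    if head.startswith("def compile_program("):
        # Target 2: the compiler gets this trojan re-inserted, so the
        # backdoor survives a rebuild from pristine compiler source.
        src = (T %% T) + src.replace("exec(src, ns)", "exec(_trojan(src), ns)")
    return src
'''
TROJAN_CODE = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def build_clean_compiler():
    """Generation 0: a compiler we trust (built without any attacker code)."""
    ns = {}
    exec(COMPILER_SRC, ns)
    return ns


def build_trojaned_compiler():
    """The attacker's one-time dirty build: compile visibly tampered compiler
    source once with a clean compiler, then ship only the resulting binary."""
    dirty_src = TROJAN_CODE + COMPILER_SRC.replace("exec(src, ns)",
                                                   "exec(_trojan(src), ns)")
    return build_clean_compiler()["compile_program"](dirty_src)


def rebuild_compiler(compiler_ns):
    """Rebuild the compiler from its PRISTINE source with the given compiler."""
    return compiler_ns["compile_program"](COMPILER_SRC)


def build_login(compiler_ns):
    """Compile the pristine login source with the given compiler."""
    return compiler_ns["compile_program"](LOGIN_SRC)["login"]


def demo_backdoor_survives_rebuilds(generations=3):
    """Starting from the dirty build, rebuild the compiler from clean source
    `generations` times, then compile clean login source with the result.
    Returns (real password accepted, master password accepted, junk rejected)."""
    compiler = build_trojaned_compiler()
    for _ in range(generations):
        compiler = rebuild_compiler(compiler)
    login = build_login(compiler)
    return (login("alice", "s3cret"),
            login("alice", "kenthompson"),
            login("alice", "wrong"))


def ddc_check(suspect_ns):
    """Simplified Diverse Double-Compiling: build the same compiler source
    with an independent trusted compiler and with the suspect one, then
    compare the artifacts. A trojaned compiler cannot reproduce the clean
    compile_program, because it must splice in the call to _trojan."""
    from_trusted = rebuild_compiler(build_clean_compiler())["compile_program"]
    from_suspect = rebuild_compiler(suspect_ns)["compile_program"]
    return from_trusted.__code__.co_code == from_suspect.__code__.co_code


if __name__ == "__main__":
    print("trojaned lineage (real, master, junk):", demo_backdoor_survives_rebuilds())
    print("clean compiler passes DDC:", ddc_check(build_clean_compiler()))
    print("trojaned compiler passes DDC:", ddc_check(build_trojaned_compiler()))
```

The point to notice is that after the first dirty build every input is pristine: `COMPILER_SRC` and `LOGIN_SRC` never change, yet every compiler generation descended from the dirty one still carries `_trojan` and still emits a login that accepts the master password. The DDC comparison catches it only because a second, independently built compiler exists to diff against, which is exactly the kind of outside reference Thompson’s moral says you otherwise lack.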