The recently discovered attack on US technology firm SolarWinds has highlighted the need for effective supplier due diligence.
The many challenges of the last year included a considerable rise in cybercrime. As reported in Treasury Today, 2020 saw the arrival of a new selection of scamming strategies by cybercriminals, such as posing as contact tracers, or purporting to help people apply for government benefits. At the same time, existing techniques have continued to become more sophisticated, as illustrated by the assault on IT company SolarWinds – an attack so significant that it has been described as the ‘Pearl Harbour of American IT’.
Anatomy of a cyberattack
As has been widely reported, malicious code was added to the company’s network management product Orion, which is used by 33,000 customers – including Fortune 500 firms and the US government. When SolarWinds issued software updates, the code was installed by 18,000 of its clients, which were then vulnerable to attacks themselves.
By the time the attack was reported in December 2020, it had gone undetected for many months – and in fact, SolarWinds has subsequently found that the hackers had first accessed their business in September 2019. While some will never know whether or not they were targeted, the known victims of the attack include the US Treasury Department, the Pentagon, Microsoft, a hospital and a university.
What makes this attack particularly significant is the way the effects have been felt not just by SolarWinds, but by its customers – and this is a model that is likely to be emulated by other cybercriminals in the future. “It’s clear we are in a new world where attackers not only go after their direct targets as they have in the past, but they also go after key technology infrastructure providers including the largest, most trusted, and widely used solutions in the market,” comments Brady Cale, Chief Technology Officer at Taulia.
Inadequate defences
Joseph Krull, Senior Analyst at Aite Group, points out that there were a number of reports of significant shortcomings in SolarWinds’ defences before the attack: “They were using passwords that weren’t particularly safe, like ‘solarwinds123’; they didn’t have a security programme in place; they didn’t have a product security officer,” he says. “One of their employees felt so strongly about this, he was telling the management it was just a matter of time before they had a successful attack. That got no traction, so he resigned and left the company. This tells me their internal controls left a lot to be desired.”
Equally, Krull notes that the companies that were giving SolarWinds access to their networks may not have carried out adequate due diligence on their arrangements. “It was a very sophisticated attack, and it could have happened to anybody,” he says. “But when you peel this back and see government agencies and large enterprises, you have to ask where they were in their contracting process. Did they ask questions like, ‘Do you have a chief information security officer? Do you have a security programme? And how do you handle password management?’”
Supply chain risk
It’s clear that the SolarWinds attack has underlined the need for robust supplier due diligence. As Krull notes, “If criminals can come in through your supply chain partners, you’re going to have a huge attack surface that you have very little control over.”
“For treasurers, it highlights the importance of reviewing and auditing their partners and infrastructure,” says Taulia’s Cale. “As the manager of their company’s financial assets, they must also consider their supply chain risk and guard against the potential that a key technology provider could become compromised.”
This should include reviewing the security credentials of existing vendors, even if a relationship has been in place for a number of years. “Another thing is that we need to raise the level of awareness of people that work in procurement departments about current threats, attacks and trends – and the questions they need to be asking as part of any new technology acquisition,” concludes Krull.