Avast Blog_ViewPoints: The Supply Chain; aka the Hacker Food Chain

[harlan4096]

Could you be the weak link for hackers?

In December 2018, Chinese nationals Zhu Hua and Zhang Shilong were indicted by the US Department of Justice for involvement with the APT10 hacking group. The APT epithet stands for Advanced Persistent Threat. It is used to specify an elite hacking group, usually one that operates with the endorsement of, or direct employment by, a nation state. These are not run-of-the-mill cybercriminals.

One of the charges levied against Hua and Shilong was involvement in what the Justice Department called the ‘MSP Theft Campaign’. This is better known among security researchers as Cloud Hopper. Managed Service Providers (MSPs) were compromised, but they were not the primary targets – it was their customers that APT10 wished to hack. The MSPs were phished, and their customers’ credentials stolen; giving the APT10 group unhindered access to the real targets via the MSPs’ authorized access details.

This type of attack is known as a ‘supply chain attack’. The true target isn’t attacked directly. Rather its generally less well-defended supply chain – in this case the MSPs – are targeted first.

You may ask yourself, what have state-level hackers and international cyber-espionage to do with me? Possibly – but not necessarily – nothing. But it is important to understand the concept of supply chain attacks and how they could affect us. We all need to know where in the hackers’ food chain we live.

What is a supply chain?

A supply chain is a chain of dependencies in goods or services. If I shop at Wal-Mart, Wal-Mart is in my supply chain. This chain links back to the wholesalers who supply Wal-Mart, and further back to the farmers who supply the wholesalers.

In the tech world, my computer supplier is part of my supply chain – and the manufacturers who develop the parts put together by my supplier are parts of its supply chain. The same applies to software: the developer is part of my chain, and the producers of open source routines used by the developer are parts of its supply chain.

In the other direction, I am part of the supply chain for the company that employs me. That company is part of the supply chain for other companies it supplies. If I sell things, I am the supply chain for my customers.

And so it goes on. Society is a complex interaction of complex supply chains. The problem is that in today’s connected world, suppliers often have online access to the supplied.

In general, the bigger the company, the greater the attraction for hackers – but at the same time, the better it will be defended. This doesn’t happen with the smaller companies that make up the supply chain. Smaller companies are less well-defended; and individuals with their home computers are the poorest defended of all.

Without realizing it, I could be part of a supply chain that links from me to my employer, and from my employer to some of the largest – or even critical – organizations in the country.  

Continue Reading