Security & Identity

How SolarWinds still affects supply chain threats, two years later

December 19, 2022
Greg Kapourellos

Manager, Mandiant Intelligence

Stephen Eckels

Sr. Reverse Engineer, Mandiant


Our quarterly Security Talks series brings together experts from Google Cloud Security teams and the industry to share information on our latest security products, innovations and best practices. Below is an introduction to Mandiant’s Security Talks presentation on Dec. 7, Mandiant Tales from the Front Lines: Activate Cyber Defenses Against Supply Chain Compromise.

The discovery in December 2020 of the SolarWinds supply chain compromise, a global computer intrusion campaign, caused organizations and security leaders to completely reassess their Cyber Threat Profiles, risk assessments, and defensive postures. It was a rare, watershed event that savvy security leaders and IT decision makers have been using to improve how security teams protect systems, networks, and data across industries and sectors, especially critical infrastructure. Two years later, we’re looking back at the security incident, what we’ve learned, and how it continues to drive change across security teams and organizations.


The SolarWinds compromise leveraged access to the software maker’s Orion business software in order to distribute a malicious update containing malware. Mandiant has since attributed this operation to APT29, a Russia-based espionage group assessed to be sponsored by the Russian Foreign Intelligence Service (SVR). This operation afforded APT29 unparalleled access to an estimated 18,000 global organizations for follow-on targeting based on the attacker’s discretion and collection priorities.

While the security industry has yet to see anything that rivals the scale and scope of the SolarWinds compromise since it was discovered, a recent Google Cloud research report on software supply chain security found that there has been a sharp increase in software supply chain attacks across nearly every sector.

Mandiant analysis identified supply chain compromise as the second-most prevalent initial infection vector in 2021. When the initial infection vector was identified, supply chain compromise accounted for 17% of intrusions in 2021 compared to less than 1% of intrusions in 2020. Further, 86% of supply chain compromise intrusions in 2021 were related to the SolarWinds breach.

Since 2020, Mandiant has also observed an increase in financially motivated threat actors targeting the software supply chain. These actors compromised popular software packages and even mobile applications in order to deploy ransomware, cryptocurrency miners, and banking trojans. In one case, malicious code was inserted into a popular package, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert about the compromise.

Mitigation recommendations

The discovery of the SolarWinds incident resulted in increased global attention around supply chain compromise threats. Government authorities and technology organizations have responded with several initiatives, legislation, and studies seeking to reduce software supply chain and software dependency risk. Although these initiatives may make it more difficult for threat actors to conduct these operations, organizations should also take steps to mitigate supply chain threats. 

Mandiant suggests that organizations contemplate applying multiple layers of security policies, plans, and solutions to maximize opportunities to provide early threat detection and prevent an anomaly or compromise stemming from the supply chain. This guidance is aligned with best practices Google Cloud has recommended for organizations to improve their software supply chain security.

Mandiant has also provided the following additional recommendations for organizations to consider more generally: 

  • Establish a vendor vetting process to evaluate vendor security practices before deploying hardware or software.

  • Create a change control process and board for all enterprise hardware and software changes, which could include a centralized IT or IT security managed process for downloading, testing, and pushing updates to users.

  • Use an advanced endpoint security solution, such as an endpoint detection and response (EDR) product, to detect malicious behavior when a tainted software package is downloaded and executed.

  • Ensure proper logging and monitoring is in place between the software, hardware, and the internet.

  • Deploy the software and hardware in segmented network zones with minimal access to the internet.

  • Enact employee training programs and policies to encourage security best practices, including security audits of code in development.

Next steps

You can watch the Google Cloud Security Talks presentation on SolarWinds and the current state of supply chain threats here. You can learn more about Google Cloud’s solutions to help improve software supply chain security here, or for more general inquiries, please contact us or reach out to your sales representative to learn how we can assist.
