SUNBURST, Supply Chain Attacks and How to Detect Them

February 26, 2021

  • The stealth and sophistication of the recent SolarWinds Orion SUNBURST supply chain attack was alarming, in no uncertain terms, but supply chain attacks in general are as well-known as they are formidable.
  • This guest post from Sri Sundaralingam of ExtraHop identifies some common supply chain hack elements and explains how to discover and stop them in the early stages.




What is a supply chain attack?

A supply chain attack is a particular type of hack that seeks to gain access to protected information or damage an organization by targeting less secure elements in the supply chain, such as third-party vendors or software.


Supply chain attacks have been used against organizations and government entities for many years. From the high-profile 2010 Stuxnet attack on Iranian nuclear centrifuge control systems to the 2020 SolarWinds SUNBURST backdoor Trojan attack, these highly sophisticated hacks have caused substantial losses and/or setbacks for the victims, as well as significant reputational damage.


Successful, highly damaging supply chain attacks often have many of the following elements in common:


  • Meticulous preparation: Attackers usually surveil target organizations for long periods or put considerable effort into developing custom code.
  • 'Legitimate' entry: Attackers can use credentials stolen from a legitimate supplier or Trojanized updates to trusted third-party software used within the organization's IT infrastructure to gain access. Stuxnet was so stealthy that there is still considerable debate around whether defenses were breached via an infected USB stick or installation of other equipment.
  • Remote command and control: Once trusted IT assets are compromised, adversaries can take additional remote actions to execute the attack. In the SolarWinds SUNBURST attack, a backdoor Trojan enabled nation-state actors to provide additional directions from a command and control infrastructure to carry out the attack.
  • Stealthy movement: By moving laterally and using tactics like leveraging PowerShell capabilities already embedded into operating systems, attackers can “live off the land” inside an organization's network and IT infrastructure, increasing dwell time and their odds of success.
  • Post-execution coverup: Once attackers have achieved their goals of data exfiltration, disruption or destruction, they often attempt to remove malicious software and digital footprints, such as logs, to help evade or delay discovery and attribution.



What makes us vulnerable?

Over the past 10 years, much has changed across the IT landscape, yet many basic security challenges stubbornly remain. Cloud adoption has outpaced even some optimistic predictions as organizations choose to outsource their data centers to improve focus on core business initiatives. As opportunities for businesses to innovate in the cloud continue to unfold, they create an equally large number of new targets for attackers to pursue.


As cloud adoption has increased, DevOps teams have also found ways to accelerate the development and deployment of cloud workloads. In the process, they may neglect security and leave potential footholds exposed to attackers.


Finally, widespread use of open source software has ushered in a new era of ease and cost reduction in cloud application development while also increasing the risk of vulnerabilities (unintentional or otherwise) in cloud workloads. Wisely, cloud providers have chosen to “share” responsibility for security in the cloud with their customers.



The SolarWinds SUNBURST exploit

We don't yet fully know the origin and number of attackers involved in the SolarWinds SUNBURST exploit. But we do know their techniques were highly sophisticated, involved a number of steps, used both customized software and tools existing in the environment and resulted in data exfiltration and other damage. More troubling is the nine months or more of dwell time the attackers enjoyed. However, there’s a silver lining. Each step in a multistep supply chain attack offers an opportunity to discover and stop intruders.



Tools that can't be detected

What defenders need is a sophisticated and stealthy security toolset that can adapt and keep pace with the latest attack techniques. Fortunately for them, those solutions are within reach.


For example, network detection and response (NDR) tools tap the network and work from mirrored packets, giving defenders a covert vantage point and a data source that an attacker on a compromised host cannot alter.


Dissecting packets to extract metrics reveals a wealth of useful information, including all connected devices and device types within a data center or cloud environment, attacker lateral movements, new connections, abnormal user behavior, data breach attempts and ransomware.



Look to network data

We know that the SUNBURST attack had both an extensive scope and long dwell time, which increased the potential for damage exponentially. Because of this, organizations are relearning just how important it is to have months of logs and network activity readily available so they can determine how and when they were hacked.
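The detections the preceding sections describe (new connections, lateral movement, command-and-control check-ins, and the use of retained history to establish when activity began), as an added example that is not part of the original post and not ExtraHop's product code: a small Python script run over constructed flow records. It assumes records of the form (timestamp, src, dst, dport), as an NDR sensor or a flow log would supply, and treats 10.0.0.0/8 as the organization's internal network; every host, address and timestamp below is made up for illustration.

```python
"""Added example, not code from the post or from ExtraHop: three simple
detections run over connection metadata of the kind an NDR sensor
extracts from mirrored packets. All hosts, addresses and timestamps are
constructed for illustration; 10.0.0.0/8 is assumed to be the internal
network."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumption: the organization's address space
BASELINE_START = datetime(2021, 1, 1)     # start of retained history
RECENT_START = datetime(2021, 2, 1)       # window under investigation


def build_sample():
    """Constructed flow records: dicts with ts, src, dst, dport."""
    rec = []
    # Routine: a workstation reaches the file server over SMB every morning.
    for day in range(45):
        rec.append({"ts": BASELINE_START + timedelta(days=day, hours=9),
                    "src": "10.0.1.10", "dst": "10.0.2.20", "dport": 445})
    # Anomaly: a management server starts opening WinRM sessions to several hosts.
    for i in range(3):
        rec.append({"ts": RECENT_START + timedelta(days=2, minutes=i),
                    "src": "10.0.3.5", "dst": f"10.0.2.{30 + i}", "dport": 5985})
    # Anomaly: the same server contacts an outside host every ~600 s with little jitter.
    for i in range(20):
        rec.append({"ts": RECENT_START + timedelta(seconds=600 * i + (i % 3) * 3),
                    "src": "10.0.3.5", "dst": "203.0.113.7", "dport": 443})
    # Routine: the workstation browses an outside site at irregular intervals.
    for off in (0, 37, 95, 400, 1800, 5000):
        rec.append({"ts": RECENT_START + timedelta(seconds=off),
                    "src": "10.0.1.10", "dst": "198.51.100.9", "dport": 443})
    return rec


def _key(r):
    return (r["src"], r["dst"], r["dport"])


def new_pairs(records, recent_start=RECENT_START):
    """(src, dst, dport) tuples seen in the recent window but never in the baseline.
    This is what 'new connections' means once months of history are available."""
    baseline = {_key(r) for r in records if r["ts"] < recent_start}
    recent = {_key(r) for r in records if r["ts"] >= recent_start}
    return sorted(recent - baseline)


def fan_out(records, dport, recent_start=RECENT_START, threshold=3):
    """Sources that opened first-ever connections on dport to >= threshold internal
    hosts: a simple lateral-movement signal for admin protocols such as WinRM or SMB."""
    dsts = defaultdict(set)
    for src, dst, port in new_pairs(records, recent_start):
        if port == dport and ip_address(dst) in INTERNAL_NET:
            dsts[src].add(dst)
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= threshold}


def beacon_candidates(records, recent_start=RECENT_START, min_count=10, max_cv=0.1):
    """Outbound pairs whose inter-connection gaps are nearly constant.
    A coefficient of variation (stdev / mean) below max_cv suggests a timer-driven
    check-in. Only destinations outside INTERNAL_NET are considered, because
    internal scheduled jobs (backups, polling) are periodic by design."""
    times = defaultdict(list)
    for r in records:
        if r["ts"] >= recent_start and ip_address(r["dst"]) not in INTERNAL_NET:
            times[_key(r)].append(r["ts"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            found[key] = round(m, 1)   # mean check-in interval in seconds
    return found


def first_seen(records, src, dst, dport):
    """Earliest timestamp for a pair, answering 'when did this start?'."""
    ts = [r["ts"] for r in records if _key(r) == (src, dst, dport)]
    return min(ts) if ts else None


if __name__ == "__main__":
    data = build_sample()
    print("new pairs:", new_pairs(data))
    print("WinRM fan-out:", fan_out(data, 5985))
    print("beacons:", beacon_candidates(data))
    print("first seen:", first_seen(data, "10.0.3.5", "203.0.113.7", 443))
```

Two design points matter in practice. The baseline is what turns "a connection" into "a new connection": without retained history, the WinRM sessions and the outbound check-ins above are indistinguishable from routine traffic. And periodicity alone is a weak signal, since backup agents, monitoring pollers and update checks are all timer-driven; that is why the beacon check is limited to destinations outside the internal range and why the candidates it returns are a starting point for investigation rather than a verdict.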


We don’t know what the next big supply chain attack will be or when it will take place, but with heightened awareness and tools that offer network visibility and historical data, organizations have a fighting chance against advanced threats.

Sri Sundaralingam | VP of Security and Cloud Solutions | ExtraHop
Sri is the VP of Security and Cloud Solutions at ExtraHop. An accomplished and dedicated product and marketing executive, he brings years of experience in information security, cloud security, data networking, and enterprise software markets.