Instead of having to hack into those individual customers, the attackers just compromised one vendor and let the supply chain take care of the rest, giving them access to the data and networks of its customers.
While the company’s original estimate of those that could have been affected by the corrupted update was around 18,000, SolarWinds CEO Sudhakar Ramakrishna more recently said on an earnings call that the estimate had dropped drastically, to about 100 private sector companies and nine federal agencies.
The federal agencies include the departments of Homeland Security, State, Justice, Commerce and Treasury, plus NASA, the FAA, National Institutes of Health and National Nuclear Security Administration.
It even affected FireEye, a company that helps organizations defend against and respond to breaches. The company announced in a Dec. 13, 2020 blog post that it had discovered the “global intrusion campaign,” allegedly by Russia, that had been going on at least since March 2020. The company also acknowledged it had been a victim itself. Indeed, if FireEye had not gone public, those other thousands of victims might still be unaware that they had been compromised.
This isn’t a new problem—security experts have been warning for years that supply chain vulnerabilities can exponentially increase the damage hackers can cause. But even with ongoing headlines confirming the validity of those warnings, there hasn’t been much substantive improvement in supply chain security over the past decade.
Senate Intelligence Committee Chairman Mark Warner (D-VA) acknowledged as much at a hearing on the SolarWinds hack in February 2021. The attack “highlighted a number of lingering issues that we’ve ignored for too long,” he said.
The good news is that improvement is possible, even without Congress getting involved. The ways to harden supply chain security are well-established. They also work, if organizations implement them.
So how to avoid being that weak link? Read on.
In today’s interconnected world, most organizations are both supply chain consumers and producers. That is, they consume materials, products, and services from third parties like SolarWinds, and they also produce products and services for other organizations or for the public.
But the security emphasis is a bit different for each role. An earlier post on this blog site focused on security recommendations for consumers in the supply chain. This one will focus on producers.