Supply Chain Hacks

There are four basic ways that malicious code can be introduced:

  1. Programmer or Administrator with legitimate access
  2. Payload delivered by a user action
  3. Direct attack on the hosting server through a security weakness
  4. A “Supply Chain” attack on a company providing software or ‘library’ code to other companies.


1: About twenty years ago when a company was planning to dismiss a malcontent employee, I was asked to review all the code that they had written recently. I found code that would be accessible as a URL and would anonymously edit a back-end database used to populate their public website.

2: Users opening an email attachment, visiting a website, or, as reputed for Stuxnet, using a USB flash drive that had been left in the facility’s car park.

3: During August & September 2018 the British Airways website payment section contained code that harvested customer payment data. The injected code was written specifically to route credit card information to a website in a domain that could erroneously be thought to belong to British Airways.

4: The hack is carried out on a provider’s system: either hacking the code itself at the provider, or a hack re-routing download requests to another server. Press reports about M.E.Doc in 2017 make it clear this was a supply chain attack, but the attack vector used is not specified.

Talos Intelligence speculate that an ‘insider’ introduced malicious code into CCleaner V5.33: the executable file had been signed with the supplier’s genuine certificate, meaning this hack was not re-routing download requests to another server.
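The difference between the two vectors in point 4, and why a genuine signature on CCleaner points away from re-routing, can be shown with a published digest standing in for the code-signing check. This is an added example, not code from this article or from any vendor; the function names and sample bytes are constructed, and it assumes the manifest reaches the customer over a channel the attacker does not control.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for an installer and an implant.
CLEAN_BUILD = b"installer clean build (constructed sample)"
IMPLANT = b" +implant (constructed marker)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_publish(build_output: bytes) -> dict:
    """Hypothetical vendor pipeline: ship the artifact with a manifest digest.

    The digest vouches for whatever the pipeline produced, clean or not.
    """
    return {"artifact": build_output, "manifest_sha256": sha256_hex(build_output)}


def customer_accepts(received: bytes, manifest_sha256: str) -> bool:
    """Customer-side check: constant-time compare of digest to the manifest."""
    return hmac.compare_digest(sha256_hex(received), manifest_sha256)


def run_scenarios() -> dict:
    results = {}

    # Baseline: clean build, download served by the vendor.
    release = vendor_publish(CLEAN_BUILD)
    results["clean"] = customer_accepts(release["artifact"], release["manifest_sha256"])

    # Vector A: download re-routed to another server. The vendor's manifest
    # still describes the clean build, so the swapped file fails the check.
    swapped = CLEAN_BUILD + IMPLANT
    results["rerouted_download"] = customer_accepts(swapped, release["manifest_sha256"])

    # Vector B: code changed at the provider before release. The manifest is
    # computed over the tainted build, so the check passes.
    tainted = vendor_publish(CLEAN_BUILD + IMPLANT)
    results["changed_at_provider"] = customer_accepts(
        tainted["artifact"], tainted["manifest_sha256"]
    )
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

A passing integrity check therefore tells the customer where the file came from, not whether the build behind it was clean.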

Ian Thornton-Trump, in his article Stop Thinking Nationally About Cybercrime, puts forward the suggestion that economic hacking may be deliberately cross-border. This is like the ‘County Lines’ gangs in England, where criminals traded across the boundaries of the British police structure. This slowed down the police detecting and acting against the gangs’ activities. A similar motivation may be behind cybercriminal activity. Perhaps in response to this, some countries, notably China, Iran and Russia, have started implementing the ability to isolate their national infrastructures. Curiously, these are the same countries mentioned in an EDPACS article by Ian, The Politics of Cyber, as nation state 'Advanced Persistent Threat (APT)' actors.

Complacency that Apple machines had not been targeted ended when Apple’s Mac and iOS platforms were hit with XcodeGhost in 2015 through an infected version of an Apple development environment. Developers unwittingly incorporated a contaminated version of the code into their app, allowing the insertion of malicious code. Over 4000 apps were reported to have been infected.

The traditional protection against these attacks has been to deploy anti-virus software to each end point looking for the known signatures of an attack vector stored in a library, with the library being updated on a daily basis. That approach has two significant failings:

  1. Somebody has already experienced that attack, perhaps many thousand people.
  2. The vendor needs to catalogue the new attack and make the ‘inoculation’ available.

As an analogy, just as Alan Turing built the ‘Bombe’ machine to crack the Enigma codes on the basis that only a cleverer machine could defeat another machine, so artificial intelligence machine-learning is needed to react to zero-hour machine attacks. This is where the likes of Darktrace and their competitors come into play: detecting truly novel behaviour in sub-second time-frames and stopping further action until there has been a human review.
