Cybersecurity truisms have long been described in simple terms of trust: Beware email attachments from unfamiliar sources, and don’t hand over credentials to a fraudulent website. But increasingly, sophisticated hackers are undermining that basic sense of trust and raising a paranoia-inducing question: What if the legitimate hardware and software that make up your network have been compromised at the source?
That insidious and increasingly common form of hacking is known as a “supply chain attack,” a technique in which an adversary slips malicious code or even a malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier’s customers—sometimes numbering hundreds or even thousands of victims.
“Supply chain attacks are scary because they’re really hard to deal with, and because they make it clear you’re trusting a whole ecology,” says Nick Weaver, a security researcher at UC Berkeley’s International Computer Science Institute. “You’re trusting every vendor whose code is on your machine, and you’re trusting every vendor’s vendor.”
The severity of the supply chain threat was demonstrated on a massive scale last December, when it was revealed that Russian hackers—later identified as working for the country’s foreign intelligence service, known as the SVR—had hacked the software firm SolarWinds and planted malicious code in its IT management tool Orion, allowing access to as many as 18,000 networks that used that application around the world. The SVR used that foothold to burrow deep into the networks of at least nine US federal agencies, including NASA, the State Department, the Department of Defense, and the Department of Justice.
But as shocking as that spy operation was, SolarWinds wasn’t unique. Serious supply chain attacks have…