Diary Of An Ongoing Software Supply Chain Cyberattack

On June 15, 2022, a shadowy hacker group known as TA551 set its sights on a company that offers training and certification to IT administrators, system administrators and other vital IT personnel working for some of the world’s largest corporations.

From there it was game on. The hackers replaced the original exam simulator software of the education company infecting the IT personnel who used it. Then, via use of stealer malware that was undetectable to antivirus software, they began seizing IT personnel’s user identities, giving them a back door into the networks of dozens of the education site’s corporate clients, including Fortune 500 companies. The corporate clients, in turn, unknowingly infected their suppliers.

TA551, a financially motivated threat actor which has targeted the energy, healthcare, finance, manufacturing and insurance sectors in the Americas, Europe, and Asia. ·  next sold tailored access to other hacker groups.

Total victim count is difficult to pin down but is estimated to be around 15,000 with an estimated 7.5 million lines of data stolen, says Berk Albayrak, a veteran analyst at Prodaft, the cyber threat intelligence company that discovered the breach.  He is scheduled to outline the supply chain attack – which has not previously been reported in the press- at a conference on supply chain security hosted by Switzerland’s Federal Institute of Technology’s (EPFL) Center For Digital Trust on March 30 in Lausanne.

When active connections from infected victims are analyzed, most had been ongoing for more than six months. No one suspected anything until Prodaft’s stealth mode monitoring of the group exposed the hack.

Even now, there are still multiple active connections to victim’s computers that haven’t been shut down, says Albayrak, who is shielding the names of the companies impacted because the attack is still in progress. “This is still an ongoing attack. It is hard to calculate the damage,” he says.

The TA 551 supply chain attack demonstrates how an attacker can distribute its malicious code to thousands, if not millions, of victims. Supply chain attacks target software updates, build processes, and source code by seeking vulnerabilities and unsecure servers and protocols. This enables hackers to alter source code and hide malware or backdoors in the updates or design builds. Because these apps and updates are released by trusted vendors the malicious code is unleashed  without either the victims or the vendors being aware of the compromise or vulnerability.

A Growing Number Of Attacks

SolarWinds was the hack that put software supply chain attacks on the map. Its IT monitoring system, Orion, which is used by over 30,000 organizations including federal, state, and local agencies, was compromised by hackers.. This enabled the hackers to deliver backdoor malware in an Orion software update.Not only could the hackers access and imitate the victims’ accounts/users, the malware could also access system files and work among SolarWinds’ legitimate activities, going undetected even by antivirus software. The attackers went unnoticed from when they first hacked into the system in September 2019 to the first public discovery/report of the attack in December 2020.

Overall, approximately 18,000 customers installed the malicious Orion update, allowing the hackers to unleash even more malware and havoc on their systems. Those affected included Cisco, Deloitte, Intel, Microsoft, FireEye, and various government departments, including the U.S. government agency Homeland Security.

Several other supply chain hacks made the headlines in 2021.The Colonial Pipeline attack, which took place in May of that year  and shut key conduits delivering fuel from Gulf Coast refineries to major East Coast markets in the U.S, was due to the breach of a single password.

In July 2021, IT management software company, Kaseya, announced it had been the victim of a supply chain attack after hackers exploited a vulnerability in its vector signal analysis (VSA) software. The attackers, later revealed to be a group known as REvil, used the vulnerability to carry out ransomware attacks on multiple managed service providers  and their customers. By hacking the VSA server, which is used to deploy various automated IT tasks and software, hackers were able to infiltrate systems via a fake update. Kaseya estimated that 60 of its customers and a further 1,500 businesses were affected by the attack.

At the end of 2021, Log4j, a Java-based logging utility, was victim to a vulnerability called Log4Shell that put millions of computers at risk. Built by the Apache Software Foundation, Log4j is open-source software that records diagnostic information about systems and communicates them to users and administrators. The Log4Shell vulnerability meant attackers could break into systems, steal data, uncover logins and passwords, and unleash further malicious software. Since Log4j is used by a large number of individuals and organizations, it put an extraordinary amount of users and businesses at risk of attack.

While incidents like the SolarWinds hack and its fallout showed how wrong things can go when attackers infiltrate commonly used software, the Log4j meltdown speaks more to how widely the effects of a single flaw can be felt if it sits in a foundational piece of code that is incorporated into a lot of software.

The number of supply chain attacks is expected to continue to rise. Attack techniques used to compromise suppliers in supply chains include not only software vulnerabilities and malware infections but also social engineering, brute force attacks, exploitation of configuration problems and modifying hardware, according to a report by the European Union’s Agency for Cybersecurity.

The Evolution of Malware

A major reason for the increase in financially motivated supply chain attacks is that it is getting easier and less risky to launch them, says Ege Balci, a Prodaft Threat Intelligence Division Manager, who is scheduled to speak at the Lausanne conference about the evolving malware industry.

“By using Malware-as-a-Service (MaaS) platforms less skilled cybercriminals are transferring the risk of maintaining infrastructure to more professional hacker groups,” says Balci.

Take the case of Malware-as-a-Service (MaaS) offerings such as Raccoon Stealer. The service allows would be hackers to lease software and hardware for carrying out cyberattacks. Owners of MaaS servers provide paid access to a botnet that

distributes malware. Typically, clients of such services are offered a personal account through which to control the attack, as well as technical support, says Balci.

The Genesis Market, an invitation-only market online shop that sells login credentials, cookies and device fingerprints that help hackers thwart security protocols, is another example of how much easier it is for hacking groups to gain access to corporate networks.

Cyber criminals are also using anonymity browsers to steal credentials. These browsers allow criminals to import everything on a users’ browser. “From that point on there is no way of differentiating the attacker and the victim,” says Balci. “They can get onto every kind of platform and every kind of account held by the victim, bypassing all the safeguards.”

Mitigation Strategies

The sophisticated tools in current use by cyber criminals make it hard to prevent attacks, he says. “There is no magic formula to prevent this but having some sort of threat intelligence service or consulting will help a lot as will employee awareness training.”

The ongoing TA551 supply chain attack should serve as a warning to companies, says Balci. “There are very similar cases happening daily. This shows the level of unpreparedness of corporations and just how vulnerable they are.”

This article is content that would normally only be available to subscribers. Sign up for a four-week free trial to see what you have been missing.


About the author

Jennifer L. Schenker

Jennifer L. Schenker, an award-winning journalist, has been covering the global tech industry from Europe since 1985, working full-time, at various points in her career for the Wall Street Journal Europe, Time Magazine, International Herald Tribune, Red Herring and BusinessWeek. She is currently the editor-in-chief of The Innovator, an English-language global publication about the digital transformation of business. Jennifer was voted one of the 50 most inspiring women in technology in Europe in 2015 and 2016 and was named by Forbes Magazine in 2018 as one of the 30 women leaders disrupting tech in France. She has been a World Economic Forum Tech Pioneers judge for 20 years. She lives in Paris and has dual U.S. and French citizenship.