On Software Supply Chains

by King Ables

The attack on the SolarWinds network management platform Orion allowed a bad actor to inject malware into the product prior to it being signed and deployed to customers during a regular software update. This highlights a largely underappreciated but universal truth of the Internet age--almost all businesses depend on a software supply chain they do not control. This attack affected many IT infrastructures across all industries.

Here at atsec, we do not use any of the tools involved, so we have no concerns about this attack related to our local network, our data, or the data we maintain for our customers. However, a number of other companies, like health insurance providers, possess some of our data in order to provide their services. We have asked all of our suppliers to provide what they can about their own assessment of whether they could have been affected and if any of our data might have been compromised.

We received quite the variety of responses.

Not everyone has a definitive answer yet. This is understandable as long as they are actively investigating. This is an evolving issue and even an initial assessment may change over time as new information is discovered.

Some responses were simply unhelpful, like a link to a web page describing the vendor's standard privacy and security policies. The page contained no information regarding this specific attack and therefore did not answer our question.

So far, only one vendor answered with enough detail that we are confident they have performed a substantive analysis. We will continue to query the others until we can have this same confidence in their answers.

Any organization using the SolarWinds Orion network management platform in the last 16 months should be actively performing an analysis to determine if and how their environment may have been affected. This would start with current network traffic monitoring and audit log analysis going back to at least October 2019, when the attack is currently believed to have started. These activities should continue until the software is updated and the backdoor is verified to have been eliminated.