Lessons from the SolarWinds Hack | Chiueh Tzi-Cker
On December 13, 2020, the American cybersecurity company FireEye announced that it had discovered a global intrusion campaign still in progress. Victims have been identified in North America, Europe, Asia, the Middle East and elsewhere, and FireEye itself was among those compromised. The attackers first broke into SolarWinds, an IT management software company based in Austin, Texas, and inserted a backdoor (later named SUNBURST by FireEye) into builds of Orion, SolarWinds' enterprise network management platform. Because the tampered builds were signed with SolarWinds' own code-signing certificate, they passed as genuine, and Orion's automatic update mechanism then delivered the backdoor into the internal networks of SolarWinds' corporate customers.
Open-source software becoming a vector of attacks
Of SolarWinds' roughly 275,000 customers, about 18,000 had installed Orion updates since March 2020 and so received the backdoor. These potential victims include more than 400 Fortune 500 companies (Microsoft among them) and several major U.S. government bodies, including the Departments of Defense, Treasury, Energy, Homeland Security, Justice and Commerce; even the National Security Agency was not spared. Although no conclusive evidence has been made public, FireEye and U.S. intelligence agencies preliminarily attributed the operation to Russia's Foreign Intelligence Service (SVR), based on the tradecraft with which the backdoor was used to reconnoiter victim environments and to move further into their systems.
Given that both the scope of the intrusion and the length of time the attackers remained undetected are unprecedented, it is no wonder that Senator Dick Durbin of Illinois was angry enough to call the attack "virtually a declaration of war" against the U.S.
Although U.S. intelligence agencies believe the main purpose of the SolarWinds operation was to gather intelligence rather than to disrupt the victims' ICT systems, its threat is eliminated only when every change the intruders made to a victim's IT environment has been found and reversed. Because the attackers had been inside for up to nine months, uninstalling Orion alone does not achieve this: once inside, they moved well beyond Orion, harvesting credentials, forging authentication tokens and adding their own trust relationships in victims' identity systems, so their access can survive removal of the original implant. For most victims, identifying every change made to the intranet, operating systems and applications over those months from host and network logs alone is a great challenge, and the coordination difficulties and manpower shortages caused by COVID-19 make it harder still.
The SolarWinds incident demonstrates both the technical feasibility and the power of attacks on the software supply chain. The attacker first catalogs the software used by the targeted organizations, identifies the suppliers whose security is weakest, breaks into those suppliers to implant malware in their products, and finally lets the suppliers' own release and update mechanism carry the malware straight into the targets, signed and trusted like any legitimate version.
Orion is not the first vector for attacks on the software supply chain, and it will not be the last. In particular, because many commercial applications make extensive use of open-source components, and open-source packages are generally maintained and reviewed less strictly than commercial software, experts predict that open-source software is likely to become the main vehicle for future supply chain attacks.
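As an added example (not part of the original column, and not SolarWinds' or any vendor's code), the following Python script shows the check that follows from the two paragraphs above: the update channel is the delivery path, and a valid vendor signature does not prove a build is clean when the vendor's own pipeline has been compromised. It compares each delivered artifact against a digest recorded independently at review time and reports anything unpinned, changed or missing. The package names, artifact bytes and the HMAC stand-in for the vendor's code-signing certificate are all constructed for the example.

```python
"""Pinned-digest verification of delivered software updates (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed "vendor signing key" standing in for a code-signing certificate.
# A compromised build pipeline signs the trojanized build with the genuine key,
# so the signature verifies and tells the customer nothing about the contents.
VENDOR_KEY = b"vendor-build-signing-key (constructed)"


def vendor_sign(artifact: bytes) -> bytes:
    """Stand-in for the vendor's code signing (HMAC instead of a certificate)."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, sig: bytes) -> bool:
    """Constant-time check of the stand-in signature."""
    return hmac.compare_digest(vendor_sign(artifact), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str    # bad_signature | unpinned | digest_mismatch | missing
    detail: str


def verify_updates(pins: dict[str, str],
                   delivered: dict[str, tuple[bytes, bytes]]) -> list[Finding]:
    """Compare delivered artifacts (bytes, vendor signature) against digests the
    customer recorded when the release was reviewed. Every deviation is a
    finding; an empty list means the delivered set matches what was reviewed."""
    findings: list[Finding] = []
    for name, (blob, sig) in delivered.items():
        if not signature_valid(blob, sig):
            findings.append(Finding(name, "bad_signature", "vendor signature does not verify"))
            continue
        if name not in pins:
            # Signed by the vendor, but never reviewed: exactly the case an
            # automatic update channel pushes through unnoticed.
            findings.append(Finding(name, "unpinned", "no recorded digest; update not reviewed"))
            continue
        actual = sha256_hex(blob)
        if actual != pins[name]:
            findings.append(Finding(name, "digest_mismatch",
                                    f"expected {pins[name][:12]}..., got {actual[:12]}..."))
    for name in pins:
        if name not in delivered:
            findings.append(Finding(name, "missing", "pinned component absent from delivered set"))
    return findings


def demo() -> list[Finding]:
    """Constructed scenario: a reviewed build, then a signed but modified one."""
    clean_build = b"network-monitor core 2.1 (constructed sample bytes)"
    # The attacker's modified build is signed by the vendor's own pipeline.
    trojaned_build = clean_build + b"\n// injected backdoor stub (constructed)"
    pins = {
        "core": sha256_hex(clean_build),
        "agent": sha256_hex(b"agent 1.0 (constructed sample bytes)"),
    }
    plugin = b"plugin 0.1 (constructed sample bytes)"
    delivered = {
        "core": (trojaned_build, vendor_sign(trojaned_build)),
        "newplugin": (plugin, vendor_sign(plugin)),
    }
    return verify_updates(pins, delivered)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.package}: {f.kind} ({f.detail})")
```

Run directly, the script reports the modified core build as a digest mismatch even though its vendor signature verifies, the unreviewed plugin as unpinned, and the absent agent as missing. The limitation matters: a pinned digest only catches a build that differs from the one reviewed. If the first version an organization ever pins is already trojanized, this check passes, which is why reproducible builds and behavioral monitoring of the updated host are needed alongside it.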
A speedy response is needed for software supply chains
U.S. national security agencies must already have begun devising remedies for supply chain attacks, including scanning the software supply chain of first-tier government agencies for backdoors that remain undetected, and assessing, or even strengthening, the internal security of the companies in that supply chain. Taiwan's national security agencies need to conduct similar inspections and assessments of their own, because the software supply chain of Taiwan's first-tier government agencies is not the same as that of the U.S. government, so the U.S. findings cannot simply be reused.
Technology-intensive companies such as TSMC, Largan and MediaTek should likewise take software supply chain attacks seriously and draw up countermeasures as soon as possible. The biggest lesson of the SolarWinds incident is that an unobtrusive commercial application, such as a file format conversion tool, can conceal a backdoor capable of leaking valuable know-how and sabotaging the very companies that underpin the country's security.
(Chiueh Tzi-Cker, General Director of the Information and Communications Research Laboratories of ITRI)