One of the most irritating things about the SolarWinds attack[1] was that the Russian crack went unnoticed from March to December 2020. During that time, the Russian government's[2] SolarWinds[3] hack was opening the door to the secrets of numerous top American government agencies and tech companies. Even now, we're still trying to get our minds around just how widespread and damaging the SolarWinds cracks[4] were.

The root cause of this crack was a dangerous set of software supply-chain failures. It's too late for anything but damage control at SolarWinds, but The Linux Foundation[5] has drawn several lessons to help your programs, whether open source or proprietary, avoid SolarWinds-style disasters.


David A. Wheeler, the Linux Foundation's Director of Open Source Supply Chain Security, explained that in the Orion attack the malicious code was inserted into Orion by subverting the program's build environment: the process in which a program is compiled from source code into the binary executable that end-users deploy. In this case, the security company CrowdStrike[8] worked out that the Sunspot malware watched the build server for build commands and silently replaced some of Orion's source code files with malware[9]. The compiler then built the backdoor into the product, and the vendor's own release process signed the result.

By getting into the program before it's even properly a program, this hack makes most conventional security advice useless. For example:

  • "Only install signed versions" doesn't help because this software was signed.

  • "Update your software to the latest version" doesn't help because the updated software was the subverted one. 

  • "Monitor software behavior" eventually detected the problem, but the attack was quite stealthy and was only detected after
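The list above makes a point worth seeing in code: a release signature covers whatever comes out of the build, so when the build's own inputs are swapped, the signed artifact is the subverted one and the signature verifies perfectly. What a signature cannot tell you, an integrity check of the source tree taken immediately before compilation can. The script below is an added illustration written for this article, not code from SolarWinds, CrowdStrike or the Linux Foundation. It uses a toy "compiler" that just concatenates source files, an HMAC as a stand-in for the vendor's code signature, and constructed file names (`main.c`, `util.c`); in a real pipeline the expected manifest would come from the checked-out commit, not from a dictionary built moments earlier.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large sources are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def source_manifest(root: Path) -> dict:
    """Map every source file (path relative to root) to its SHA-256.
    In practice this comes from the trusted checkout, e.g. the git commit."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_sources(root: Path, expected: dict) -> list:
    """Files whose content differs from the recorded manifest
    (modified, added or missing). An empty list means a clean tree."""
    actual = source_manifest(root)
    return sorted(
        path for path in set(expected) | set(actual)
        if expected.get(path) != actual.get(path)
    )


def build(root: Path) -> bytes:
    """Toy compiler (assumption): the 'binary' is the sources concatenated."""
    return b"".join(p.read_bytes() for p in sorted(root.rglob("*")) if p.is_file())


def sign(artifact: bytes, key: bytes) -> str:
    """Stand-in for code signing; real releases use asymmetric signatures."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(artifact, key), sig)


def simulate_build_server_subversion() -> dict:
    """Replay the Sunspot pattern on a constructed source tree:
    the attacker swaps a source file after checkout but before compile."""
    vendor_key = b"vendor-release-key"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as td:
        src = Path(td)
        (src / "main.c").write_text("int main(void) { return util(); }\n")
        (src / "util.c").write_text("int util(void) { return 0; }\n")

        # Manifest captured from the trusted checkout, before any build runs.
        expected = source_manifest(src)
        clean_before = verify_sources(src, expected)  # expect []

        # Attacker on the build host silently replaces one source file.
        (src / "util.c").write_text(
            "int util(void) { /* backdoor */ return beacon_home(); }\n"
        )

        # The vendor's pipeline compiles and signs whatever is on disk.
        artifact = build(src)
        sig = sign(artifact, vendor_key)

        return {
            "tampered_before_attack": clean_before,
            "tampered_files": verify_sources(src, expected),   # ['util.c']
            "signature_valid": verify_signature(artifact, vendor_key, sig),  # True
        }


if __name__ == "__main__":
    result = simulate_build_server_subversion()
    print(result)
```

The signature check passes because it was never designed to answer "were these the sources we meant to compile?"; only the pre-build manifest comparison answers that, and it has to be taken from something the build host cannot rewrite.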

Read more from our friends at ZDNet