Sun, Jul 26, 2020

Deep impact: States and software supply chain attacks

Feature by Trey Herr, June Lee, Will Loomis, and Stewart Scott

Related Experts: Trey Herr, Stewart Scott, Will Loomis,

China Cybersecurity Iran Korea Russia Technology & Innovation

States have used software supply chain attacks to great effect. Hijacked updates have routinely delivered the most crippling state-backed attacks, thanks in part to a continued failure to secure the code-signing process. While concerns about the real-world ramifications of attacks on firmwareIoT devices, and industrial systems are warranted, these are far from novel threats. Stuxnet and other incidents have had physical impacts as early as 2012. Several of these incidents, like NotPetya and the Equifax data breach in 2017, impacted millions of users, showcasing the immense potential scale of software supply chain attacks and their strategic utility for states. For Russia, these attacks have meant access to foreign critical infrastructure, while for China, they have facilitated a massive and multifaceted espionage effort. This section discusses trends in known state software supply chain attacks supported by publicly reported attribution, focused on four actors: Russia, China, Iran, and North Korea. The data in this report also include incidents linked to Egypt, India, the United States, and Vietnam, for a total of 27 distinct attacks.  

NotPetya (2017)
NotPetya was a seemingly indiscriminate cyberattack that wreaked havoc on global supply chains by rendering infected computers useless and wiping them clean. Attributed to the Russian hacking group Sandworm Team, the attack targeted Ukraine, but unleashed a self-replicating infection that quickly spread around the world. NotPetya in its initial stages was a software supply chain attack, as attackers compromised an update for the MEDoc software, a Ukranian tax preparation program, to spread ransomware which utilized exploits stolen from the US intelligence community. NotPetya infected vast numbers of machines, disrupting operations for multinational corporations such as Maersk, FedEx, and Merck & Co., resulting in over $10 billion in damages and making it one of the costliest cyberattacks in history.  


Four of the five attacks attributed to Russia in our dataset involved initial insertion of malicious code into a third-party app, made possible by gaining access to an account with editing permissions. Russian actors were responsible for the 2017 NotPetya attack, one of the most destructive software supply chain attacks to date. After inserting a malicious payload, Russia relied on diverse means to distribute this code, including hijacked updates, a worm component, phishing, and a hardware component. Notably, every attack involved multiple vectors for distribution.

Dragonfly 2.0 Attacks (2015)
DragonFly 2.0, which started in early 2015 and was named after the group behind the series of attacks, used a variety of vectors including spear phishing emails inviting victims to New Years’ Eve parties and contaminated Adobe flash updates to obtain network credentials from targets in the energy sector. It is clear from the structure of the attack that the goal was to both learn how energy facilities operate and gain persistent access to operational systems. Launched by Russian APT Energetic Bear, attackers were able to gain operational control of interfaces that power company engineers use to send commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into homes and businesses in the United States. The attacks stole network credentials and allowed for later installation of malware, relying mostly on off-the-shelf malware, making attribution difficult throughout the prolonged campaign.  

Interestingly, three of the five attacks involved downstream targets in the energy sector. For instance, the 2015 Dragonfly 2.0 attack relied on a variety of vectors—including spear-phishing, watering-hole attack-style attacks, and Trojanized software updates—to obtain network credentials from targets in the US, Swiss, and Turkish energy sectors. Launched by Russian APT Energetic Bear, attackers were able to gain operational control of interfaces that power company engineers use to send commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into homes and businesses in the United States. Russian attackers similarly compromised Ukraine’s power grid in 2015, interrupting service to 225,000 customers in a complex infrastructure attack that involved spear phishing, credential stealing, malware insertion, distributed denial-of-service (DDoS) attacks on call centers, and firmware attacks. Russia has repeatedly engaged in software supply chain attacks against Ukrainian entities or programs since 2015, in line with its practice of testing cyber war tactics in Ukraine.


Of the state actors featured in the dataset, China has conducted the most software supply chain attacks (eleven) and demonstrated the greatest level of consistency in attack and distribution methods. The earliest case attributed to Chinese actors was in 2011, suggesting that China has been targeting software supply chains for longer than other state actors. Most Chinese attacks relied on a third-party application for their initial insertion point; in the majority of cases, the affected code was found in an update server. Chinese attacks were notably consistent in the method of distribution: eight of eleven cases relied on hijacked updates to distribute malicious code, while several cases relied on supply chain service providers. For instance, in the 2017 Kingslayer attack, Chinese attackers (likely APT31) targeted a Windows IT admin application to include malicious code under a valid signature, which could spread either by updating or downloading the application. The attack compromised a huge list of higher-education institutions, military organizations, governments, banks, IT and telecom providers, and other enterprises, as the malware installed a secondary package that could up- and download files, execute programs, and run arbitrary shell commands. With respect to impact, Chinese attacks tended to be of vast scale, gaining access to the personal data of millions of users, or impacting hundreds of companies.

CCleaner (2017 & 2019)
In September 2017, attackers gained access to an essential developer account for the CCleaner software, a popular computer clean-up tool. Attackers used this account to insert malicious software into the cleaner that sent system specifics back to an attacker command and control server. The attack initially infected over two million computers and downloaded a second, stealthier payload onto selected systems at 20 tech companies. The attack began several weeks after antivirus firm Avast acquired Piriform; Avast did not do its proper due diligence during the acquisition and left its customers vulnerable. Researchers speculate that the attack may be attributable to Chinese group APT17. While the exact contents of the second (and a possible third) payload are unknown, it is related to the ShadowPad malware platform.  Attackers again stole credentials to gain privileges on Avast’s network in September 2019, targeting CCleaner. This time, however, the questionable network activity was spotted by Microsoft’s Advanced Threat Analytics service. In response, Avast preemptively halted an upcoming update, renewed its code signing certificates to protect future updates, and warned users. The aim of the attack was seemingly to steal intellectual property from users.  

Chinese software supply attacks are aimed more at corporate entities; eight attacks had companies and dependent users as their downstream targets. Given that all Chinese attacks resulted (or could have resulted) in data extraction, this data is consistent with continuing US concerns about Chinese intellectual property theft and economic espionage. The 2020 GoldenSpy malware notably targeted a multinational tech vendor servicing Western defense sectors by requiring it to install tax-paying software embedded with sophisticated malware while operating in China. We found that the greatest number of attacks occurred in 2017. The timing may have been influenced by the conflicting, but often hostile, moves taken against China by the US administration in 2017.

ShadowHammer (2018)
The ShadowHammer attack occurred in 2018 when a threat actor—possibly linked to the China-backed group that conducted the similar ShadowPad attack in 2017, called Barium—obtained two legitimate ASUS certificates and used them to push updates laced with malicious code to nearly a million machines. By stealing these certificates, the attackers were able to hide in the ASUS update system and spread to new devices. The malware searched for 600 individual computers, using the machine’s MAC addresses, and downloaded a second payload to the selected devices. The attack was also linked to at least six other incidents in which sensitive certificates were stolen from companies and used to spread malicious code that collected user information.  

North Korea

The dataset features one software supply chain attack likely linked to North Korea—the 2013 compromise of two file-sharing services’ auto-update features in order to launch a DDoS attack on South Korean government websites. The attack was launched by the cyber adversary responsible for the “DarkSeoul” attack on South Korean banking and media in March 2013 and is consistent with other attacks by the group in the past. This group has previously launched cyberattacks on days of historical significance in the United States and South Korea. The attack featured in the dataset occurred on June 25, the anniversary of North Korea’s invasion of South Korea in 1950, which marked the start of the Korean War. In early 2013, North Korea also conducted an underground nuclear missile test and, in response to tightening sanctions by the United Nations in March, cut off communications with South Korea, threatened to launch a preemptive nuclear strike against the United States and South Korea, and pledged to restart its Yongbyon nuclear plant to provide material for its weapons program. The high-profile nature of the software attack on June 25 and the extensive damage it caused may accordingly be seen in the context of North Korea’s escalation of military provocations at the time. 

Technical elements of the attack are also indicative of methods attributed to the adversary and North Korea more generally. The attack targeted a third-party app and was distributed through a hijacked software update. The dropped malware also allowed for remote code execution and established a botnet to carry out a DDoS attack, consistent with North Korea’s history of launching DDoS attacks (e.g., by North Korean APT Hidden Cobra). It is important to note that the adversary’s targeting of IP addresses that serve as DNS name servers demonstrates careful research into the target in order to maximize damage, an approach also seen in the March 2013 “DarkSeoul” attack.


The dataset features one software supply chain attack weakly attributed to Iran—the 2020 Kwampirs malware campaign targeting companies in the industrial control systems sector, especially the energy industry. The attack initially targeted supply chain software providers through exploitation of default passwords. The attackers distributed the Kwampirs Remote Access Trojan (RAT) through supply chain software vendors who would install infected devices on the target’s network. The attack resulted, or likely resulted, in back door access and data extraction. The Kwampirs RAT was previously deployed in 2018 by a group called Orangeworm in similar attacks against supply chain software companies in the healthcare sector, and different entities feeding into the healthcare supply chain. While these attacks and the current campaign have not been directly attributed to Iran, the Kwampirs malware was found to contain numerous similarities to the Shamoon data-wiping malware used by Iranian-linked APT33, and also employed in multiple attacks against the energy sector. FireEye, a California-based cybersecurity firm, noted that targeting of organizations involved in energy and petrochemicals reflects a common interest and continuing thread among suspected Iranian threat groups. Previous reports suggest Iranian actors have targeted energy sector organizations headquartered in the United States, Saudi Arabia, and South Korea in an attempt to gain insight into regional rivals and potential competitors.

Other State Attacks

Other state actors have also engaged in software supply chain attacks; this dataset features incidents attributed to the United States, India, Egypt, and Vietnam. Stuxnet—widely attributed to the United States and Israel—was one of the earliest examples to use stolen certificates and potentially one of a handful to leverage a hardware vector to compromise. Two campaigns were attributed to the US-attributed Equation Group (PassFreely and EquationDrug & GrayFish). In 2013, PassFreely enabled bypass of the authentication process of Oracle Database servers and access to SWIFT (Society for Worldwide Interbank Financial Telecommunication) money transfer authentication. In 2015, the EquationDrug & GrayFish programs used versions of nls_933w.dll to communicate with a C&C server to flash malicious copies of firmware onto a device’s hard disk drive, infecting 500 devices. Both attacks involved a supply chain service provider as a distribution vector.

Flame (2010)
Flame is a highly sophisticated espionage toolkit that infected systems throughout the Middle East, particularly in Iran, as part of a state-sponsored cyberespionage operation. Attackers used a sophisticated mathematical attack to generate fake Microsoft security certificates, allowing them to impersonate a Microsoft software update and spread to hundreds of machines. The malware was primarily intended to spy on users of infected systems and exfiltrate vast amounts of sensitive data, including microphone recordings, documents, password information, and screenshots. Flame was likely developed by a nation state and could exfiltrate data via USB devices and local networks. In 2012, Flame was believed to have infected approximately 1000 systems across diverse industries.

The United States is generally distinguished from several of the other states highlighted here by formulation and operation of due process constraints on how attacks like these are developed, targeted, and deployed. One former senior US national security official reflected of Stuxnet, “If a government were going to do something like this, a responsible government, then it would have to go through a bureaucracy, a clearance process… It just says lawyers all over it”. The operational constraints imposed by democratic accountability and the trend toward what Peter Berkowitz labeled the “lawyering of war” offer some meaningiful distance between the United States and several of the other states on this list, though those distinctions blur where legal protections are ignored or interpreted beyond the bounds of accepted logic.

The attacks attributed to the other three states notably all involved attacker applications uploaded to a proprietary app store, leading to data extraction and often remote code execution. A January 2020 attack involving three malicious apps on Google Play Store was linked to APT SideWinder (previously attributed to India). The attack exploited a serious zero-day vulnerability through which the CallCam, Camero, and File CryptManager apps, once downloaded, could extract extensive machine data, including screenshots, and send them to a C&C server. The Egyptian government is believed to have been involved in a hacking campaign against Egyptian human rights activists, in which attackers crafted applications that used OAuth Phishing, generating fake requests for access to Google, Yahoo, Hotmail, and Outlook accounts before stealing emails. The attack also led to 5,000 downloads of malicious mobile apps from the Google Play Store that would enable attackers to view call log information. Finally attackers connected to Vietnam-linked APT 32 (OceanLotus), used a variety of techniques to sneak malware into various browser cleanup apps on the Google Play Store; the attack sent device specs to a C&C server, allowing the attackers to download custom-designed malware onto target devices, likely for espionage. Three attacks from 2011 and 2012 (Duqu, Flame, Adobe code signing hack) have not been attributed to a particular state, but likely involved state actors based on the highly sophisticated and targeted nature of the attacks. These attacks relied on a variety of attack and distribution vectors, and were some of the most destructive attacks in the dataset.

As discussed in the introduction, this report’s findings constitute a lower bound on the total population of supply chain attacks and disclosures. The dataset’s contents are shaped by the limitations of publicly available research on software supply chain security—both in the scope and geographical focus of research efforts. Accordingly, the dataset focuses on incidents involving state actors traditionally covered in cybersecurity research, namely, China and Russia, North Korea, and Iran while understating those from countries in the developing world and Global South.

Cyber Statecraft Initiative

Working at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Read More