The December 2020 Sunburst campaign revealed the supply chain as a new attack vector that will continue to be exploited, says Steve Grobman, senior VP and chief technology officer at cybersecurity multinational McAfee.
Sunburst exploited the SolarWinds Orion information technology (IT) monitoring and management software platform and used it to distribute a malicious software backdoor, called Sunburst, to dozens of that company’s customers, including several high-profile US government agencies.
McAfee believes the discovery of the SolarWinds-Sunburst campaign will expose attack techniques that other malicious actors around the world will seek to duplicate this year and beyond, says Grobman.
"This SolarWinds-Sunburst campaign is the first major supply chain attack of its kind and represents a shift in tactics where nation-state threat actors have employed a new weapon for cyber-espionage, and the use of a supply chain attack has changed the way we need to consider defence against cyberattacks," he highlights.
The Sunburst supply chain attack operated at the scale of a worm such as WannaCry in 2017, combined with the precision and lethality of the 2014 Sony Pictures or 2015 US government Office of Personnel Management attacks. Within hours of its discovery, the magnitude of the campaign became clear to organisations responsible for US national security, economic competitiveness and even consumer privacy and security.
"The campaign also impacted private companies. Unlike government networks, which store classified information on isolated networks, private organisations often have critical intellectual property (IP) on networks with access to the Internet. Exactly what IP or private data on employees has been stolen will be difficult to determine, and the full extent of the theft may never be known."
This type of attack also poses a threat to individuals and their families: in today's highly interconnected homes, a breach of a consumer electronics company can give attackers access to smart appliances such as televisions, virtual assistants and smartphones, which they can use to steal personal information or as a gateway to attack businesses while users are working remotely from home, says Grobman.
"What makes this type of attack so dangerous is that it uses trusted software to bypass cyberdefences, infiltrate victim organisations with the backdoor and allow the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that result in kinetic damage, or simply implanting additional malicious content throughout the organisation to stay in control even after the initial threat appears to have passed," he says.
The Sunburst espionage campaign is expected to spark a proliferation in copycat supply chain attacks of this kind, says Grobman.
SOCIAL MEDIA ATTACK VECTORS
McAfee has also observed sophisticated threat actors increasingly using social networks, such as LinkedIn, WhatsApp, Facebook and Twitter, to engage and build relationships with corporate employees, compromise them and, through them, compromise the broader enterprise, says McAfee chief scientist Raj Samani.
"McAfee predicts that threat actors will seek to broaden the use of social media attack vectors this year and beyond for a variety of reasons. Just as organisations engage potential customers on social platforms by gathering information, developing specialised content and conducting targeted interactions with customers, malicious actors can similarly use these platform attributes to target high-value victims with a deeper level of engagement," he explains.
Similar tactics were used in the July 2020 Operation North Star campaign. McAfee Advanced Threat Research discovered a series of malicious documents containing job postings taken from leading aerospace and defence contractors to be used as lures, in a very targeted fashion.
"Malicious actors have used the social network platforms in broad-scope schemes to perpetrate relatively low-level criminal scams. However, prominent threat actors and groups, such as APT34, Charming Kitten, Threat Group-2889 and others, have been identified using these platforms for higher-value, more targeted campaigns on the strength of the medium’s capacity to enable customised content for specific types of victims."
The Operation North Star campaign showed how lax social media privacy controls and the ease of creating and using fake LinkedIn user accounts and job descriptions could be used to lure and attack defence sector employees. Additionally, individual employees engage with social networks in a capacity that straddles their professional and personal lives, emphasises Samani.
"While enterprises assert security controls over corporate-issued devices and place restrictions on how consumer devices access corporate IT assets, user activity on social network platforms is not monitored or controlled in the same way. Social media messaging is not the first cyberattack vector of concern for the corporate security operations centre. McAfee foresees this social network platform vector becoming more common this year and beyond, particularly among the most advanced actors," concludes Samani.