Supply Chain – February 2025 – 10 min read

Software Supply Chain Security: Learning from SolarWinds

Supply chain attacks have reached a new level. What companies can learn from the biggest cases, and which measures provide effective protection.

SolarWinds: A Turning Point in the Cyber Threat Landscape

The SolarWinds attack of 2020 permanently changed the cybersecurity world. An advanced state-sponsored threat actor (later identified as Cozy Bear / APT29) infiltrated the build infrastructure of IT monitoring vendor SolarWinds and planted malware in a regular software update. The result: over 18,000 customers installed the compromised update, opening a backdoor into their networks for the attackers – including US federal agencies, Microsoft, Intel, and numerous Fortune 500 companies.

The shocking part: none of the victims had done anything wrong. They had installed a regular update from a reputable, certified vendor. That was exactly the plan.

The Evolution of Supply Chain Attacks

SolarWinds was spectacular, but not an isolated case. Kaseya VSA (2021), 3CX (2023), MOVEit (2023) – the list of targeted attacks on software supply chains grows longer. The pattern is similar: a trusted provider or widely used software is compromised, and the actual attack proceeds via the trust placed in that provider.

For companies, this means: even if your own infrastructure is technically secure, attackers can enter via trusted software or services that were properly procured and installed.

What Can Actually Be Protected

Complete protection against supply chain attacks is illusory – you cannot develop all software yourself. But risk reduction is possible and follows some clear principles:

Software Bill of Materials (SBOM): Companies should know, for their critical systems, which software components (including open-source dependencies) are used. An SBOM enables rapid identification of affected systems when a vulnerability in a component becomes known.
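As an added example (not code from this article or from any vendor), the lookup an SBOM makes possible: constructed CycloneDX-style SBOMs for three hypothetical systems are checked against a constructed advisory with a placeholder identifier, and the systems running an affected version are returned. Component names, versions and the advisory range are all assumptions made up for the illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOMs (sample data, not real inventories), keyed by system name.
SBOMS = {
    "monitoring-server": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"group": "com.example", "name": "net-agent", "version": "2.3.1"},
        {"group": "com.example", "name": "json-parser", "version": "1.8.0"}]}),
    "build-agent": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"group": "com.example", "name": "net-agent", "version": "2.5.0"}]}),
    "hr-portal": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"group": "com.example", "name": "json-parser", "version": "1.8.0"}]}),
}

# Constructed advisory with a placeholder id: net-agent is affected from 2.0.0 up to,
# but not including, the fixed release 2.4.2 (the half-open range advisories usually state).
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "group": "com.example", "name": "net-agent",
            "introduced": "2.0.0", "fixed": "2.4.2"}


def parse_version(v: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1); a part such as '2-rc1' keeps only its leading digits.
    Pre-release ordering is deliberately not modelled here."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed, compared numerically part by part."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_systems(sboms: dict, advisory: dict) -> dict:
    """Map each system whose SBOM lists an affected version to the versions found."""
    hits = {}
    for system, raw in sboms.items():
        for comp in json.loads(raw).get("components", []):
            # Match on group + name so a same-named component from another publisher is ignored.
            if (comp.get("group"), comp.get("name")) != (advisory["group"], advisory["name"]):
                continue
            if is_affected(comp.get("version", "0"), advisory["introduced"], advisory["fixed"]):
                hits.setdefault(system, []).append(comp["version"])
    return hits


if __name__ == "__main__":
    for system, versions in affected_systems(SBOMS, ADVISORY).items():
        print(f"{system}: {ADVISORY['name']} {', '.join(versions)} affected by {ADVISORY['id']}")
```

Only the monitoring server is flagged: the build agent runs a fixed release and the HR portal does not ship the component at all, which is exactly the triage an inventory of this kind shortens from days to minutes.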

Continuous Monitoring of Software Vendors: The external attack surface and security level of critical software suppliers should be continuously monitored – not only at onboarding. Compromise indicators of an important vendor can be an early warning signal.

Network Segmentation and Zero Trust: Even if a trusted system is compromised, network segmentation and zero trust principles should limit its ability to move laterally in the network.

Anomaly Detection After Updates: After critical software updates, increased attention should be paid to unusual network communications or activities of the updated system.

Note: This article is for general information. Specific measures for your environment should be discussed with qualified security experts.

Do you have concrete questions about your security situation?

We speak directly with you – no sales pressure, no standard presentation. Only relevant insights for your situation.
