Supply chain vulnerability continues to plague our collective cyber security.
Since news broke of the SolarWinds supply chain attack, the scope of the compromise has grown to include the confidential information of several high-level government agencies and offices, most recently the U.S. Department of Justice, as well as several major technology companies including Microsoft, Intel, and Cisco. As government agencies and companies scramble to investigate and mitigate the damage caused by the hack, it’s a near certainty that more affected parties will be identified in the months to come.
A recent revelation from a former SolarWinds employee has so far garnered less news coverage, but sheds more light on how threat actors may have compromised the company in the first place. According to Ian Thornton-Trump, who worked for SolarWinds as a security adviser in 2017, then-CEO Kevin Thompson decided to move engineering work to satellite offices in Eastern Europe and to scale back security practices in an effort to cut costs and boost profits. Thornton-Trump resigned from the company shortly after warning that a data breach was “inevitable.”
SolarWinds’ decision to extend its own supply chain into Eastern Europe is widely speculated to have been the entry point for what are assumed to be Russian threat actors. Russian intelligence services and hacking groups alike are known to operate in several former Soviet satellite states, and security personnel such as Thornton-Trump had warned since at least 2015 that the company was a target for attackers.
Even setting aside the specific geography of the satellite offices, relocating the development of sensitive software while cutting security measures expanded the company’s attack surface, reduced oversight of the development process, and raised the likelihood of insider threats.
In addition to the obvious lesson for businesses and organizations about sacrificing security for short-term cost savings, SolarWinds stands as a defining example of third-party, supply chain vulnerability. Any company needs to consider not just the security of its own internal systems, but also the security practices of its vendors. As the case of SolarWinds and its 18,000 customers shows, failing to do so can lead to a cascade of data breaches and compromises.