RSA Conference 2022 |

A (Partial) History of Software Supply Chain Attacks

SolarWinds put supply chain hacks on everyone’s radar. But attacks on software supply chains aren’t new. In fact, they’re much older than you suspect! Here’s a (partial) history of supply chain attacks and compromises.

Paul Roberts
Blog Author

Paul Roberts,

Cyber Content Lead at ReversingLabs. Read More...

A (Partial) History of Software Supply Chain Attacks

The widespread campaign of software supply chain attacks that has become known as the “SolarWinds attack” began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.
But if you are thinking that software supply chain threats and attacks are a new problem plaguing software companies and their customers, you are wrong. In fact: software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they are now receiving.

Here is a list of known software supply chain attacks, compiled from public records and reporting. This list is incomplete. First: it is likely that there have been supply chain attacks that have not been made public. Second, these attacks are ongoing, making any accounting of software supply chain attacks incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert. Others may use a more liberal definition of what is and is not a "supply chain" attack than we have and, thus, end up with a longer list of incidents.

[ Get key takeaways from a survey of 300+ security professionals on software security. Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks ]

A Chronology of Software Supply Chain Attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains.

1982 Russia*

Trans-Siberian Pipeline

An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
(Read more)

2013 South Korea

South Korean government and news websites

The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, which is widely used in South Korea. Another attack in conjunction with this took advantage of Songsari, which has been classified as a DDoS attack. (Read more)

2017 Canada

Altair Technologies (a cybersecurity software & services company)

Altair Technologies acknowledged that it was the victim of backdoor malware inserted into one of its products in 2015. If users at the company had downloaded/updated the software within a certain timeframe, their computer would become infected with malware. The attack is known as “Kingslayer.” (Read more)

2017 United Kingdom

CCleaner

Hackers used stolen credentials to infiltrate the network of the software firm Piriform, which makes the CCleaner performance optimization software and install malware platform called ShadowPad. The adversaries were eventually able to compromise development and distribution systems at Piriform and contaminate millions of CCleaner downloads with malicious software that was used to launch targeted attacks against a small number of targets. (Read more)

2017 Ukraine

ME Doc

A compromise of the software update infrastructure of Kiev-based ME Doc, a maker of financial software for businesses, resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. The incident was one of the costliest cyber attacks ever, causing an estimated $10 billion in damages. (Read more)

2018 Global

VestaCP

VestaCP is a control panel interface that system admins use to manage servers. Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)

2018 Global

Cryptocurrency users

A malicious package was put in the official repository for the Python programming language. When downloaded on a Windows server, the attacker is notified when the user makes a crypto payment, and that payment can get rerouted to the attacker. (Read more)

2018 United States

Copay (now known as BitPay)

Attackers injected malicious code into the Node.js Javascript software package. It impacted Copay, a cryptocurrency wallet developed using Javascript. CoPay relies on 3rd-party open-source libraries. The injection of malicious code in Copay’s software resulted in the theft of cryptocurrency from Copay wallets. (Read more)

2019 United States

Agma cryptocurrency

Attackers inserted a malicious package into the build chain for Agama via the npm package manager with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)

2019 Taiwan

ASUSTeK (Shadow Hammer)

A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. Downloaded files that appeared to be benign actually had malware features. The digital signature (ASUSTeK Computer Inc) was intact, meaning that the digital signature itself was compromised. (Read more)

2020 United States

U.S. Government program for low-income Americans

The Unimax (UMX) U686CL was given to Americans with low-incomes as part of a government program, but the phones had pre-installed apps that were malicious. One of the apps was a variant of the Adups malware, which is made by a Chinese company known for gathering user data. Assurance Wireless sold the phones to the US Government. (Read more)

2020 Global

NetBeans Projects

The attackers, a group known as Octopus Scanner, made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects. By using the backdoor, attackers were able to see the details of affected NetBeans projects. (Read more)

2020 Mongolia

Able Desktop

Able Desktop is a chat software that is very popular in Mongolia, and it is used by many government agencies in the country. Two different trojanized installers and a compromised system update were used for the attack. Malware that was deployed into the software included HyperBro, Korplug and Tmanager. (Read more)

2020 Global

Aisino

Tax software from China-based Aisino was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. The malware used, dubbed “GoldenSpy,” targeted specific western-based companies who use the Aisino software. Essentially, the bank compelled clients to install tax software containing a hidden backdoor, which would cause them to have malware downloaded. Aisino knew about the GoldenSpy malware but it’s unclear if it was responsible for it. (Read more)

2020 South Korea

WIZVERA VeraPort

South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. They entered through the compromised website, impacting computer utility, in order to target financial and government websites. (Read more)

2020 United States

SolarWinds

Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a SolarWinds Orion software update to around 18,000 customers. (Read more)

2020 Vietnam

Vietnam VCGA (SignSight)

Attackers compromised the Vietnam Government Certification Authority (VCGA) website, impacting the overall infrastructure of the software. Attackers added a backdoor component to the installers for legitimate software, making it hard to detect. Because the digital signature toolkit was affected, it allowed government and commercial entities to be targeted, since private and public entities alike rely on the toolkit to sign digital documents. 
(Read more)

2020 United States

Twilio

Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. The malicious SDK was used to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks, the company said. (Read more)

2021 United Kingdom

Mimecast

A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. This allowed a threat actor to take over a connection and steal customers' information found in the Microsoft 365 Exchange Web Servers. (Read more)

2021 Global

Stock investment platform

The North Korean APT group known as Thallium produced a Windows executable using Nullsoft Scriptable Install System (NSIS) that contained malicious code in addition to the legitimate files from a legitimate stock investment application program. Within the legitimate installer of the stock investment platform, attackers injected specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)

2021 Hong Kong

BigNox

ESET researchers discovered a compromise of the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong based firm BigNox. According to ESET, three different malware families were observed being distributed via tailored updates to targeted victims. Espionage rather than financial gain appeared to be the motive. (Read more)

2021 Global

Various

“A researcher (Alex Birsan) managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack.” The researcher uploaded malicious npm modules with names identical to known, non-public modules to public, open source repositories. Configuration errors in npm then caused the malicious public modules to be downloaded to the various companies' software applications. (Read more)

2021 Mongolia

MonPass

The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. As part of the attack, Cobalt Strike binaries were bundled with the company’s official software client. (Read more)

2021 United States

Xcode

Xcode is a free application development environment created by Apple that allows developers to create apps for any iOS device. XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)

2021 Australia

Click Studios (Passwordstate)

Passwordstate is a password manager that was hit with an attack that aimed to steal the password information of all its users. The company has close to 30K customers in the U.S. and Australia. The attackers compromised the website’s software update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)

2021 United States

CodeCov

Attackers compromised Bash Uploader, a software development tool and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)

2021 Global

Ledger (Nano X Wallet)

Attackers tampered with the software of the wallet prior to the user accessing it. This breach could allow malicious actors to take control of computer systems connected to one of these wallets. Attackers reflashed the product with malicious firmware that can comprise the user’s host computer. (Read more)

2021 Myanmar

Myanmar Presidential Website

A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
(Read more)

2021 United States

SYNNEX

SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. APT29 (also known as Cozy Bear) are the suspected attackers. (Read more)

2021 Global

SushiSwap’s MISO cryptocurrency platform

“SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.” (Read more)

2021 Global

npm 'coa' and 'rc' packages

The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. These packages have been used by tech giants like Microsoft and Meta. (Read more)

2022 Global

Several well-known OSS projects

In an act of protest against corporations exploiting open source projects, Npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. Some of the OSS projects impacted include Amazon’s cloud development kit, Facebook’s Jest, Javascript, and Node.js.
(Read more)

Did we miss something? Let us know

If you notice that we have omitted a supply chain attack from our partial history, please let us know and, if possible, send corroborating evidence (links to public records, press coverage, social media posts, etc.) that we can use to verify your claim. We would be happy to update our list as new information becomes available.

Sources:

https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
https://unredacted.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/ https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html https://www.cybereason.com/blog/deja-vu-what-do-notpetya-and-solarwinds-have-in-common https://apnews.com/article/8b02768224de485eb4e7b33ae55b02f2
https://apnews.com/article/ap-top-news-theft-indictments-china-hacking-05aa58325be0a85d44c637bd891e668f
https://securelist.com/operation-applejeus/87553/
https://www.kaspersky.com/blog/copay-supply-chain-attack/24786/
https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://www.darkreading.com/threat-intelligence/chinese-malware-found-preinstalled-on-us-government-funded-phones
https://duo.com/decipher/malware-infects-netbeans-projects-in-software-supply-chain-attack https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ https://www.darkreading.com/attacks-breaches/chinese-software-company-aisino-uninstalls-goldenspy-malware
https://securityboulevard.com/2021/10/solarwinds-accellion-breaches-supply-chain-attacks-wreaking-havoc/
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
https://www.twilio.com/blog/avoiding-dependency-confusion-attacks https://www.helpnetsecurity.com/2020/07/23/twilio-malicious-sdk/
https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/ https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
https://www.bankinfosecurity.asia/mongolian-certification-authority-monpass-breached-a-16990 https://thehackernews.com/2021/02/russian-hackers-targeted-ukraine.html https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets-ios-devs-in-supply-chain-attack/
https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/
https://securityboulevard.com/2021/03/verkada-surveillance-hack-breach-highlights-iot-risks/
https://techcrunch.com/2021/08/04/passwordstate-supply-chain-attack/
https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
https://www.theregister.com/2021/05/27/fujitsu_projectweb_supply_chain_attack/
https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/
https://www.cybersecurity-help.cz/blog/2146.html
https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
https://www.theregister.com/2021/07/07/synnex_rnc_microsoft_attack/
https://www.sonatype.com/resources/vulnerability-timeline
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/
https://blog.sonatype.com/what-constitutes-a-software-supply-chain-attack
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/
https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild?hsLang=en-us https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
https://blog.sonatype.com/3-million-cryptocurrency-heist-malicious-github-commit?hsLang=en-us
https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
https://www.zdnet.com/article/bankbot-android-malware-sneaks-into-the-google-play-store-for-the-third-time/
https://www.itworldcanada.com/article/canadian-cyber-firm-confirms-it-was-the-victim-described-in-rsa-investigation/390903
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/124/trend-micro-investigates-june-25-cyber-attacks-in-south-korea
https://www.eset.com/int/about/newsroom/press-releases/research/eset-uncovers-operation-nightscout-cyberespionage-supply-chain-attack-on-gamers-in-asia/