When some Asus laptop users started getting prompts to update their software in June last year, they were puzzled that no details were given of what they were about to install.
The window that usually described a patch's fixes was simply empty. This was strange, and some of them said so on the popular forum Reddit, but many went ahead and installed the update anyway.
After all, they had checked it on antivirus sites and confirmed that the update really came from Asus, because it carried a valid Asus digital signature. They were duped.
The update was in fact a carefully crafted piece of malware that exploited the trust users placed in Asus. It opened a back door on their laptops.
It abused one key element of that trust, a valid signature from the vendor's own code-signing certificate, which had long been taken as a sure sign of authenticity. A signature proves who signed a file, not that the file is safe, and the attack cast fresh doubt on whom one can trust online.
More worryingly, the attack signalled a change in tactics. In this carefully planned operation, the hackers were willing to compromise half a million users through a common update in order to reach some 600 targets, whom they singled out by checking each machine's MAC address, the unique identifier of its network card, against a list carried inside the update itself. On every other machine the update behaved normally.
Previously, such an approach was thought to be uneconomical, or likely to arouse suspicion if it touched so many machines.
However, the way the malware was delivered this time – through a trusted party – made it stealthier and more dangerous than before.
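The targeting gate described above, as an added illustration that is not code from the article, from Asus or from Kaspersky: a trojanised updater that carries a list of victim MAC addresses, does nothing unusual on a machine whose MAC is not on it, and misbehaves only on a match. Published analyses of the samples describe the list as stored in hashed rather than readable form; the MD5-over-canonical-string scheme, the function names and every MAC value below are assumptions constructed for the example, not the samples' actual code. The block also shows why hashing the list hides little: the first three bytes of a MAC (the vendor OUI) are public, so a defender with a suspected prefix can brute-force the rest.

```python
"""Illustration of MAC-address targeting in a trojanised updater (added example).

Assumptions, labelled here and in the lead-in: targets are stored as MD5 hashes
of the MAC in upper-case colon-separated form; all MACs are constructed values.
"""
import hashlib
import itertools
import uuid

HEX = "0123456789ABCDEF"


def normalise_mac(mac: str) -> str:
    """Accept '00:1a:2b:3c:4d:5e', '00-1A-2B-3C-4D-5E' or '001A2B3C4D5E' and
    return the upper-case colon-separated form that is hashed (our assumption)."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(ch not in HEX for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash the canonical MAC string (assumed scheme, not the real samples')."""
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


# Constructed victim list. The attacker ships only the hashes, so a reader of
# the binary sees opaque values rather than a list of MACs.
TARGET_MACS = ["00:1A:2B:3C:4D:5E", "00:1A:2B:00:11:22"]  # constructed, not real
TARGET_HASHES = frozenset(mac_hash(m) for m in TARGET_MACS)


def matching_macs(local_macs, target_hashes=TARGET_HASHES):
    """Defender view: which of this host's MACs appear on the hashed list."""
    return sorted({normalise_mac(m) for m in local_macs
                   if mac_hash(m) in target_hashes})


def update_behaviour(local_macs, target_hashes=TARGET_HASHES):
    """Attacker gate: 'benign' on every machine except a listed one,
    where a second stage would be fetched ('stage2')."""
    return "stage2" if matching_macs(local_macs, target_hashes) else "benign"


def local_macs():
    """Minimal, stdlib-only probe for one local MAC. uuid.getnode() returns a
    random number with the multicast bit set when it finds no real adapter."""
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return [f"{node:012X}"]


def recover_macs(target_hashes, known_prefix):
    """Brute-force hashed MACs given a known leading prefix (3 to 6 whole bytes).
    With only the OUI known that is 2^24 candidates, seconds in C and minutes in
    Python; fixing more bytes, as in the usage below, makes it instant."""
    known = "".join(ch for ch in known_prefix if ch.isalnum()).upper()
    if len(known) % 2 or not 6 <= len(known) <= 12:
        raise ValueError("known prefix must be 3 to 6 whole bytes")
    unknown = (12 - len(known)) // 2
    found = {}
    for tail in itertools.product(range(256), repeat=unknown):
        candidate = known + "".join(f"{b:02X}" for b in tail)
        digest = mac_hash(candidate)
        if digest in target_hashes:
            found[digest] = normalise_mac(candidate)
            if len(found) == len(target_hashes):
                break
    return found


if __name__ == "__main__":
    print("this host:", update_behaviour(local_macs()))
    print("a listed host:", update_behaviour(["00-1a-2b-3c-4d-5e"]))
    # Four bytes known, two to search: 65,536 hashes.
    print("recovered:", recover_macs(TARGET_HASHES, "00:1A:2B:3C"))
```

The defender-side functions are the useful half: `matching_macs` is what a vendor or incident responder would run against a recovered hash list to tell affected machines from the half million that merely received the update, and `recover_macs` shows why an attacker hashing the list does not keep the targets secret for long.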
So when news of the attack, codenamed ShadowHammer, broke in March 2019, many in the industry were taken by surprise.
Kaspersky, the security firm that tracked and exposed the malware, initially said that more than 57,000 of its own users had downloaded it. Later estimates put the number of people affected at more than half a million before Asus finally put a stop to it.
This is a big concern because such supply chain attacks, which penetrate trusted makers of hardware equipment and software developers, make it hard for users to trust anyone online, said Vitaly Kamluk, Asia-Pacific director for global research and analysis at Kaspersky, who analysed the malware.
Though this is not the first such supply chain attack, he noted, there is a need for manufacturers and developers to ensure they keep their defences up against someone trying to compromise their products at the source.
And the problem is only growing. In a report in February, another cyber security company, Symantec, said that supply chain attacks went up by 78 per cent from 2017 to 2018.
The irony won’t be lost on users who have been told to update their software to ensure that they are less vulnerable to cyber attacks.
Unfortunately, there is little they can do, except to pressurise hardware manufacturers and software developers to do more to protect their development processes. It is not a reason to stop patching: an unpatched machine is exposed to every attacker, while a compromised vendor update remains the rarer event.
After all, if malware is injected into a piece of software at the source, it gains access to potentially millions of users without their knowledge.
Already, the United States government is going to spend more effort scrutinising how vulnerable the digital supply chain is for devices that are made to handle sensitive data.
But how effective would that be in an interconnected world, where a chip can be designed in the US, made in Taiwan and built into a phone or PC in China?
It is near impossible to lock down everything or build everything yourself, said Chester Wisniewski, principal research scientist at security firm Sophos.
Indeed, the fear now is that countries may try to lock down so much that they only trust certain suppliers from “friendly” countries, he noted.
This homogeneity means that hackers only need to focus on one or two manufacturers instead of several, say, 5G network equipment makers, he told Techgoondu.
If Western countries only buy from Nokia or Ericsson, out of fear of Huawei’s links to the Chinese government, then a hacker only needs to concentrate on finding loopholes in those two manufacturers, he stressed.
The problem of supply chain attacks is only going to be more serious, experts say, with more connected devices now controlled remotely to cut down maintenance costs.
Devices from surveillance cameras to point-of-sale systems in a retail store can be taken over if attackers manage to deliver a fake update that opens a back door, they add.
Many experts are calling for a "zero trust" policy: trust no one by default and check digital credentials each time someone tries to access data. But that gets harder with a Trojan horse already inside, because the malicious code runs with the identity and permissions of the legitimate software it hides in.
In his briefing to reporters two weeks ago, Kaspersky’s Kamluk said the threat should not be overplayed to cause people to panic, but cautioned that such supply chain attacks are becoming stealthier and hard to keep out.
Even for a high-profile attack like the Asus one, much remains unknown. How did the hackers know the MAC addresses of the 600 targeted users' laptops? Did they have physical access to the machines, or did they sniff that out some other way? Still a mystery, said Kamluk.