Hackers have learned to compromise software supply chains.
An insidious attack trend has been catching my eye lately. It’s called the software supply chain attack.
The scheme goes like this: Hackers compromise a trusted software vendor, subvert its products with their own malicious versions, and then use the tainted formulation to infect customers — thereby bypassing internal security controls and easily spreading malware far and wide. Customers, careful to keep their software up to date, don’t think twice about downloading the latest iterations. That’s good digital hygiene, after all.
At least that’s what we’ve been trained to think. Cisco researchers exposed one of these sneaky incursions earlier this week. The hacking operation sabotaged CCleaner, a popular piece of computer cleaning software distributed by Avast, a Czech antivirus firm. (Morphisec, an Israeli cybersecurity startup, had discovered the compromise too.)
Here’s what happened: In August, some unknown hacking group inserted a backdoor into the CCleaner software, which was then dutifully installed on more than 700,000 machines. With that foothold, the attackers then attempted to drill down deeper into the networks of at least 18 big tech company targets, including Google, Intel, Microsoft, Samsung, HTC, and Cisco. Presumably, the intruders sought trade secrets.
This article first appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily newsletter on the top tech news. Sign up here.
This is only the most recent example of such an attack. Earlier this year hackers compromised MeDoc, a piece of accounting software developed by a Ukrainian tech firm, in order to spread a destructive strain of ransomware, dubbed NotPetya, through its update mechanism. The attack crippled operations at big companies, ranging from Danish shipping giant Maersk to U.S. pharma company Merck. Similarly, Kaspersky Labs, the lately besieged Russian cybersecurity firm, found a backdoor in server management software from the U.S. and South Korean tech firm NetSarang that infected hundreds of banks and other companies over the summer.
These supply chain attacks fly in the face of commonly accepted principles of computer security—i.e., patch your systems early and often—and they undermine everyone’s trust in the software ecosystem. As the Cisco researchers note in their analysis, a product from an established vendor “rarely receives the same level of scrutiny” as one from an untrusted source. And as they warn in a follow-up post, these types of attacks now “seem to be increasing in velocity and complexity.”
The proliferation is cause for alarm. It’s hard to see how the situation will improve until everyone — even small-fry software vendors — takes responsibility and ups their digital defenses.