On Dec. 13 last year, cybersecurity company FireEye broke news of the most widespread hacking attack on US government agencies in the country’s history. Government departments affected by the attack, which exploited a vulnerability in proprietary network management software made by the Texas-based software provider SolarWinds, included the US departments of energy, treasury, homeland security, justice and defense.
The SolarWinds incident highlights the severe impact that “software supply chain” attacks can have. Hackers first analyze the software used by the target organization, then identify downstream suppliers to these software products with relatively weak data security practices and infect their software update infrastructure with malicious code. Once the organization updates the software, the malicious code is downloaded onto its systems.
Taiwan is no stranger to software supply chain hacking attacks. From June to November 2018, a software update server operated by Asustek Computer fell victim to a hacker who used a hidden malicious code to infect a new version of software distributed to tens of thousands of Asus laptops, even though the software update carried a valid digital signature.
After receiving information from the Criminal Investigation Bureau, the National Communications Commission on Jan. 6 ordered Taiwan Mobile to recall all 94,000 units of its self-branded, China-made Amazing A32 smartphones after their built-in software was found to contain a malicious program.
An investigation by the bureau found that a malicious program had been embedded into the smartphones’ firmware memory prior to leaving the factory. This means that even if a user restarts or resets their phone, the malicious program would not be removed.
After issuing a recall, Taiwan Mobile carried out an audit of all of its Amazing brand smartphones, and established that only the Amazing A32 is subcontracted to a Chinese manufacturer and the other models do not have the same data security flaw.
Analyses of past instances of software supply chain hacking attacks show that they can basically be classified into four types of attacks.
The first is where the supplier company is itself the attacker.
For example, a bad actor could spend US$100 million to purchase a software company that has tens of thousands of enterprise clients, then use the company’s software product(s) to deliver Trojan horse malicious code. This is a much cheaper and more effective way to infect machines than going to the trouble of developing an online attack that has to infect each target organization one by one.
The second is to hack the software supply company and bury malicious code within its software. This is how the SolarWinds attack was carried out.
The third is when a software supplier uses third-party software in their product that contains malicious code, such as open source software.
The fourth involves a software supplier using third-party software that contains flawed code that can be exploited by hackers. Since contemporary software design makes use of a large number of open source software packages, malicious actors have a relatively large number of opportunities to embed malicious code within frequently used software programs.
The Clean Network program, proposed by the US Department of State in April last year, asks participating telecoms not to use electronic equipment that contains China-made software, such as Huawei Technologies products. This type of policy is designed to pre-empt and prevent the first category of supply chain attack.
In addition to strengthening its own data security protections, Taiwan Semiconductor Manufacturing Co is asking its suppliers to establish basic data security standards, and incorporate these into their routine inspections and audits.
The idea is that if each manufacturer within the industrial ecosystem establishes appropriate data security self-defense, this should help to prevent the second class of supply chain attack.
To resist the third and fourth types of attack requires the manufacturer of each piece of software-containing equipment and device to establish a software bill of materials (SBOM). An SBOM should clearly list all of the open source software packages used within its software, known flaws within each of the packages, the main developer of the software, and the company or organization to which they are affiliated.
Since many of Taiwan’s computer and network communications equipment firms will be expected to provide an SBOM in the future, establishing a database of open source software that conforms to traceability requirements and can continuously track software updates, which can be shared by manufacturers, would greatly reduce the cost of compiling SBOMs for Taiwan’s domestic industries.
Additionally, to more effectively deal with the last two types of supply chain attacks, it would be necessary to develop software analysis tools that can scan the source code of open source software and identify potential malicious software and other vulnerabilities. Unfortunately, such tools are not yet fully mature, and require further research and development.
Chiueh Tzi-cker is general director of Information and Communication Labs at the Industrial Technology Research Institute.
Translated by Edward Jones
Taiwan stands at the epicenter of a seismic shift that will determine the Indo-Pacific’s future security architecture. Whether deterrence prevails or collapses will reverberate far beyond the Taiwan Strait, fundamentally reshaping global power dynamics. The stakes could not be higher. Today, Taipei confronts an unprecedented convergence of threats from an increasingly muscular China that has intensified its multidimensional pressure campaign. Beijing’s strategy is comprehensive: military intimidation, diplomatic isolation, economic coercion, and sophisticated influence operations designed to fracture Taiwan’s democratic society from within. This challenge is magnified by Taiwan’s internal political divisions, which extend to fundamental questions about the island’s identity and future
The narrative surrounding Indian Prime Minister Narendra Modi’s attendance at last week’s Shanghai Cooperation Organization (SCO) summit — where he held hands with Russian President Vladimir Putin and chatted amiably with Chinese President Xi Jinping (習近平) — was widely framed as a signal of Modi distancing himself from the US and edging closer to regional autocrats. It was depicted as Modi reacting to the levying of high US tariffs, burying the hatchet over border disputes with China, and heralding less engagement with the Quadrilateral Security dialogue (Quad) composed of the US, India, Japan and Australia. With Modi in China for the
The Jamestown Foundation last week published an article exposing Beijing’s oil rigs and other potential dual-use platforms in waters near Pratas Island (Dongsha Island, 東沙島). China’s activities there resembled what they did in the East China Sea, inside the exclusive economic zones of Japan and South Korea, as well as with other South China Sea claimants. However, the most surprising element of the report was that the authors’ government contacts and Jamestown’s own evinced little awareness of China’s activities. That Beijing’s testing of Taiwanese (and its allies) situational awareness seemingly went unnoticed strongly suggests the need for more intelligence. Taiwan’s naval
The Chinese Nationalist Party (KMT) has postponed its chairperson candidate registration for two weeks, and so far, nine people have announced their intention to run for chairperson, the most on record, with more expected to announce their campaign in the final days. On the evening of Aug. 23, shortly after seven KMT lawmakers survived recall votes, KMT Chairman Eric Chu (朱立倫) announced he would step down and urged Taichung Mayor Lu Shiow-yen (盧秀燕) to step in and lead the party back to power. Lu immediately ruled herself out the following day, leaving the subject in question. In the days that followed, several
RSS