America, the "Cyber Victim"?

cry me a fscking river

Last week, Andy Greenberg published this story in WIRED about how Chinese spies hacked US cybersecurity company RSA in 2011 to steal the seeds to RSA SecureID 2FA tokens. WIRED trumpeted the hack as “the first really big supply-chain attack”. Poor defenseless America got hacked by the baddie-baddies! Oh woe is us! Whatever shall we do??

The article contains a number of factual inaccuracies, but more importantly lacks critical context. Yes, RSA got hacked. But it was not a “supply-chain attack” (going for that juicy SEO, aintcha, Gideon?), RSA itself is guilty of engaging in a software supply chain attack at roughly the same period in time, and further there are numerous examples of much worse software supply chain attacks that precede the RSA hack Greenberg write about.

Let’s dig in.

First, what is a software supply chain attack? Well, don’t let me define it for you. Let’s consult this declassified, publicly-available document published by the US intelligence community:

The NotPetya malware attack was the classic example of a software supply chain attack. An attacker, probably Russian intelligence, hacked the software update mechanism of Ukrainian accounting software maker MeDoc, added malicious code to the software update, and when MeDoc pushed accounting software updates to their clients, they all got infected with the NotPetya malware.

The United States itself attacked the Soviet Union with a software supply chain attack in 1982, as WIRED reported in 2004. Soviet spies were stealing US oil pipeline software, so the CIA backdoored the pipeline software, causing a massive pipeline explosion in Siberia, according to Thomas C. Reed, a former secretary of the Air Force and special assistant to President Reagan.

The RSA hack was not a software supply chain attack, it was just a really bad data breach. Cybersecurity wonks like me distinguish between attacking confidentiality (stealing secrets) and attacking integrity (sabotage). This turns out to be a really important distinction. The NotPetya attack violated integrity of the software supply chain. The RSA hack was “merely” a violation of confidentiality.

Just because “software supply chain” has great SEO doesn’t mean you get to use it to mean “extra special really bad hack.” Sorry, WIRED, that’s just bad journalism.

Further, Greenberg reports that:

“This past December, when it became public that the company SolarWinds was hacked by Russian spies, the world woke up to the notion of a “supply chain attack”.

Well, the world hardly “woke up to it”. This shiznit’s been going on for a while. As the Snowden documents make clear, a year before the RSA hack, GCHQ and NSA engaged in an attack almost identical to the RSA hack—together they hacked Gemalto, the world’s largest SIM card manufacturer. “With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments,” The Intercept reported.

So let’s get this straight. China hacks RSA to steal cryptographic keys in 2011, and NSA and GCHQ hack Gemalto to steal cryptographic keys in 2010. Neither was a “software supply chain attack”. Both are bad. Like, duh.

But here’s the real kicker in my view. WIRED frames RSA as a victim. But RSA engaged in a real software supply chain attack against their own customers starting in 2004. You can’t make this up, folks.

RSA accepted a $10 million bribe from the NSA to ship the backdoored DUAL_EC_DRBG to its customers. Per Reuters:

“Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.”

This is sabotage. This is what a software supply chain attack looks like, folks. And they did so despite public scepticism that DUAL_EC_DRBG—and published in WIRED!—had been backdoored by the NSA.

So RSA got hacked by China. World’s smallest violin plays.