Finding a poisonous seed

Supply chain attacks have become a trend in the past few years. A number of major cyber attacks were delivered through attacking software supply chain. One example of this is the CCleaner incident in which the infection of a few software developer machines resulted in massive infection of end user systems; another more recent example is ShadowHammer story in which the customers of popular ASUS Live Update Utility were served backdoored packages which the attackers managed to get digitally-signed by legitimate ASUS signatures.

This research is dedicated to the investigation of the cyber attacks targeting software supply chain through the infection of the compilers and IDEs used by software developers. Compilers and development platforms are at the core of the software supply chain. An infected compiler that finds its way onto different software developers’ systems, can result in thousands of trojanized software applications. Each of which has potential of being downloaded and installed on a massive number of end user consumer or enterprise systems. The infamous XcodeGhost IDE, an infected version of Apple’s Xcode development environment was an in-the-wild example of such a case. According to the statistics, the number of infected applications compiled by XcodeGhost were in the order of thousands.

Investigating and protecting against these kinds of attacks should always be of utmost importance to security researchers, as this may undermine the trust in the integrity of supply chains and poison the business perspectives of the well-respected software development companies and startups. The victims of such attacks may appear to be selected developers but what is more alarming is that it may also be all the members of the entire software supply chain, all the way through to the end users. The deeper this malicious seed is planted the larger grows the tree of victims.