By John P. Desmond, AI Trends Editor
The digital supply chain has been disrupted over the past year not only for COVID-19-related reasons, but also from cyberattacks involving ransomware, causing security professionals to explore the potential for AI and machine learning to further automate monitoring of the risk.
The Kaseya ransomware attack in July, called a software supply chain security breach by some observers, was similar to the SolarWinds attack in the spring of 2020, in that malicious software was delivered to customers via an automatic software update.
But the Kaseya attack was different in that the perpetrators made a specific ransomware demand, first for $45,000 from each company affected, then for $70 million to unlock all the affected systems. The SolarWinds hackers gained access to the affected systems, where they were able to roam for months, with unknown intentions.
Kaseya is a managed service provider, whose customers use it to help manage their IT infrastructure. Kaseya can deploy software to its systems under management, in a way roughly equivalent to software suppliers issuing automatic updates.
A criminal gang named REvil, reportedly based in Russia, hacked into the Kaseya system and pushed the REvil software to all the systems under its management, according to a recent account in Lawfare entitled, “Why the Kaseya Ransomware Attack is a Really Big Deal.”
The standard response procedure following deployment of malware in a zero-day exploit—in which the attacking malware has never before been seen—has been for security professionals, often from the affected software supplier, to produce a patch, usually within a few days. That patch is then installed to remediate the threat.
The Kaseya attack requires a different type of response. “Malware deployed automatically via the supply chain upends all of these dynamics pathologically,” stated Matt Tait, author of the Lawfare account and the current chief operating officer of Corellium. Tait has worked at Google on Project Zero, which hunts for zero-day vulnerabilities, and at the British intelligence agency GCHQ. Corellium offers products to help developers work with Advanced RISC Machine (ARM) processors, used in smartphones and many other consumer electronic devices.
“A malware operator with access to an automatic software delivery infrastructure has no incentive to keep the infections small,” Tait stated. Instead, rather than infecting a few targets at the top of its priority list, the digital software supply chain hacker can hit all the affected customers nearly simultaneously.
Moreover, “Vendors can’t respond in the normal way to supply chain malware either,” Tait states, because the malware came from their own software delivery system. To remediate, they need to disable the infrastructure to prevent further misuse, and then work on securing their own systems. “Patches are the wrong tool for remediation” in this case, Tait suggests, since, “Patches help defend systems that might be vulnerable to malware, but here customers are already infected with the malware. By the time the breach is discovered, it’s already too late to fix via a patch.”
Working toward solutions will be challenging. “Tackling this problem is no small task; it will need a great deal of resources and creativity across many different domains, from the technical community through to the foreign policy community,” stated Tait.
Investors Back Interos with Another $100M to Help Manage Supply Chain Risk
The investment community is taking notice, with its recent $100 million investment in Interos, a company offering supply chain risk management software incorporating AI and machine learning.
“COVID-19 and other macro and digital supply chain disruptions over the past year have caused boards of directors and other leaders to awaken to the tremendous impact supply chain disruptions can have on operational resilience, business performance and reputation,” stated Jennifer Bisceglie, CEO of Interos, in a press release. “Manual and annual supply chain risk monitoring is urgently moving to automated and continuous, and that can only be accomplished through AI/ML-based technology. This funding will allow us to accelerate our mission of helping organizations fix supply chain issues before they cause operational disruption.”
Interos aims to have its software serve as an early warning system to identify developing disruptions and supplier problems in real time. Founded in 2005, Interos has software in use by Fortune 500 brands, the US Department of Defense and NASA. The tools enable customers to map their global supply chains in multiple tiers and then continually monitor their suppliers.
The Interos platform monitors for both physical and digital supply chain issues across dozens of risk categories, including financial, operational, governance, geographic, and cyber factors. The platform also monitors environmental, social, and governance (ESG)-related risk factors, such as unethical labor practices and greenhouse gas emissions.
The approach seems appropriate given the widespread impact of the Kaseya attack, which resulted in the shutdown of 800 supermarket locations that could not operate their checkout software, interrupted Swedish rail service, and disrupted the operations of a Swedish pharmacy chain, according to an account on the Interos blog.
McKinsey Sees AI As Needed to Help Manage Supply Chain
That AI is a fit for managing more complex supply chains is also asserted in a recent report from McKinsey entitled, “Succeeding in the AI Supply Chain Revolution,” which describes longer and more interlinked physical flows, market volatility exacerbated by the COVID-19 pandemic and a focus on more supply chain resilience.
“Supply-chain management solutions based on artificial intelligence (AI) are expected to be potent instruments to help organizations tackle these challenges,” state the authors, led by Knut Alicke, a partner in McKinsey’s office in Stuttgart, Germany. “AI’s ability to analyze huge volumes of data, understand relationships, provide visibility into operations, and support better decision making makes AI a potential game changer,” he stated.
Read the source articles and information in Lawfare, in a press release from Interos, in an account on the Interos blog and in the McKinsey report entitled, “Succeeding in the AI Supply Chain Revolution.”