Supply-chain attacks are very difficult to detect and prevent because malware comes from an outside source considered trustworthy. Contaminating the waterhole, though, is sometimes easier to achieve than going directly after the target, who may have strong defenses in place.
I would change this to say, “Supply-chain attacks are very difficult to detect and prevent because malware comes from an outside source assumed trustworthy, if considered at all.” This is true for most companies.
I appreciate a subtle approach regardless of a malicious actor’s malevolence:
The malicious actor made sure that the compromised version of the software did not spread to entities that were not of interest. For this, they set up the update server to send out the infected files only if their target was located within a specific range of IP addresses.
To avoid detection, the malicious update was signed with a valid certificate stolen from the remote solutions provider. It is unclear when this occurred, but researchers say that on April 8 they found a piece of malware that hid under the same stolen certificate.
With signed malware and access to the update server, all the threat actor had to do was to wait for a client to request a software update.
If the call came from the targeted IP range, the attacker sent the update server the malicious file packaged as “update.zip.” When the update executed, so did the 9002 RAT inside it.
Considering that the update process is likely encrypted by default, catching this early in the kill chain is unlikely.
See Wired’s writeup on NotPetya.