A supply chain attack is an indirect attack that originates from an organization that provides a good or service to the company being attacked. The idea here is that while the primary organization (US Government) will have strict security controls, it is not likely that all of the supplying vendors have the same controls.
We can see that the trust relationship, or relational boundary, between the primary organization and the vendor is what is truly being compromised. When the primary organization develops outside relationships without requiring the same set of controls that it uses internally, it becomes susceptible to this type of attack.
The US Government typically relies on practices and control standards that are guided by a series of publications referred to as NIST Special Publications. While there are many different publications, NIST Special Publication 800-53 Rev 4 (Security and Privacy Controls for Federal Information Systems and Organizations) is of particular note concerning the management of internal systems and can be found here: https://nvd.nist.gov/800-53/Rev4/impact/high.
For agencies within the US Government that work with other companies, NIST 800-171 Rev 2 and the burgeoning CMMC (Cybersecurity Maturity Model Certification) provide guidance on how business should be conducted. Of course, just informing you that these standards and certifications exist is not enough to satisfy our need to understand the complexities of what has gone on.
For the sake of simplicity, let's say a man named Adam runs an organization named ACME. He has to manage all of the company's computers and doesn't have time to do it himself. Instead, last March he turned to industry-leading software to manage his assets, and he happily does business for the rest of the year.
In December he finds out that the software he was using has been compromised, even though he has the best security around. He doesn't have log retention covering the last nine months because there were no indicators that he was compromised. Now Adam has to assume that everything in his company could have been compromised, and this incident costs ACME more money than the management software ever saved.
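As an added illustration of Adam's problem (not code from the original post), the snippet below scopes what evidence actually survives: for a constructed compromise window and a set of log sources with assumed retention periods, it reports how many days of the window each source cannot speak to and the oldest date any source still covers.

```python
"""Retention-gap triage for a long-running compromise (constructed example:
every date, log source and retention period below is made up)."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int  # how far back this source's logs still exist

def dwell_days(compromise_start: date, discovery: date) -> int:
    """Days to reconstruct; also the minimum retention that would have
    kept the whole window available to investigators."""
    return (discovery - compromise_start).days

def uncovered_days(source: LogSource, compromise_start: date, discovery: date) -> int:
    """Days of the compromise window for which this source has no logs left."""
    oldest_retained = discovery - timedelta(days=source.retention_days)
    if oldest_retained <= compromise_start:
        return 0  # retention reaches back past the start of the window
    return (oldest_retained - compromise_start).days

def coverage_report(sources, compromise_start: date, discovery: date) -> dict:
    """Map each source name to its number of uncovered days in the window."""
    return {s.name: uncovered_days(s, compromise_start, discovery) for s in sources}

def earliest_evidence(sources, discovery: date) -> date:
    """Oldest date for which at least one source still holds data."""
    return min(discovery - timedelta(days=s.retention_days) for s in sources)

# ACME-style scenario: tool deployed in March, compromise learned in December,
# 30-day rolling logs everywhere except one long-retention DNS archive.
COMPROMISE_START = date(2020, 3, 1)
DISCOVERY = date(2020, 12, 1)
SOURCES = [
    LogSource("firewall-syslog", 30),
    LogSource("windows-security-events", 30),
    LogSource("mgmt-server-app-log", 30),
    LogSource("dns-query-archive", 365),
]

if __name__ == "__main__":
    print(f"window to reconstruct: {dwell_days(COMPROMISE_START, DISCOVERY)} days")
    for name, missing in coverage_report(SOURCES, COMPROMISE_START, DISCOVERY).items():
        print(f"  {name:24} {missing:3d} days with no evidence")
    print("earliest date any source can speak to:", earliest_evidence(SOURCES, DISCOVERY))
```

The gap between the dwell time and each source's retention is the part of the incident that can only be assumed, never proven, which is exactly why Adam has to treat everything as compromised.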
That is what we are looking at here. If you take this example and apply it to every possible customer using SolarWinds (the orion.dll file), you will find that the problem is systemic and has grown out of control.
The interesting part about all of this is that the threat actor behind the attack is supposed to be an APT (Advanced Persistent Threat). When you look at the big picture, it seems that an APT would have patched all systems after obtaining access in order to prevent other APTs from conducting similar attacks. Being discovered this late into a hack may be an indicator of greed or laziness on the attackers' part.