Adversary Village

Cheryl Biswas

Threat Intel Specialist, TD

Cheryl Biswas is a Threat Intelligence Specialist with TD Bank in Toronto, Canada, where she produces and delivers annual cyber threat forecasts, and has experience in security audits and assessments, privacy, disaster recovery and change management. She holds an ITIL certification and a specialized honours degree in Political Science. Cheryl is actively engaged in the security community as a conference speaker and volunteer, mentors those entering the field, and champions women and diversity in cyber security as a founding member of “The Diana Initiative”.

Talk: Signed, Sealed, Delivered: Comparing Chinese APTs behind Software Supply Chain Attacks

State-sponsored threat actors have engaged in software supply chain attacks for longer than most people realize, as governments seek access to information and potential control. Of Russia, North Korea, Iran and China, China has been behind the most attacks, targeting the technology sector for economic espionage and intellectual property theft. In their current drive for innovation and cloud migration, organizations increasingly rely on software development and all its dependencies: third-party code, open-source libraries and shared repositories. Recent attacks have shown how easy it is to create confusion and send malicious code undetected through automated channels to waiting recipients.

This talk will walk attendees through the stages of past attacks by Chinese APTs, notably APT10, APT17 and APT41, to show how their capabilities have evolved and what lessons can be applied to recent attacks, comparing tactics, techniques and procedures (TTPs).

Topics covered:

What constitutes software supply chain attacks.
The abuse of trust and compromise at the source.
Trusting third parties that in turn trust their own third parties.
How cloud migration and innovation fuel increased code dependency.
Understanding CI/CD (continuous integration and continuous delivery) pipelines.
The increased use and targeting of online code repositories and automated software distribution.
Where mistakes and misconfigurations occur, creating adversarial opportunity.
A brief history of software supply chain attacks on repositories.

Learning from the past

A walk-through of several major attacks, including Operation Aurora, CCleaner and NetSarang.
Contrast these with a walk-through of recent attacks, including SolarWinds, Dependency Confusion, Codecov and XcodeSpy.

Historical context helps illuminate the TTPs that should be monitored for and secured against, especially those that aid deception and evasion.
Recommendations for mitigations and best practices to secure code and dependencies.
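The Dependency Confusion case named above turns on a resolver fetching a private package name from the public registry because a higher version exists there. The following script is an added example, not material from the talk or the speaker: it audits an npm package-lock.json (lockfileVersion 2/3 layout, where "packages" is keyed by node_modules path) and flags private-scope packages that were resolved from anywhere but the internal registry, entries with no integrity hash, and entries pulled from an unexpected source. The scope "@acme", the registry URL https://npm.internal.example/ and the lockfile contents are constructed assumptions for the demonstration.

```python
"""Audit an npm package-lock.json for dependency-confusion and integrity gaps.

Added example, not from the talk. Assumes lockfileVersion 2/3 layout and that
every package under the hypothetical private scope "@acme" must resolve from
the hypothetical internal registry https://npm.internal.example/.
"""
import json

INTERNAL_SCOPE = "@acme"                               # assumption: the org's private scope
INTERNAL_REGISTRY = "https://npm.internal.example/"   # assumption: its private registry
PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfile: one clean public dependency, one private-scope package
# resolved from the public registry at an implausibly high version (the
# confusion case), and one entry with no integrity hash at all.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
        },
        "node_modules/@acme/auth-client": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.0.tgz",
            # constructed placeholder digest, not a real tarball hash
            "integrity": "sha512-0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000==",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})


def package_name(path):
    """Turn a node_modules path into a package name, keeping any @scope.

    Nested installs look like node_modules/a/node_modules/b; the last
    segment after the final 'node_modules/' is the package itself.
    """
    return path.split("node_modules/")[-1]


def audit_lockfile(lock_text):
    """Return (package, finding) tuples for every suspicious lockfile entry."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry describes the app itself
        name = package_name(path)
        resolved = meta.get("resolved", "")
        # A private-scope name served by anything other than the internal
        # registry is the dependency-confusion signature.
        if name.startswith(INTERNAL_SCOPE + "/") and not resolved.startswith(INTERNAL_REGISTRY):
            findings.append((name, "private-scope package resolved from %s" % (resolved or "<unknown>")))
        # Without an integrity hash, a substituted tarball is indistinguishable
        # from the original at install time.
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash; tarball substitution would go unnoticed"))
        # Anything not coming from one of the two known registries is a
        # misconfiguration worth a look (git URLs, mirrors, local paths).
        if not resolved.startswith((INTERNAL_REGISTRY, PUBLIC_REGISTRY)):
            findings.append((name, "resolved from unexpected source %s" % (resolved or "<unknown>")))
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK):
        print("%-20s %s" % (pkg, why))
```

Run against the constructed lockfile this reports @acme/auth-client (private scope served from the public registry) and left-pad (no integrity field); lodash passes. In a pipeline the same check belongs in CI before `npm ci`, alongside an .npmrc that routes the private scope to the internal registry, so the lockfile cannot silently drift to a public lookalike.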


Attendees will learn what software supply chain attacks are and why they are increasing.
They will understand the opportunity adversaries gain from the vulnerability created by multiple dependencies.
A breakdown of key attacks will be mapped to the Lockheed Martin Cyber Kill Chain steps and MITRE ATT&CK.
Attendees will be familiarized with major Chinese APT group TTPs, which they can bring back to their organizations to implement in their monitoring.

Recorded Live 📼