
Software supply chain breach akin to SolarWinds incident, implicates Codecov in cyberattack

Unauthorised parties had prolonged access to the software-testing company's systems and stole confidential customer information over an extended period.


A Major Security Breach at Codecov Raises Alarms in the DevOps Community


In January 2021, Codecov, a globally used code coverage analysis service, suffered a significant security breach. The attack, reminiscent of the nation-state attack against SolarWinds, disrupted the international IT supply chain.

Details of the Security Breach

Codecov's Bash Uploader script was compromised, giving the attackers unauthorised access to internal systems. In a classic supply chain attack technique, the attackers modified the script and left the tampered version in place over a period of months, so that unsuspecting customers who ran it unknowingly transmitted confidential information such as credentials, API keys, and other sensitive environment variables to the attackers.
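The mechanism described above relies on CI jobs fetching a helper script and executing it as-is, so a tampered copy runs with the same environment as the build. The defensive check a practitioner would want is to pin the script's digest and refuse to execute a downloaded copy that does not match. The following shell example is added here for illustration and is not Codecov's code or code from the article; the helper names, the temporary paths and the stand-in uploader script body are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin the SHA-256 of a CI helper script
# and refuse to execute a downloaded copy whose digest does not match.
# Helper names, paths and the sample script body are constructed for this example.

sha256_of() {
  # Print the SHA-256 digest of the file given as $1.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_script() {
  # Usage: verify_script <file> <expected-sha256>
  # Succeeds only when the file's digest equals the pinned value.
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "refusing to run $1: expected $2, got $actual" >&2
  return 1
}

run_pinned() {
  # Usage: run_pinned <file> <expected-sha256> [script args...]
  # Replaces the "download and pipe straight into sh" pattern: the script is
  # saved to disk, checked against the pinned digest, and only then executed.
  script=$1
  expected=$2
  shift 2
  verify_script "$script" "$expected" || return 1
  sh "$script" "$@"
}

make_sample_script() {
  # Constructed stand-in for an uploader script; prints its own path.
  dir=$(mktemp -d)
  printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report for $1"' > "$dir/uploader.sh"
  printf '%s\n' "$dir/uploader.sh"
}

demo() {
  # Walk through the happy path, then a copy modified after the hash was pinned.
  f=$(make_sample_script)
  pinned=$(sha256_of "$f")   # in practice this value is committed alongside the CI config
  run_pinned "$f" "$pinned" my-project || return 1
  printf '%s\n' 'echo "extra line added after the hash was pinned"' >> "$f"
  if run_pinned "$f" "$pinned" my-project 2>/dev/null; then
    return 1                 # a modified script must not run
  fi
  rm -rf "$(dirname "$f")"
  return 0
}

demo
```

The pinned digest has to come from somewhere the attacker cannot reach by modifying the served script, for example a value checked into the repository and updated deliberately when the helper is upgraded; fetching the expected hash from the same server at run time would defeat the check.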

Those Involved

  • The primary perpetrator of the breach remains unidentified. Investigations by US authorities and Codecov itself have failed to name a specific individual or organisation as the culprit.
  • The individual or group responsible for exploiting the vulnerability and introducing the malicious script was undoubtedly an external attacker who gained access to Codecov's internal systems.
  • There are indications that APT29 (alias "Cozy Bear", with suspected ties to the Russian Foreign Intelligence Service SVR) may have shown interest in the attack and potentially used the stolen data. However, there is no definitive evidence that APT29 initiated the original attack – the connections remain hypothetical.
  • Affected companies include well-known firms like Atlassian, HashiCorp, and others who used the compromised script.

Summary

The Codecov security breach was carried out by an unidentified attacker who gained access to internal systems. There are indications that the data may have been later used by the Russian-linked group APT29 (Cozy Bear), but the perpetrator of the initial hack remains unclear.

The security lapse led to a wide-ranging compromise of developer environments worldwide and underscores the risks of attacks on software supply chains.

Sources:

  • Official Codecov statement
  • Reports from US authorities (CISA, FBI)
  • Analyses from CrowdStrike, Mandiant, and other cybersecurity firms

Please note that the precise details often remain confidential, and new information may emerge over time.

Some Codecov customers are still working to assess the impact of the breach on their systems. The FBI and Cybersecurity & Infrastructure Security Agency did not comment on the existence of a current investigation regarding the Codecov breach. The attack allowed unidentified third parties to exfiltrate customer information stored in Codecov's continuous integration (CI) environments. Sandy Carielli, principal analyst at Forrester Research, considered the potential to use the Codecov incident as a launching pad for attacks against Codecov customers as the foremost concern.
