Understanding Supply Chain Cyberattacks
A supply chain cyberattack targets third-party vendors within an organization’s supply chain. Historically, these attacks focused on exploiting trust relationships, targeting insecure suppliers to infiltrate their larger partners.
While traditional supply chain attacks remain a concern, a more significant threat today is the software supply chain. Modern development practices rely heavily on off-the-shelf components, including third-party APIs, open-source code, and proprietary software. Any of these can be vulnerable to security threats and attacks.
A software supply chain attack might inject malicious code into an application, compromising all its users. In contrast, a hardware supply chain attack compromises physical components, using them to infiltrate an organization’s systems. Regardless of the method, supply chain attacks can have a devastating impact on a company and its customers.
How Does a Supply Chain Attack Work?
Supply chain attacks exploit the trust relationships between different organizations. All organizations trust other companies when they install and use software on their networks or collaborate as part of vendor or contractor agreements.
Supply chain attacks target the weakest link in the chain of trust. Even if your organization has strong cybersecurity measures, attackers will target a less secure trusted vendor to bypass these defenses. By gaining a foothold in the vendor’s network, an attacker can exploit this trust to access a more secure network.
A common target for supply chain attacks is managed service providers (MSPs). These providers offer networking, maintenance, or other computing services and typically have deep access to their customers’ networks. Attackers can exploit MSPs’ weaker security measures and easily spread to their customers’ networks. By exploiting vulnerabilities in the supply chain, attackers can have a greater impact and gain access to otherwise well-defended networks.
Another method involves compromising the continuous integration and continuous delivery (CI/CD) pipeline. If attackers manage to compromise a key element of the CI/CD pipeline, they can insert malicious code or vulnerabilities directly into a software product. When this trusted product is delivered to customers, they are compromised by the attacker.
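A pipeline step that downloads a vendor script and runs it unchecked is exactly the kind of "key element" described above: whoever can alter that download controls the build. The pin-and-verify check below is an added example, not code from the original article; the script body, pinned digest and fetcher functions are constructed stand-ins for a real download and the vendor's published checksum.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor-supplied script the pipeline downloads and runs.
TRUSTED_UPLOADER = b"#!/bin/sh\necho 'uploading coverage report'\n"

# The pin: digest of the reviewed script, committed next to the pipeline config.
# In practice this comes from the vendor's published checksum, never from the download itself.
PINNED_SHA256 = hashlib.sha256(TRUSTED_UPLOADER).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """True only if data hashes to the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def fetch_and_verify(fetch, pinned_hex: str) -> bytes:
    """Return the downloaded bytes only if they match the pin.

    Raises RuntimeError on mismatch so the step fails closed instead of executing
    an unverified script, which is what an unpinned 'download and run' step does.
    """
    data = fetch()
    if not verify_pinned(data, pinned_hex):
        raise RuntimeError(
            f"integrity check failed: got {sha256_hex(data)}, expected {pinned_hex}"
        )
    return data


def fetch_ok() -> bytes:
    # Constructed fetcher standing in for an unmodified download.
    return TRUSTED_UPLOADER


def fetch_tampered() -> bytes:
    # Constructed fetcher: the same script with one line appended after the pin was taken.
    return TRUSTED_UPLOADER + b"echo 'line added after the pin was taken'\n"


if __name__ == "__main__":
    fetch_and_verify(fetch_ok, PINNED_SHA256)
    try:
        fetch_and_verify(fetch_tampered, PINNED_SHA256)
    except RuntimeError as exc:
        print(exc)
```

The pin must be updated deliberately, through the same review that any other pipeline change gets, when the vendor ships a new script version.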
Examples of Recent Supply Chain Cyber Attacks
Many large-scale attacks have been launched against organizational supply chains, with only a few reported to the public. Here are some real-world examples:
SolarWinds - Attackers injected a backdoor into a software update for SolarWinds’ network management software, which is used by many high-profile companies and government agencies. The backdoor gave the attackers remote access to thousands of corporate and government servers, leading to many data breaches and security incidents.
Kaseya - Attackers compromised Kaseya’s management software, used by MSPs, and infected it with REvil ransomware. The ransomware spread to thousands of customer environments, allowing the attackers to extort $70 million from MSPs and their customers.
Atlassian - Security researchers discovered vulnerabilities in Atlassian applications that allowed abuse of single sign-on (SSO) procedures. Attackers could use SSO tokens to access applications and perform actions related to user accounts, affecting thousands of organizations.
Apple and Microsoft - Security researcher Alex Birsan hacked corporate systems managed by Microsoft, Uber, Apple, and Tesla by leveraging a dependency used by these companies. Birsan created harmless, fake versions of the dependency that were delivered to end users, demonstrating what a malicious package could have achieved.
Mimecast - Hackers compromised the security certificate that authenticated the Mimecast service on Microsoft 365 Exchange Web Services. Approximately 10% of Mimecast customers had applications that depended on the stolen certificates. Early discovery prevented a larger impact.
Codecov - An attacker modified the Codecov Bash uploader, part of a code coverage testing tool, by injecting malicious code into the script. The attacker eavesdropped on Codecov servers and stole customer data.
British Airways - A data breach occurred after a Magecart supply chain attack disrupted its trading system, leaking sensitive information.
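The dependency substitution Birsan demonstrated above leaves a trace a build can check for itself: a package the organization only publishes internally, yet resolved from a public index, or installed without a pinned hash. The audit below is an added example, not code from the article or from any of the companies named; the private index host, package names and resolution report are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed host of the organization's private package index (placeholder name).
INTERNAL_INDEX_HOST = "pypi.internal.example"


def normalize(name: str) -> str:
    """Canonical package name: lowercase, runs of '-', '_' and '.' folded to '-'.

    Resolvers compare names this way, so the audit must too, or
    'Acme_Auth.Client' and 'acme-auth-client' would look like different packages.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class Resolved:
    name: str
    version: str
    index_url: str         # index the resolver actually fetched from
    sha256: Optional[str]  # pinned hash from the lock file, if any


# Constructed resolution report for one build; all values are illustrative.
BUILD_RESOLUTION = [
    Resolved("requests", "2.31.0", "https://pypi.org/simple", "c0ffee"),
    Resolved("acme-billing-core", "1.4.0", "https://pypi.internal.example/simple", "deadbeef"),
    Resolved("Acme_Auth.Client", "9.9.9", "https://pypi.org/simple", None),
    Resolved("pyyaml", "6.0", "https://pypi.org/simple", None),
]

# Names the organization publishes only to its private index (constructed).
INTERNAL_PACKAGES = {"acme-billing-core", "acme-auth-client"}


def audit(resolution: List[Resolved], internal_names: Set[str],
          internal_host: str) -> List[Tuple[str, str]]:
    """Flag internal names served by a public index, and any unpinned package."""
    internal = {normalize(n) for n in internal_names}
    findings = []
    for r in resolution:
        name = normalize(r.name)
        if name in internal and urlparse(r.index_url).hostname != internal_host:
            findings.append((name, "PUBLIC_RESOLUTION"))  # same-named public package won
        if not r.sha256:
            findings.append((name, "UNPINNED"))  # a substituted artifact would install silently
    return findings


if __name__ == "__main__":
    for pkg, code in audit(BUILD_RESOLUTION, INTERNAL_PACKAGES, INTERNAL_INDEX_HOST):
        print(f"{code}: {pkg}")
```

Run against the resolver's own output in CI and fail the build on any PUBLIC_RESOLUTION finding; UNPINNED findings are the list of packages still waiting for hash pinning.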
4 Ways to Prevent Supply Chain Attacks
Recognize, Map, and Prioritize the Supply Chain Threat Landscape
- Assess all possible risks by understanding the supply chain and its key components. Inventory suppliers and assess their security posture:
  - Group vendors into risk profiles.
  - Prioritize each third party by their vulnerability level, access to your data and systems, and impact on your organization.
  - Use questionnaires and on-site visits to assess supply chain security.
  - Identify the weakest areas and ask vendors to improve their security.
  - Assess the safety of hardware and software products.
  - Identify processes that pose a threat to sensitive data and determine suitable security measures.
- Visualize risks by drawing a tree of all interactions between your organization and supply chain elements to see the full picture of supply chain risks.
Create a Multifaceted Supply Chain Security Strategy
- Supply chain attacks can have various objectives, including ransom, sabotage, and intellectual property theft. These attacks can take many forms, such as malicious code injections, hijacking software updates, and attacks on IT and operational technologies.
- Coordinate with security and risk management leaders to understand these threats and jointly manage supply chain security risks.
Manage Remote Work Endpoint Risk
- Remote work increases the number of exploitable endpoints. Operations within a supplier’s remote telework environment can introduce more risks, including device loss or theft, unauthorized data downloads, and shadow IT applications.
- Traditional security tools like VPNs and VDI are insufficient. Organizations must monitor how remote employees use their devices to protect the supply chain.
Continuously Monitor Third-Party Risks
- Understand the motivations behind potential attacks and identify the most valuable corporate assets to prioritize defenses.
- Implement measures like threat hunting, centralized log aggregation, and sensor deployment.
- Continuous supply chain protection helps uncover ongoing activities, gain deep visibility, and identify gaps in the organization’s ability to detect these activities. Use a consolidated monitoring capability to provide visibility into threats and identify complex attack chains.