Supply Chain Attacks: 7 Examples and 4 Defensive Strategies

What is a Supply Chain Cyberattack?

Supply chain attacks are cyber attacks against third-party vendors in an organization’s supply chain. Historically, supply chain attacks were targeted at trust relationships, where insecure suppliers in the chain were attacked to gain access to their larger partners.

While traditional supply chain attacks are still a concern, an even bigger threat facing organizations today is the software supply chain. Software supply chains are highly susceptible to attack, because in modern development organizations, software is not created from scratch, and uses many off-the-shelf components such as third-party APIs, open source code, and proprietary code from software vendors. Any of these could be exposed to security threats and vulnerabilities.

A software supply chain attack might inject malicious code into an application and infect all users of the application, while a hardware supply chain attack compromises physical components and uses them to infiltrate an organization’s systems. Whatever the method, supply chain attacks can have a devastating impact on a company and its customers.

This is part of a series of articles about third-party risk management.

How Does a Supply Chain Attack Work?

Supply chain attacks exploit the trust relationships between different organizations. All organizations have some degree of trust in other companies when they install and use software on their networks, or collaborate as part of vendor or contractor agreements.

Supply chain attacks target the weakest link in the chain of trust. Even if your organization is well-defended and has a strong cybersecurity program, if a trusted vendor is not secure, attackers will target that vendor to bypass whatever security is in place in the primary organization. By gaining a foothold in the provider's network, an attacker can exploit this trust to gain access to a more secure network.

A common supply chain attack surface is managed service providers (MSPs). These could be providers offering networking, maintenance, or other computing services to an organization. An MSP typically gains deep access to its customers’ networks. Attackers can exploit an MSP’s weaker security measures and easily spread to its customers’ networks. By exploiting vulnerabilities in the supply chain, these attackers can have greater impact and gain access to networks that are otherwise difficult to attack directly.

Another supply chain attack uses automated software development processes, known as the continuous integration and continuous delivery (CI/CD) pipeline. If attackers manage to compromise a key element of the CI/CD pipeline, they can insert malicious code or security vulnerabilities directly into a software product. When this trusted product is delivered to its customers, they are compromised by the attacker.
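One pipeline control that blunts the update-hijacking scenario above is to refuse to execute any third-party build script or installer whose digest does not match the checksum the supplier published out of band. The following is an added example, not code from the article or from any vendor. It assumes the supplier publishes a SHA-256 checksum separately from the download (for example on a release page or in a signed manifest) and that the CI job carries that value; the script bodies are constructed sample data.

```python
"""Gate a downloaded build script on a published SHA-256 checksum.

Added example (not from the article or any vendor). Assumes the supplier
publishes the expected digest out of band and the CI job pins that value.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample data: the script as published, and a copy that was
# modified after the checksum was published.
TRUSTED_SCRIPT = b"#!/bin/sh\necho 'uploading coverage report'\n"
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"echo 'line added after publication'\n"

# The value the supplier published for TRUSTED_SCRIPT (computed here only
# because the sample is constructed; in a real job it is a pinned constant).
PUBLISHED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory download."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """True only if the download matches the published digest.

    compare_digest is used so the comparison does not short-circuit on the
    first differing character.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def stage_script(data: bytes, expected_sha256: str, workdir: Path) -> Optional[Path]:
    """Write the script into the job's working directory only if it verifies.

    A tampered download never reaches disk, so nothing later in the job can
    execute it by accident. Returns the staged path or None.
    """
    if not verify_download(data, expected_sha256):
        return None
    target = workdir / "uploader.sh"
    target.write_bytes(data)
    target.chmod(0o700)
    return target


def demo() -> dict:
    """Stage the trusted and the tampered copy against the same digest."""
    with tempfile.TemporaryDirectory() as d:
        wd = Path(d)
        good = stage_script(TRUSTED_SCRIPT, PUBLISHED_SHA256, wd)
        bad = stage_script(TAMPERED_SCRIPT, PUBLISHED_SHA256, wd)
        return {"trusted_staged": good is not None, "tampered_staged": bad is not None}


if __name__ == "__main__":
    print(demo())  # {'trusted_staged': True, 'tampered_staged': False}
```

The check only helps if the expected digest comes from a channel the attacker cannot rewrite together with the script; pinning it in the pipeline configuration (or reading it from a signed manifest) is what turns a modified download into a failed build rather than an executed one.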

7 Examples of Recent Supply Chain Cyber Attacks

Many large-scale attacks have been launched against organizational supply chains, and only a few have been reported to the public. In other words, known attacks are only the tip of the iceberg. Here are some real-world attack examples you should be aware of:

  1. SolarWinds — Attackers injected a backdoor into a software update of SolarWinds, a popular networking tool used by many high profile companies and government agencies. The backdoor allowed attackers remote access to thousands of corporate and government servers. The global-scale attack led to many data breaches and security incidents.

  2. Kaseya — Attackers compromised this software solution used by MSPs, infecting it with REvil ransomware, which was then deployed together with an update of the software. The ransomware spread to thousands of customer environments, allowing attackers to extort $70 million from MSPs and their customers.

  3. Atlassian — Security researchers discovered that Atlassian applications were vulnerable to abuse of single sign-on (SSO) procedures. An attacker could use the SSO token to access applications and perform actions related to user accounts. This affected thousands of organizations that rely on Atlassian’s solutions.

  4. Apple and Microsoft — Security researcher Alex Birsan was able to hack corporate systems managed by Microsoft, Uber, Apple, and Tesla. He leveraged a dependency used by all these companies to support their end users. Birsan created harmless, fake versions of this dependency and delivered them to end-users, demonstrating an attacker’s ability to do the same with a malicious package.

  5. Mimecast — Hackers were able to compromise the security certificate that authenticated the Mimecast service on Microsoft 365 Exchange Web Services. Approximately 10% of Mimecast customers had applications that depended on the stolen certificates. In the end, few were impacted by the attack, but it could have had a much bigger impact had it not been discovered early.

  6. Codecov — Attackers infected the Codecov Bash uploader, part of a code coverage testing tool that automatically sends reports to customers. By injecting malicious code into the script, the attackers eavesdropped on Codecov servers and stole customer data.

  7. British Airways — A data breach occurred after a Magecart supply chain attack disrupted its trading system and leaked sensitive information.
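The dependency substitution demonstrated in example 4 succeeds when a build resolves package names across more than one index and accepts whatever version wins, and the Codecov case in example 6 shows what an unverified artifact can do once it is inside the pipeline. A small audit of the dependency manifest catches both conditions before a build runs. The following is an added example, not code from the article or from any package manager project; it reads a pip-style requirements file, and it assumes that internal packages share a naming prefix (here "acme-"). The requirements text and every package name and digest in it are constructed.

```python
"""Audit a pip requirements file for settings that let a substituted or
unverified package into a build.

Added example (not from the article or from pip). Assumes internal
packages share a naming prefix; sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample; the digest is a placeholder, not a real package hash.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
--extra-index-url https://pypi.internal.example/simple
widget-sdk==2.1.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-billing-client>=1.0
report-tool==6.0.1
tinylib
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    text: str
    issue: str


_NAME = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
_PINNED = re.compile(r"^[A-Za-z0-9._-]+\s*==\s*\S+")
_HASH = re.compile(r"--hash=sha256:[0-9a-fA-F]{64}")


def audit_requirements(text: str,
                       internal_prefixes: Tuple[str, ...] = ("acme-",)) -> List[Finding]:
    """Return one Finding per weak setting in a requirements file.

    Flags: an --extra-index-url line (pip resolves the highest version across
    every configured index, so a same-named public package can win), any
    requirement without an exact == pin, any requirement without a sha256
    --hash (so pip cannot verify the archive it downloads), and any internal
    package that is resolved while an extra index is configured.
    """
    lines = [raw.strip() for raw in text.splitlines()]
    uses_extra_index = any(l.startswith("--extra-index-url") for l in lines)
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append(Finding(no, line,
                "extra index configured: pip picks the highest version across all indexes"))
            continue
        if line.startswith("-"):
            continue  # other pip options (-r, --index-url, ...) are out of scope here
        m = _NAME.match(line)
        if not m:
            findings.append(Finding(no, line, "unrecognized requirement form; review manually"))
            continue
        name = m.group(1).lower()
        if not _PINNED.match(line):
            findings.append(Finding(no, line, "version not pinned with =="))
        if not _HASH.search(line):
            findings.append(Finding(no, line, "no --hash, pip cannot verify the archive"))
        if uses_extra_index and name.startswith(internal_prefixes):
            findings.append(Finding(no, line,
                "internal package with an extra index configured: dependency-confusion candidate"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.issue}: {f.text}")
```

Run against the constructed sample, the audit reports seven findings: the extra index itself, three for the unpinned internal package, one missing hash for the pinned tool, and two for the bare name; the fully pinned and hashed entry passes. In a real pipeline the same findings map onto pip's own controls: a single `--index-url` pointing at a private proxy that mirrors public packages instead of an extra index, and `--require-hashes`, which makes pip refuse any requirement that lacks a digest.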

4 Ways to Prevent Supply Chain Attacks

1. Recognize, Map, and Prioritize the Supply Chain Threat Landscape

The first step in implementing supply chain security is assessing all possible risks. It requires understanding the supply chain and its key components by inventorying suppliers and assessing their security posture. Here is how to conduct this assessment:

  • Group vendors into risk profiles

  • Prioritize each third party by their vulnerability level, access to your data and systems, and impact on your organization

  • Use questionnaires and on-site visits to assess supply chain security

  • Identify the weakest areas in the supply chain and supplement these vendors or ask them to improve their security

  • Assess the safety of hardware and software products supplied to your organization

  • Identify the processes in the supply chain that pose a threat to sensitive data and systems and determine suitable security measures

You can visualize risks by drawing a tree of all interactions between your organization and supply chain elements. This practice can help you see the full picture of supply chain risks and track connections.

2. Create a Multifaceted Supply Chain Security Strategy

Supply chain attacks can have various objectives, including ransom, sabotage, and intellectual property theft. These attacks can take many forms, such as malicious code injections into legitimate software, hijacking software updates, and attacks on IT and operational technologies.

Supply chain attacks can exploit vulnerabilities in:

  • The physical flow of assets — Including processing, packaging, and distribution processes.

  • The virtual flow of data or software — All virtual flows across connected systems and devices.

As cyber attacks increase, supply chain leaders need to coordinate with security and risk management leaders to understand these threats. All leaders should work together to jointly manage supply chain security risks.

3. Manage Remote Work Endpoint Risk

As more people work from home, the number of exploitable endpoints expands. Unfortunately, operations within a supplier’s remote telework environment can introduce more risks. This means the supplier’s users must manage the physical and virtual security of endpoints at locations outside the reach of established enterprise monitoring services.

As a result, organizations are exposed to risks caused by the unauthorized behaviors of their supplier’s employees. Common risks include device loss or theft, employees downloading sensitive data without offline protections, and the introduction of shadow IT applications, keyloggers, unvetted files, and various persistent threats.

Traditional security tools, like virtual private networks (VPNs) and virtual desktop infrastructure (VDI), cannot effectively protect organizations and mitigate these threats. These tools rely on end-users to follow security policies before and after they connect to secured networks. Organizations and supply chain leaders must monitor how remote employees use their devices to protect the supply chain.

4. Continuously Monitor Third-Party Risks

Before determining how adversaries might disrupt business operations or manufacturing production, you must consider the motivations behind potential attacks. You must also identify the most valuable corporate assets, such as proprietary information, customer information, and intellectual property, so that an effective program can prioritize what needs to be defended.

Pinpointing attack motivations and sensitive assets can help determine the systems and areas of the supply chain that require protection and how to prioritize cybersecurity investments. You can implement various measures, including threat hunting, centralized log aggregation, and sensor deployment.

Continuous supply chain protection should help uncover evidence of activity already occurring, gain deep visibility, and identify gaps in the organization’s ability to detect these activities. You can achieve this using a consolidated monitoring capability that provides visibility into threats and helps identify complex attack chains.

Supply Chain Defense

Supply Chain Security with BlueVoyant

We provide a fully managed solution that rapidly identifies and resolves critical cybersecurity issues in your third-party ecosystem.
