Modern organisations do not work in isolation and increasingly rely on third parties such as partners and suppliers through online applications and services. This web of connections opens them up to attack.
A chain is only as strong as its weakest component: a lesson that criminal hackers have taken on board in attacking components of networks and the software supply chain to plant malware, disrupt systems or steal data.
The weakest link
Cybercriminals exploit any trusted relationships to compromise the weakest link in the supply chain, for example, a supplier with weak access controls without two-factor authentication or a vendor with poor network security controls.
Once an attacker gains access to the supplier’s network, they work their way up the supply chain to target its partners or clients, a process that can take weeks or months as attackers seek to gain ever greater privileges and access to more sensitive systems. After gaining entry to the target network, the attacker can install backdoors or plant malware.
Notable supply chain attacks
This is not a new phenomenon, albeit one that is getting more severe over time. Examples of notable supply chain security breaches are numerous and growing:
1) SolarWinds hack (2020): The SolarWinds breach involved the compromise of SolarWinds’ software supply chain. Cybercriminals infiltrated SolarWinds’ software development systems and injected malicious code into a software update for its Orion IT performance monitoring software. Orion’s enterprise customers – including US government agencies and major corporations – were left with a backdoor on their systems, leaving them vulnerable to secondary payloads. Only a small percentage of an estimated 18,000 victims were targeted. The attack relied on superuser access to SAML token-signing certificates to create forged access credentials. Russia’s foreign intelligence service (SVR) is the prime suspect in the attack.
2) NotPetya ransomware attack (2017): Attackers compromised the patching mechanism of the Ukrainian accounting software M.E.Doc to push tainted software updates containing a strain of ransomware that wiped infected systems once it was applied. The malware – which relied in part on the leaked EternalBlue exploit to spread – wiped the Master Boot Record of infected Windows systems. Although targeted at Ukraine’s financial and energy sector, the malware wreaked havoc on the systems of multinationals that operated in Ukraine. Its victims included shipping giant Maersk and FedEx. Western intelligence agencies have blamed Russian military intelligence (GRU) for the attack, which cost an estimated $10 billion in damages worldwide.
3) Target data breach (2013): Cybercriminals gained access to Target’s network through a third-party HVAC (heating, ventilation, and air conditioning) contractor. They were able to get into Target’s network after stealing network credentials from Fazio Mechanical Services, the US retail giant’s HVAC supplier. These stolen credentials were used to infiltrate Target’s network, plant malware on point-of-sale devices, and ultimately steal credit and debit card information from millions of customers.
4) Equifax (2017): Equifax suffered a data breach that exposed the personal information of millions of customers. The attackers gained access to Equifax’s systems in May 2017 through an unpatched vulnerability in Apache Struts (CVE-2017-5638, for which a critical patch had been released two months prior to the hack). Cybercriminals broke into the credit reference agency’s database through its vulnerable dispute resolution portal before siphoning off millions of credit records of US and UK residents, the US driving licence particulars of an estimated 10 million people and the credit card numbers of 209,000 US consumers.
In 2020, US prosecutors charged four named members of the Chinese People’s Liberation Army over the hack. China denied involvement and no arrests have ever been made.
5) Kaseya (2021): A vulnerability in Kaseya’s Virtual Systems Administrator (VSA) software was exploited to run an attack against multiple managed service providers (MSPs) and their customers in July 2021.
The VSA server is a remote monitoring and management tool typically used to manage large fleets of computers.
The exploitation of an authentication bypass vulnerability in the on-premises Kaseya VSA server by the REvil ransomware group caused disruption in hundreds of companies. Kaseya, which denied it paid a ransom to cybercriminals, was able to obtain a decryption tool from an unnamed third party.
6) DDoS Attack on Dyn (2016): Dyn, a major provider of Domain Name System (DNS) services, experienced a distributed denial of service (DDoS) attack that disrupted access to popular websites including Twitter, Netflix, and Amazon.com. The attack harnessed vulnerable IoT (Internet of Things) devices, such as webcams and DVRs, which were infected with the Mirai malware and used to launch a massive botnet-powered attack against Dyn’s infrastructure.
7) British Airways (2018): British Airways (BA) was targeted by a Magecart-style supply chain attack that exposed 380,000 payments and the personal data of approximately 500,000 customers and ultimately resulted in the ICO handing out a €20 million fine for violating GDPR (the EU data protection regulation).
BA is only the most high-profile of scores of victims of Magecart-style attacks.
These examples show that supply chain attacks can have various objectives, including but not limited to mischief-making, cybercrime, cyber-espionage, sabotage, and intellectual property theft.
Less skilled attackers are, in many cases, taking on the tactics pioneered by nation-state-backed attackers, according to threat intel researchers.
Lotem Finkelstein, director of threat intelligence & research at Check Point Software said: “Threat actors are continuously developing their attack techniques, which increasingly rely less on the use of custom malware and shift instead to utilising non-signature tools. They use built-in operating system capabilities which are already installed on the target’s machine and exploit popular IT management tools that are less likely to raise suspicion when detected. Commercial off-the-shelf pen testing and red team tools are often used as well.
“Although this is not a new phenomenon, what was once rare and exclusive to sophisticated actors has now become a widespread technique adopted by all threat actors.”
While the risk of cyber attacks on your supply chain cannot be eliminated, organisations can significantly reduce the likelihood and impact of a supply chain attack by educating their suppliers and conducting stringent and frequent audits. Part of that process can involve drawing up a software bill of materials (SBOM), so that a vulnerable component such as the Struts library in the Equifax case can be found in the products you depend on. We also have some advice on the first steps of onboarding, such as cyber security questions to ask your third-party suppliers.
Talk to us about supply chain security
If you need support and direction in managing your third-party supply chain, call us for a no-obligation chat.
We can provide several different solutions that can be tailored to your business to support the management of your supply chain security.
Part of our supply chain managed service includes the use of our web application SupplyIQ, which we use to gather information from our client’s suppliers to identify risks and advise the best way forward. Some clients then ask us to work with their third-party suppliers, to advise them on steps required to reduce risks and to monitor their progress.
"*" indicates required fields