In cybersecurity, supply chain attacks are some of the most dangerous threats out there. That’s not necessarily because they do the most damage — it’s more because they tend to be difficult to guard against by their very nature.
But what is a supply chain attack? And how do you make sure your organization isn’t at risk of falling prey to one? Here, we’ll discuss all these points in detail.
Definition of a Supply Chain Attack
A supply chain attack is a cyberattack that targets a third-party vendor whose software or services make up a key part of an organization’s supply chain. By “supply chain,” we mean the collective sum of the people, software, hardware, resources and other organizations involved in getting a product to market, from the design stage to its delivery.
These attacks work on the principle that a chain is only as strong as its weakest link. Rather than attacking the main organization behind a product, supply chain attacks seek out lesser known, often lesser protected components related to that organization. This gives cyberattackers entry to that main organization through a proverbial “soft underbelly.”
That probably sounds like a very wide-reaching vulnerability for a lot of organizations. Unfortunately, that’s a big factor behind why supply chain attacks are so common and so effective. Because supply chains are long and often difficult to track in nearly every industry, supply chain attacks directly threaten a staggering number of organizations. Anyone that uses a third-party vendor — especially in a digital capacity — is potentially at risk.
How Does a Supply Chain Attack Work?
Broadly speaking, there are two types of supply chain attacks.
Software supply chain attacks are cyberattacks where an attacker injects malware into an application. The attack spreads as more parts of the supply chain use the app in question.
Hardware supply chain attacks are cyberattacks launched from a component installed in a physical device, such as a circuit board in a computer. The attack then spreads as the infected device interacts with other devices on the same network or the internet.
Of these two, a software supply chain attack is far and away the most common. The fact that software attacks can be conducted remotely is one big advantage to hackers, of course, but an even bigger factor is how much more vulnerable software is to a breach.
The reason comes down to how software typically uses repeat code, which opens multiple applications up to attack should any one of those pieces of code be less than secure. Consider that nowadays, the average piece of software is 75% code from open source libraries or other external sources — if any one of those pieces of reused code contains a vulnerability, the entire finished application becomes vulnerable to a supply chain attack.
So how might a software supply chain attack be carried out? There are a few common MOs:
- Dependency confusion: Malicious actors register a piece of software or code commonly used in app design (known as a “dependency”) as an official release with a new version number. Because the software is designed with vulnerabilities, any apps that use it can later be broken into by the hackers.
- Development tool compromises: Hackers break into a software development tool and alter it to introduce vulnerabilities into any software developed in it. Software made using this tool becomes compromised even before its production is finished.
- Stolen certificates: By exploiting weaknesses in cryptographic processes, hackers falsify or steal digital certificates used to verify users for entry into secure websites or networks. From that point of entry they typically either infect the system with malware or add in malicious code under the guise of being official.
These are just a few examples of how entry can happen. But the main distinction is that all of them happen in a less-protected system, then work their way outward to other components in the company network.
Impact of a Supply Chain Attack
The exact damage from a supply chain attack varies, but it will invariably be extensive. Remember that by their nature supply chain attacks grant hackers full access to an organization’s network and resources, so there’s little room for silver linings here.
We’ve been referencing malware frequently in this rundown, and frankly, even on its own this type of malicious software is an enormous threat. Remember that the term “malware” is a wide umbrella for any type of infectious software, including viruses, spyware, botnets, rootkits and ransomware. When an organization suffers a supply chain attack, any one or all of these threats can follow (assuming they weren’t installed right when the attack began).
Confidential information is the cyberattacker’s gold mine. When a supply chain attack succeeds, it typically follows that hackers will steal every bit of personal data they can possibly mine — everything from identification and banking credentials to company secrets. And because these attacks are especially insidious and difficult to detect, they will almost certainly compromise a colossal amount of data.
But just as often, a supply chain attack will cost organizations directly. As said before, these attacks are often the way ransomware worms its way onto company systems, which will cost them directly (and majorly). But beyond that, malware from a supply chain attack can just as easily render hardware or software inoperable, making it impossible to actually conduct business. As any manager can tell you, that disruption costs an organization just as much as a direct fee, thanks to the time spent not generating profits.
Examples of a Supply Chain Attack
It’s easy to see in the abstract that a supply chain attack can have devastating consequences. But we don’t need to limit that thinking to the hypothetical.
For proof, look no further than to a few of the biggest cyberattacks in history.
To this day one of the biggest data leaks in the United States, these hacks devastated Target, one of the country’s largest retail chains. According to a US Senate analysis, the attacks here began in late 2013 through a small HVAC company the chain had partnered with. This third-party vendor had little in the way of cybersecurity standards, and once hackers had broken into it, they were soon able to access the main servers of Target itself.
There, attackers found a treasure trove of confidential data: 70 million customers’ personal information was leaked in the hack, including the credit card and banking numbers for 40 million of those users.
As if the damage to Target’s reputation from the attack wasn’t bad enough, the company also lost $202 million USD from relevant operating expenses (after insurance), then another $153.9 million USD for the combined settlements from various lawsuits.
Although the 2017 NotPetya incident can be categorized as Russian malware, it’s crucial to note that this hack found its foothold in systems through a supply chain attack. This nasty bit of ransomware was able to shut down entire banks and even power plants, but patient zero for this infection was far more humble: MeDoc, a popular Ukrainian accounting program.
By exploiting a backdoor entry in MeDoc, hackers broke into the program and sneaked the NotPetya malware into its latest update. Once that update was rolled out, users across industries were hit, and hit hard. While the attack primarily targeted Ukraine, it also spread around the world and racked up total damages to the tune of $10 billion USD.
Another breach attributed to Russian hackers, the SolarWinds hack in 2020 resulted in a massive cyberattack affecting major entities, including Microsoft, Intel and a wide range of US government offices.
Here again, the attack originated from a third-party vendor — the network monitoring software Orion from the software developer SolarWinds. Hackers created a backdoor within Orion, and from there injected malware into the networks of over 30,000 public and private organizations.
The attack was of course shocking because of how many high-profile entities saw their confidential data compromised. An equally worrying factor was how long it took to actually detect the hack at all: 14 months passed before anyone affected even noticed the breach, again demonstrating how widespread damages from a software supply chain attack can be.
Preventing a Supply Chain Attack
The single most effective safeguard against supply chain attacks is demonstrable trust in your partners’ cybersecurity. That means doing business only with organizations that take online protection seriously — which would rule out, for example, a hypothetical communications vendor that ignores such an attack as a false positive during system inspections.
As far as protecting your own organization goes, the most critical step to take is minimize access to your most confidential data. Allow only a select few authorization to view your stored financial information and personal data, and as much as possible use zero-trust security standards that require users to verify themselves any time sensitive files are approached. On a smaller scale, Two-Factor Authentication and encryption are also highly effective ways to keep out prying eyes and ears.
Because of these major risks and more, Wildix takes security seriously. Our communications platform is built with protections as part of its inherent architecture, resulting in a solution that combines encryption, digital certificate verification and more for a secure-by-design environment that keeps users safe without external SBCs, VPNs or firewalls.
However you enforce your cyber protections, be sure your policy isn’t limited to within your own house. As supply chain attacks show, the fallout from a poorly secured partner can be just as devastating as leaving the doors to your organization wide open.
For more insight on cybersecurity and tech, subscribe to receive our magazine for free!