Supply chain attack: What is it and how does it work?

A supply chain attack is a cyberattack that targets organizations by hitting the weaker links in their supply chain — third-party vendors or suppliers that provide software, hardware, or services. By infecting a supplier’s software or hardware, hackers gain unauthorized access to the supply chain and distribute malware throughout the network, which causes severe data breaches. Supply chain attacks can be difficult to detect and mitigate because the compromised components may have already been widely distributed throughout the chain by the time the attack is discovered.

A supply chain is a system of individuals, organizations, resources, and processes involved in the production, distribution, and sale of products. It includes all the steps involved in getting the product or service to the end user: transportation of materials from supplier to manufacturer, production, and delivery of the final product to retail centers and customers. And any link in this chain can be hit by a supply chain attack. But how exactly do these attacks work?

Supply chain attacks are committed in different ways, depending on the attacker’s objectives and the vulnerabilities they exploit. This is how cybercriminals carry out supply chain attacks:

• Compromise software. Malicious code can be designed to steal data, disrupt operations, or take control of systems. When customers install or use the compromised products, the malware spreads, affecting the processes or systems or stealing data. These attacks are highly sophisticated and organized because the code needs to be injected into a guarded system and hidden behind legitimate processes.
• Tamper with physical components. Malicious actors may physically tamper with legitimate hardware components, even USB drives, phones, tablets, and keyboards, by replacing them with malicious ones or modifying them. They may install chips on network devices to send data out of the network, which may result in long-term data breach and spying. However, these types of attacks are rare due to how difficult they are to accomplish, and they usually require a human being on the inside to be performed successfully.
• Compromise firmware. This involves inserting malicious code into a computer’s booting code. Once the computer boots up, the malware spreads and corrupts the whole system. Firmware supply chain attacks are quick, barely detectable if you’re not looking for them, and incredibly damaging.
• Use social engineering techniques. Hackers may carry out phishing attacks to trick employees into disclosing confidential information, such as login credentials or sensitive data about the company or its clients. They may use ransomware, scareware, or baiting techniques to elicit sensitive information. They may also impersonate a legitimate supplier or vendor to gain trust of the targeted organization and get access to their customers’ networks.
• Compromise third parties. Cybercriminals may target a supplier or vendor’s third-party service providers, for example, the providers of hosting or cloud services, or payment processors, which have access to their customers’ data or systems. By compromising these providers, criminals can gain access to their customers’ networks.
• Disrupt the supply chain. Attackers may disrupt the supply chain process itself by causing delays, errors, or inconsistencies in the manufacturing, transportation, or delivery processes. This often leads to quality issues, financial losses, and customer dissatisfaction.

Supply chain attacks pose a huge risk to all entities that share data with their vendor network and use third-party software products and services. If cybercriminals manage to compromise a link in the supply chain, the effects of the breach reverberate throughout the whole network, affecting everyone involved, including end users. These attacks are attractive to hackers for three main reasons:

• A large number of victims — if the malware spreads throughout the supply chain.
• Specific targeting — of a region, sector, or company.
• Exploitation of verified pathways — they make use of the trusting relationship between vendors and organizations.

Any company in the manufacturing, retail, or financial sector and even government agencies can suffer a supply chain attack if they work with third-party vendors that lack top-notch cybersecurity measures.

Major supply chain attacks have occurred in recent years, with the SITA, SolarWinds, and Passwordstate being prime examples.

In March 2021, it came to light that the air transport data giant SITA was hit by a severe international supply chain attack that breached its US-based servers. This is alarming because SITA is a vendor for over 400 airlines, and its Passenger Service System stores sensitive customer information, including names, addresses, passport data, and contact information.

An investigation revealed that cybercriminals compromised SITA’s frequent flier programs and stole the personal data of over 4.5 million passengers who have registered with the main Indian airlines, Air India, over the past decade. Following the breach, passengers were urged to change their passwords. Several other airlines using SITA’s services were also notified about the breach because potentially they might have been affected as well.

In 2020, SolarWinds, a Texas-based company providing network management software was hacked by a group known as APT29 or Cozy Bear, which is believed to be sponsored by the Russian government.

The hacking group accessed SolarWinds’ production environment and established a backdoor to its infrastructure monitoring and management tool, the Orion Platform. Hackers inserted malicious code into a software update that was then distributed to SolarWinds’ customers. All customers, including several US federal government agencies and thousands of private companies, who ran the malicious code suffered data breaches and other security incidents.

The SolarWinds attack, believed to have started as early as 2019, was highly sophisticated and well-coordinated. The attackers applied a variety of techniques, like disguising their activities as legitimate traffic, using encryption to hide their communications, and deleting log files to cover their tracks. This is potentially one of the most significant cyberattacks in history, with serious consequences for national security and the global economy.

In April 2021, the Passwordstate password managing app by the Australian company Click Studios suffered a significant supply chain attack when hackers compromised its updating functionality by inserting malicious code. The password management solution is used by thousands of companies worldwide.

According to Passwordstate, malicious actors compromised the upgrade directory and installed a dynamic link library (DLL) into an update that allowed them to harvest information, including usernames and passwords, from the users who performed the upgrade of the software until the breach was discovered two days later.

You can take several steps to detect and reduce the security risks associated with your supply chains:

1. Assess your supply chain. This will help understand the risks and security gaps associated with each vendor. Use tools such as vulnerability scanners, penetration testing, and threat intelligence to identify and mitigate risks. Identify the vendors that have access to confidential data and systems, and ensure secured access.
2. Monitor your supply chain. Look out for suspicious or atypical activity. Keep track of changes in vendor ownership, management, or behavior.
3. Use multi-factor authentication (MFA). Implement it for all vendor access to systems and data. Only authorized individuals should be able to gain access to your systems.
4. Conduct security audits. Audit your vendors’ security controls and ensure they have the right security standards and practices in place.
5. Secure your systems. Ensure that your systems and applications are secure and up to date.

By taking these steps, you can significantly reduce the risk or supply chain attacks.

Protecting against supply chain attacks requires a comprehensive and proactive security strategy that includes the following measures:

• Implementing strong cybersecurity measures, practices, and protocols.
• Hiring a security firm or having in-house security teams monitor for security issues.
• Monitoring the supply chain for signs of anomalous activity or security events, using tools such as intrusion detection systems, log management, and automated threat forensics. Training the staff to recognize and report suspicious behavior or phishing attempts.
• Verifying the integrity of software updates and security patches before deploying them.
• Adopting secure coding practices and regularly scanning the code for vulnerabilities to avoid introducing malicious code into the supply chain.

To minimize the risks of working with software vendors and suppliers, organizations should:

• Vet every third-party supplier and vendor for security risks. This includes background checks, security assessments, and audits. Establish clear security requirements and contractual obligations, such as data protection, incident reporting, and compliance with industry standards.
• Implement strong access controls and authentication mechanisms to limit the exposure of sensitive data and systems to authorized users only, including the introduction of multi-factor authentication. NordVPN offers a great solution for business — NordLayer — that seamlessly integrates with all of your platforms and allows employees to securely access your company’s resources.
• Perform regular security audits and assessments.
• Develop a detailed incident response plan that outlines the steps to take in case of a supply chain attack, such as notifying affected parties, containing the breach, and restoring operations. Test and update the plan regularly to ensure it remains effective.
• Maintain awareness of advanced cyber threats and stay up-to-date with security best practices.
• Carry out regular risk assessments regarding their supply chain.

By adopting these measures, organizations can reduce the likelihood and impact of supply chain attacks and improve their overall cybersecurity.