Supply chain attacks: Cyber criminals are targeting software providers

• Author:
• Author name

  Quantumrun Foresight
• February 9, 2023

Supply chain attacks are a growing concern for businesses and organizations worldwide. These attacks occur when a cybercriminal infiltrates a company’s supply chain and uses it to access the target organization’s systems or data. The consequences of these attacks can be severe, including financial losses, damage to a company’s reputation, compromise of sensitive information, and disruption of operations. 

Supply chain attacks context

A supply chain attack is a cyberattack that targets third-party software, particularly those that manage a target organization’s systems or data. According to the 2021 “Threat Landscape for Supply Chain Attacks” report, 66 percent of supply chain attacks over the past 12 months targeted a supplier’s system code, 20 percent targeted data, and 12 percent targeted internal processes. Malware was the most commonly used method in these attacks, accounting for 62 percent of incidents. However, two-thirds of attacks on customers took advantage of trust in their suppliers.

One example of a supply chain attack is the 2017 attack on the software company, CCleaner. Hackers were able to compromise the company’s software supply chain and distribute malware through the software updates, which affected millions of users. This attack highlighted the potential vulnerabilities of relying on third-party providers and the importance of strong security measures to protect against these attacks.

The increasing reliance on third-party providers and complex digital supply chain networks are the major contributors to the growth of digital supply chain crimes. As businesses outsource more of their operations and services, the number of potential entry points for attackers increases. This trend is particularly concerning when it comes to small or less secure suppliers, as they may not have the same level of security measures in place as the larger organization. Another factor is the use of outdated or unpatched software and systems. Cybercriminals often exploit known vulnerabilities in software or systems to gain access to a company’s digital supply chain. 

Disruptive impact

Supply chain attacks can have severe long-term damage. A high-profile example is the December 2020 cyber attack on SolarWinds, which provides IT management software to government agencies and businesses. The hackers used the software updates to distribute malware to the company’s customers, including multiple US government agencies. This attack was significant because of the scale of the compromise and the fact that it went undetected for several months.

The damage is even worse when the target company provides essential services. Another example was in May 2021, when the global food company JBS was hit by a ransomware attack that disrupted its operations in multiple countries, including the US, Canada, and Australia. The attack was carried out by a criminal group known as REvil, which exploited a vulnerability in the company’s third-party software. The incident also affected JBS’s customers, including meatpacking plants and grocery stores. These companies faced shortages of meat products and had to find alternative sources or adjust their operations.

To protect against digital supply chain attacks, it is essential for businesses to have resilient and flexible security measures in place. These measures include conducting thorough due diligence on third-party providers, regularly updating and patching software and systems, and implementing strong security policies and procedures. It is also important for companies to educate their employees on how to identify and prevent potential attacks, including phishing attempts.

Implications of supply chain attacks 

Wider implications of supply chain attacks may include:

• The reduced utilization of third-party software and greater reliance on in-house solutions for sensitive data, particularly among government agencies.
• Increased budgets for internally developed cybersecurity measures, particularly among organizations that provide essential services like utilities and telecommunications.
• Increasing incidents of employees falling victim to phishing attacks or inadvertently introducing malware into their respective company’s systems.
• Zero-day attacks becoming commonplace as cybercriminals take advantage of software developers implementing regular patch updates, which can have multiple bugs that these hackers can exploit.
• The increasing use of ethical hackers hired to search for vulnerabilities in software development processes.
• More governments passing regulations that require vendors to provide a full list of their third-party suppliers, as well as potential audits of software development processes.

Questions to comment on

• How many third-party apps do you rely on for day-to-day business, and how much access do you allow?
• How much security do you believe is sufficient for third-party vendors?
• Should the government step in to enforce regulatory standards for third-party vendors?