A supply chain attack is an attack strategy that targets an organization through vulnerabilities in its supply chain. These vulnerable areas are usually linked to vendors with poor security practices.
A data breach through a third-party vendor is possible because vendors require access to sensitive data to integrate with internal systems. When a vendor is compromised, this shared pool of data is breached.
Because each vendor stores sensitive data for multiple clients, a single supply chain attack often results in multiple businesses suffering an intellectual property breach.
Joe Biden's Cybersecurity Executive Order includes a section specifically devoted to improving supply chain security; this is a cyberthreat the entire nation must take seriously.
Types of Supply Chain Attacks
Software supply chain attacks target either the source code, update mechanism, or build processes of vendor software. A victim could be compromised by any of the following vectors:
- Third-party software updates
- Malware installed on connected devices, for example, external hard drives, cameras, phones, etc.
- Application installers
How Does a Supply Chain Attack Work?
Supply chain attacks piggyback on legitimate processes to gain uninhibited access into a business's ecosystem.
This attack begins with infiltrating a vendor's security defences. This process is usually much simpler than attacking a victim directly due to the unfortunately myopic cybersecurity practices of many vendors.
Penetration could occur via multiple attack vectors. Once injected into a vendor's ecosystem, the malicious code needs to embed itself into a digitally signed process of its host.
This is the key to gaining access to a vendor's client network. A digital signature verifies that a piece of software is authentic to the manufacturer, which permits the transmission of the software to all networked parties.
By hiding behind this digital signature, malicious code is free to ride the steady stream of software update traffic between a compromised vendor and its client network.
The malicious payload that compromised the U.S. government was injected into a SolarWinds Dynamic Link Library file (.dll file). This file was a digitally signed asset of SolarWinds Orion software, the disguise nation-state hackers needed to gain access to SolarWinds' client base.
Compromised vendors unknowingly distribute malware to their entire client network. The software patches that facilitate the hostile payload contain a backdoor that communicates with all third-party servers; this is the distribution point for the malware.
A popular service provider could infect thousands of businesses with a single update, helping threat actors achieve a higher magnitude of impact with a lot less effort.
SolarWinds announced that up to 18,000 of its customers were infected through its compromised software update across a wide spectrum of verticals, including government, consulting, telecommunications, and technology.
When a victim installs a compromised software update from a service provider, the malicious code is also installed with the same permissions as the digitally signed software, and the cyberattack is initiated.
Once installed, a remote access trojan (RAT) is usually activated to give cybercriminals access to each infected host for sensitive data exfiltration.
The SolarWinds supply chain attack was unique in that the hackers didn't initiate remote control immediately. Rather, the malware lay dormant for two weeks before initiating contact with a command and control server (a remote session manager for compromised systems also known as C2) via a backdoor.
Each initiated remote connection was to a subdomain of avsvmcloud[.]com containing a string that was unique to each victim. This string, which at first glance seemed like a random arrangement of letters, was an encoded identifier of each victim's local network domain.
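A defender can hunt for this beaconing pattern in DNS query logs. The following is an added example, not code from the original article or from SolarWinds: it groups queries under the parent domain named above by client host and scores each subdomain label's entropy. The log format, host names, and labels are constructed for illustration, and the entropy score is a generic heuristic, not a decoder for the actual identifier encoding.

```python
import math
from collections import Counter

# Parent domain as written on the page (defanged there); refanged only for matching.
WATCHED_PARENT = "avsvmcloud[.]com".replace("[.]", ".")

# Constructed sample log ("<timestamp> <client host> <query name>"); hosts and labels are invented.
SAMPLE_LOG = """\
2020-06-01T09:14:02Z ws-014 www.example.com
2020-06-01T09:14:40Z orion-01 q7k2m9x4pv81tzc3.avsvmcloud.com
2020-06-01T09:20:11Z ws-022 notavsvmcloud.com
2020-06-01T09:31:40Z orion-01 Q7K2M9X4PV81TZC3.AVSVMCLOUD.COM.
2020-06-01T09:45:03Z ws-022 avsvmcloud.com.example.org
2020-06-01T10:02:57Z mon-07 d4h8s1w6y0r3f9ga.avsvmcloud.com
malformed line
"""

def shannon_entropy(text):
    """Bits per character; encoded identifiers score higher than words like 'www'."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def label_under(qname, parent):
    """Return the part of qname left of parent, or None if it is not a true subdomain."""
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive; drop the root dot
    suffix = "." + parent.lower()
    if not name.endswith(suffix):
        return None  # rejects look-alikes such as notavsvmcloud.com
    return name[: -len(suffix)] or None

def find_beacons(log_text, parent=WATCHED_PARENT):
    """Group queries under the watched parent domain by client host."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of aborting the hunt
        timestamp, host, qname = fields
        label = label_under(qname, parent)
        if label is None:
            continue
        rec = hits.setdefault(host, {"first_seen": timestamp, "queries": 0, "labels": {}})
        rec["queries"] += 1
        rec["labels"][label] = round(shannon_entropy(label), 2)
    return hits

if __name__ == "__main__":
    for host, rec in find_beacons(SAMPLE_LOG).items():
        print(host, rec["first_seen"], rec["queries"], rec["labels"])
```

A host that keeps querying the same high-entropy label under the watched parent matches the per-victim identifier behaviour described above, and the first-seen timestamp gives responders a starting point for scoping.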
The graphic below summarises the SolarWinds supply chain attack operation. The overall process of third-party injection, malware deployment, and initiation of data communications via a back door is the basic framework of all supply chain attacks.
A supply chain attack could be used as a prelude to a mass ransomware attack. Or, as was the case with the SolarWinds breach, it could be a reconnaissance mission for a future, more sinister, attack.
The destructive efficiency of the nation-state supply chain attack is evidence of how dangerously vulnerable many businesses are to breaches from their third-party vendors.
Examples of Supply Chain Attacks
Supply chain attacks allow cybercriminals to infect a multitude of victims without having to deploy phishing attacks on each individual target. This increased efficiency has boosted the prevalence of this attack method of late.
Here are some popular examples of supply chain attacks.
U.S. government supply chain attack
Date: March 2020
This event will likely be the ubiquitous example of a supply chain attack deep into the future. In March 2020, nation-state hackers penetrated internal U.S. government communications through a compromised update from its third-party vendor, SolarWinds.
The attack infected up to 18,000 customers globally, including six U.S. government departments:
- The Department of Energy
- The National Nuclear Security Administration
- The U.S. Department of State
- The U.S. Department of Commerce
- The U.S. Department of the Treasury
- The Department of Homeland Security
Investigations are still ongoing. It may take months, or even years, to discover the final impact of a cyberattack dubbed by experts as one of the most sophisticated supply chain attacks ever deployed.
Target supply chain attack
Date: February 2014
Target USA suffered a significant data breach after cybercriminals accessed the retailer's sensitive data through a third-party HVAC vendor. Cyber attackers accessed Personally Identifiable Information (PII) and financial information impacting 70 million customers and 40 million debit and credit cards.
Attackers breached the HVAC third-party vendor via an email phishing attack.
Equifax supply chain attack
Date: September 2017
Equifax, one of the largest credit card reporting agencies, suffered a data breach via an application vulnerability on their website. The breach impacted over 147 million of Equifax's customers. The stolen sensitive data included social security numbers, driver's license numbers, birth dates, and addresses.
Paradise Papers supply chain attack
Date: November 2017
Confidential offshore investment documents, dubbed the Paradise Papers, were breached via third-party law firm Appleby. The sensitive data exposed 13.4 million investment records of the wealthy 1%, including Donald Trump, Justin Trudeau, Vladimir Putin's son-in-law, and even Queen Elizabeth.
Panama Papers supply chain attack
Date: April 2016
Panamanian law firm Mossack Fonseca leaked over 2.6 terabytes of sensitive client data in a breach. The breach revealed the devious tax evasion tactics of over 214,000 companies and high-ranking politicians.
Law firms tend to be the most desirable cyberattack targets due to the treasure trove of highly sensitive, and therefore highly valuable, customer data they store in their servers.
Supply Chain Attack Statistics
The adoption of this cyber attack method is growing at an alarming rate. According to a study by Symantec, supply chain attacks increased by 78% in 2019. This prevalence is expected to further increase as threat actors, motivated by the success of the US government breach, switch their preference to this attack method.
The cost of supply chain attacks
The financial impact of a supply chain attack could be monumental, regardless of the size of a business. Multiple factors contribute to the resulting cost such as breach investigation efforts, loss of business due to reputation damage, and regulatory fines.
According to a report from IBM and the Ponemon Institute, the average cost of data breaches in 2020 was USD 3.86 million and the average time to identify and contain a breach was 280 days - that's over 9 months.
The average data breach cost in the United States is the highest at USD 8.19 million per breach.
In the United States, the healthcare and financial industries incur the highest data breach costs due to their stricter regulatory requirements for protecting sensitive data.
The average cost per data breach in the healthcare and finance industries is USD 7.13 million and USD 5.56 million respectively.
In addition to regulatory burdens, the high price of data breaches is a result of the prolonged remediation time of each incident. 280 days is about 75% of the year, which is a significant amount of time to pay for additional corrective action while profit margins dwindle, or even plummet.
The key to driving down costs in the event of a supply chain attack is to have a finely tuned remediation process at hand that can be activated at speed.
Speedy detection and remediation could also minimize the time cyber attackers spend in your ecosystem, which will in turn minimize the amount of compromised sensitive data.
How to Prevent Supply Chain Attacks
The key to defending your digital supply chain is to ensure each of your third-party vendors is compliant with the strictest of cybersecurity standards as outlined in a Third-Party Risk Management framework.
Complacency is the primary cause of supply chain attack vulnerability. This is partly due to the fact that businesses are unaware of how susceptible even the most trusted vendors are to data breaches.
To keep your third-party vendors compliant, security questionnaires should be sent to each of them on a regular basis to continuously scrutinize their security posture.
Each questionnaire should be tailored to a specific industry and adjusted for each business's unique requirements. You could create the questionnaires yourself or, ideally, instantly populate and send them from a sophisticated third-party risk management solution.
To give your business the best chances of mitigating supply chain attacks, these questionnaires should be sent immediately after noticing a drop in the security score for a particular vendor.
Two-factor authentication could also prevent supply chain attacks. If vendors activate this security protocol, threat actors will be presented with an additional chasm to cross between themselves and a vendor's internal systems.