What Is a Supply Chain Attack?
A supply chain attack is a type of cyberattack in which an attacker breaches an upstream software or service vendor, distributor, or supplier in order to reach the downstream systems of that supplier's customers.
For example, an attacker may compromise a software provider and use its own release process to ship malicious updates, carrying backdoored code or malware, to every customer that installs them. Any segment of the software supply chain can be targeted: source code, build systems, package repositories, update servers, or the signing keys that vouch for all of these.
There are two main forms of supply chain compromise:
- Hardware supply chain attacks: Threat actors tamper with physical hardware components such as USB drives and phones before they reach the victim, so that the compromised device infects whatever it is later connected to.
- Software supply chain attacks: Cybercriminals infiltrate a software vendor's environment or code base and alter it, so that the vendor's own distribution channel delivers harmful code and updates to customers.
Types of Software Supply Chain Attacks
Software supply chain hacks can come in many different shapes and sizes. Some of the most common types are listed below.
- Hacking the software development environment: Cybercriminals break into an organization's development or build environment and alter the application's source code or build output, so that the vendor's own update channel delivers a backdoor that harvests customer data.
- Stealing certificates: Attackers steal an organization's code-signing certificates and private keys, so malicious tools carry a valid signature and pass any check that relies on signature validity alone.
- Deploying compromised devices: Threat actors infect hardware devices such as USB drives, cameras, and phones with malware to spread malicious code to other devices and networks.
- Targeting firmware: Some attackers insert malware into a computer's firmware so that it executes at boot, before the operating system and its security tools load.
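The two software-side cases above (a trojanized build coming out of a compromised development environment, and a stolen code-signing key) share one lesson: a valid signature from the vendor's key is not by itself evidence that an update is safe. The following Go program is an added example written for this page, not code from any vendor or update framework; the `Verifier` type, its key-ID scheme and the sample payloads are hypothetical, and the out-of-band manifest stands in for a digest list obtained through a second channel (a vendor security page, a transparency log). It pins a single publisher key, honours a revocation list, verifies the Ed25519 signature, and then independently checks the payload digest against the manifest. A backdoored build signed with the stolen key passes the signature check but fails the digest check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors so callers can tell which independent check failed.
var (
	ErrUnknownSigner  = errors.New("update not signed by the pinned publisher key")
	ErrRevokedKey     = errors.New("publisher key has been revoked")
	ErrBadSignature   = errors.New("signature does not verify over the payload")
	ErrNotInManifest  = errors.New("artifact is not listed in the out-of-band manifest")
	ErrDigestMismatch = errors.New("artifact digest differs from the manifest")
)

// Verifier holds the trust material an update client pins at build time.
// Hypothetical type for this example, not the API of any real update framework.
type Verifier struct {
	Publisher ed25519.PublicKey // the one key allowed to sign updates
	Revoked   map[string]bool   // key IDs withdrawn after a theft or compromise
	Manifest  map[string]string // artifact name -> hex SHA-256, obtained over a second channel
}

// KeyID derives a stable identifier (hex SHA-256 of the key bytes) for a public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyUpdate accepts an update only if every check passes: the signer is the
// pinned publisher, the key is not revoked, the signature verifies, and the
// payload digest matches the manifest published out of band.
func (v Verifier) VerifyUpdate(name string, payload, sig []byte, signer ed25519.PublicKey) error {
	if !signer.Equal(v.Publisher) {
		return ErrUnknownSigner
	}
	if v.Revoked[KeyID(signer)] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(signer, payload, sig) {
		return ErrBadSignature
	}
	want, ok := v.Manifest[name]
	if !ok {
		return ErrNotInManifest
	}
	if digest(payload) != want {
		return ErrDigestMismatch
	}
	return nil
}

// RunScenario plays out four deliveries against one client and returns the
// verdict for each. Keys and payloads are generated here (constructed data).
func RunScenario() (map[string]error, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pubAttacker, privAttacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("agent-1.4.2 installer (constructed sample payload)")
	trojan := []byte("agent-1.4.2 installer (constructed sample payload) + implant")

	client := Verifier{
		Publisher: pubPublisher,
		Revoked:   map[string]bool{},
		Manifest:  map[string]string{"agent-1.4.2": digest(genuine)},
	}
	results := map[string]error{}
	// 1. The real release, signed by the real key: accepted.
	results["genuine"] = client.VerifyUpdate("agent-1.4.2", genuine, ed25519.Sign(privPublisher, genuine), pubPublisher)
	// 2. A backdoored build signed with the stolen publisher key: valid signature, wrong digest.
	results["trojan-stolen-key"] = client.VerifyUpdate("agent-1.4.2", trojan, ed25519.Sign(privPublisher, trojan), pubPublisher)
	// 3. A build signed with the attacker's own key: rejected before any crypto runs.
	results["attacker-key"] = client.VerifyUpdate("agent-1.4.2", genuine, ed25519.Sign(privAttacker, genuine), pubAttacker)
	// 4. After the vendor revokes the stolen key, even the genuine release is refused until the client is rekeyed.
	client.Revoked[KeyID(pubPublisher)] = true
	results["genuine-after-revocation"] = client.VerifyUpdate("agent-1.4.2", genuine, ed25519.Sign(privPublisher, genuine), pubPublisher)
	return results, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "trojan-stolen-key", "attacker-key", "genuine-after-revocation"} {
		fmt.Printf("%-25s -> %v\n", name, results[name])
	}
}
```

The order of the checks matters: the signer identity and revocation status are tested before any signature arithmetic, and the manifest comparison runs even when the signature is good, because in the stolen-key case the signature is exactly what the attacker can forge. Revocation is deliberately coarse here; a production client would also need a signed, timestamped revocation feed so that the revocation list itself cannot be rolled back.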
Examples of Supply Chain Attacks
Over the past few years, there have been a number of high-profile software supply chain compromise incidents.
| Major supply chain attacks | What, when, who |
| --- | --- |
| SolarWinds supply chain attack | One of the largest supply chain attacks on record. A threat actor (later attributed to Russia's SVR) compromised SolarWinds' build environment, inserted a backdoor into the Orion platform, and let SolarWinds' own signed updates carry it to roughly 18,000 downstream customers during 2020. The compromise was disclosed in December 2020. |
| 3CX supply chain attack | In March 2023, enterprise phone system vendor 3CX was compromised after an employee installed a trojanized version of Trading Technologies' X_Trader software downloaded from that vendor's website. The attackers (attributed to North Korea) used their foothold in 3CX's systems to trojanize 3CX's own signed desktop app, which was then delivered to 3CX's customers: one supply chain compromise feeding another. |
| Kaseya supply chain attack | In July 2021, the REvil ransomware group exploited zero-day vulnerabilities in on-premises Kaseya VSA servers, the remote monitoring and management product used by managed service providers, and pushed ransomware through them to the systems of over 1,000 downstream organizations, demanding $70 million for a universal decryption key. |
How Common Are Supply Chain Attacks?
These attacks are common because attackers know that breaching a single high-value supplier can open the internal systems of hundreds or even thousands of downstream customers.
Research cited for 2022 reports that supply chain attacks surpassed malware-based attacks by 40%, with 1,743 supply chain attacks impacting over 10 million people, compared with 70 malware-based attacks impacting 4.3 million people.
By attacking one supplier, a financially motivated cybercriminal can therefore generate a significant return on investment, gaining access to many customers' internal environments for the cost of a single intrusion.
The frequency of supply chain attacks means that organizations need to proactively assess the security posture of third-party providers before contracting their services, not only after an incident.
How to Prevent Supply Chain Attacks
Preventing supply chain attacks is harder than preventing traditional cyberattacks because an organization has no direct control over the security measures and procedures its upstream providers use to protect their own environments.
Instead, organizations have to conduct due diligence on their suppliers, including ongoing risk assessments and gathering evidence of security practices and certifications, to establish whether software vendors are adequately protected against threat actors.
More specifically, there are some key steps that organizations can take to manage third-party risk and prevent data breaches:
- Conduct a risk assessment to identify vulnerabilities in the software supply chain;
- Build a formal risk management program to continuously assess supply chain risk;
- Continuously monitor the security posture of third-party service providers throughout the contract lifecycle;
- Ask third parties whether they implement security best practices, including secure software development practices, a vulnerability disclosure and response program, a patch management strategy, and an approved suppliers list and component inventory;
- Create a well-defined incident response plan so that breaches can be contained quickly if they do occur;
- Implement identity and access management and privileged access management to make it harder for attackers to move laterally within your network;
- Use threat intelligence to identify when new supply chain threats emerge.
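Of the steps above, the approved suppliers list and component inventory are the ones that can be enforced mechanically rather than by questionnaire. The Go program below is an added example for this page, not a tool from any vendor or standard; the inventory format, the `Policy` structure, the supplier names and the digests are all constructed for illustration. It reads a minimal SBOM-like inventory, then reports every component whose supplier is not on the approved list, whose version is not pinned, whose digest is missing, whose digest has changed since it was last reviewed, or which has been added without review, and flags duplicate entries.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Component is one entry of the organization's component inventory
// (a minimal SBOM-like record; hypothetical format for this example).
type Component struct {
	Name     string `json:"name"`
	Version  string `json:"version"`
	Supplier string `json:"supplier"`
	SHA256   string `json:"sha256"`
}

// Policy is the approved-suppliers list plus the digest recorded for each
// component when it was last reviewed. Hypothetical structure, not a standard.
type Policy struct {
	ApprovedSuppliers map[string]bool
	ReviewedDigests   map[string]string // "name@version" -> hex SHA-256
}

// Audit returns one finding per policy violation, sorted for stable output.
func (p Policy) Audit(inv []Component) []string {
	var findings []string
	seen := map[string]bool{}
	for _, c := range inv {
		key := c.Name + "@" + c.Version
		if seen[key] {
			findings = append(findings, key+": duplicate inventory entry")
			continue
		}
		seen[key] = true
		if !p.ApprovedSuppliers[c.Supplier] {
			findings = append(findings, fmt.Sprintf("%s: supplier %q is not on the approved list", key, c.Supplier))
		}
		// Floating versions ("latest", "^1.2", "*") defeat pinning: a later upstream
		// compromise would be pulled in silently at the next build.
		if c.Version == "" || c.Version == "latest" || strings.ContainsAny(c.Version, "*^~") {
			findings = append(findings, key+": version is not pinned")
		}
		want, reviewed := p.ReviewedDigests[key]
		switch {
		case c.SHA256 == "":
			findings = append(findings, key+": no digest recorded, integrity cannot be verified")
		case reviewed && want != c.SHA256:
			findings = append(findings, key+": digest changed since last review (possible tampered artifact)")
		case !reviewed:
			findings = append(findings, key+": new component not yet reviewed")
		}
	}
	sort.Strings(findings)
	return findings
}

// AuditJSON parses an inventory document and audits it against the policy.
func AuditJSON(policy Policy, doc []byte) ([]string, error) {
	var inv []Component
	if err := json.Unmarshal(doc, &inv); err != nil {
		return nil, err
	}
	return policy.Audit(inv), nil
}

// HasFinding reports whether any finding starts with the given prefix.
func HasFinding(findings []string, prefix string) bool {
	for _, f := range findings {
		if strings.HasPrefix(f, prefix) {
			return true
		}
	}
	return false
}

// SampleInventory is constructed data: two clean entries and several violations.
const SampleInventory = `[
  {"name":"libfoo",    "version":"2.1.0",  "supplier":"Acme Components",   "sha256":"a1b2c3d4"},
  {"name":"netclient", "version":"1.8.3",  "supplier":"Acme Components",   "sha256":"ffffffff"},
  {"name":"quickutil", "version":"latest", "supplier":"Unknown Publisher", "sha256":""},
  {"name":"libfoo",    "version":"2.1.0",  "supplier":"Acme Components",   "sha256":"a1b2c3d4"},
  {"name":"parserlib", "version":"0.9.1",  "supplier":"Trusted Parsers",   "sha256":"deadbeef"}
]`

// SamplePolicy is constructed data matching SampleInventory.
func SamplePolicy() Policy {
	return Policy{
		ApprovedSuppliers: map[string]bool{"Acme Components": true, "Trusted Parsers": true},
		ReviewedDigests:   map[string]string{"libfoo@2.1.0": "a1b2c3d4", "netclient@1.8.3": "0badf00d"},
	}
}

func main() {
	findings, err := AuditJSON(SamplePolicy(), []byte(SampleInventory))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The digest comparison is what turns a static inventory into a detection: if a pinned version's hash changes without a corresponding review, either the supplier republished the artifact or someone tampered with it, and both cases deserve a human look before the build proceeds. Run this in CI against the inventory generated from the build so that drift is caught on every change rather than at the next annual assessment.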
Securing the Software Supply Chain
Securing the software supply chain is something no organization that relies on third-party suppliers can overlook.
While supply chain risk can't be eliminated completely, being proactive, verifying what suppliers deliver rather than trusting it by default, and working only with certified providers that have a track record of investing in cybersecurity can go a long way toward limiting exposure to threat actors.