A supply-chain attack happens when the hacker targets a weaker, less secure third-party supplier, in order to reach the intended, more secure target.
Usually, this takes the form of a supply-chain where multiple companies work together in a network and have partial access to each other’s systems.
Supply-chain attacks have two attack vectors:
Software supply-chain attacks are much more common nowadays due to the sheer size of the software industry. Moreover, many apps and online services are not made from scratch.
They contain a lot of third-party components, codes, APIs, and so on. This is what the hackers use to gain access to the company’s system.
Let me use a famous data breach to exemplify how supply-chain attacks work – the Target attack in 2013:
This is a classic case of supply-chain attack. The intended victim was Target but the hackers didn’t attack it head-on.
Instead, they went for the unexpected. They attacked a less secure third-party supplier of Target, stole its passcode credentials, and entered Target’s system.
They then installed a malware which spread into almost 2,000 of Target’s nationwide stores, stealing over 40 million credit and debit card numbers.
The reason why this attack was so effective is because it was unexpected. Any company expects to be attacked head-on by hackers, and that’s why they invest so much into robust cybersecurity systems.
But hackers got smart and realized they’d have more success by going after the weakest link in the network – the HVAC supplier in this case.
So, here are the basics of supply-chain attacks:
Five simple steps to hack a company.
This formula seems so simple and yet it is so difficult to counter. That’s mainly because it’s hard to ensure that all your suppliers employ airtight cybersecurity systems.
Cybersecurity is almost always a weakest-link dilemma. A company’s cybersecurity system is as strong as its weakest link.
Even the most robust security solutions fail miserably when the hackers use a moment of inattention from a company employee to steal access credentials, bypassing the security system entirely.
I have four infamous supply-chain attacks to tell you about, some of which happened recently. Take a look:
The SolarWinds attack emphasizes two core factors behind supply-chain attacks:
In this case, the attack came from an unexpected source (SolarWinds software supplier) but came in a package everyone expected and trusted (software updates).
None of the government officials had any doubt that what they were installing that day was just another software update. They’d done this a thousand times before. It wasn’t going to be any different this time.
But it was.
Through the backdoor into SolarWinds, the hackers spied on all the organizations who had installed the update, accessed their data, performed data breaches, and more.
Back in July 2021, the Revil ransomware gang, a known pro-Russian hacker group, hacked Kaseya, a cloud-based managed security services provider.
The company offers client monitoring and patch management for their clients and is also operating on the Cloud.
This was a global-scale supply-chain attack that used a zero-day vulnerability on the Kaseya VSA servers. The company had already known about the vulnerability and were in the process of patching it.
However, REvil managed to exploit the vulnerability before the patch came out, and infected the whole system. They demanded ransoms ranging from $45,000 to $5,000,000.
The hackers distributed an encryption file on the Cloud to all of Kaseya’s customers. They also disabled Microsoft Defender mechanisms where necessary and avoided detection from antiviruses by using an older version of Microsoft’s antivirus.
By utilizing these attack pathways, REvil was able to expand the distribution radius of its ransomware multiple-fold.
In short, CodeCov is a software testing organization. They provide code-coverage tools to their customers.
In January 2021, they suffered a data breach where hackers modified their Bash uploader script to redirect customer data and other sensitive information to a private server that they owned.
This attack used the supply-chain formula because the modified script was spread to individual customers of CodeCov as they downloaded it.
The larger attack radius was made possible through the fact that CodeCov acted as a software supplier to its clients.
NotPetya is one of the most infamous cyberattacks in history. It was attributed to Russia by Ukraine, the US, the UK, Canada, and Australia. It was effectively an act of cyber-war.
The malware became well-known after it attacked Mondelez, a multinational food company based out of Chicago. After it infected their systems, the malware disrupted the email systems, file access, and logistics for several weeks.
Mondelez filed an insurance claim for $100 million with their insurer, Zurich. However, the latter refused to pay the insurance citing the fact that NotPetya was a warlike action and thus did not fall under the insurance.
This became the headline of every news station in the world back then. Mondelez took the matter to court and the trial still hasn’t concluded.
While it’s unclear how the malware spread, it’s believed that it was a supply-chain attack.
Supply-chain attacks are not impossible to counter. There are verified methods that mitigate them partially or completely:
A Zero Trust Architecture relies on the “never trust, always verify” core principle. It assumes that any outward traffic might be malicious, no matter the source.
Therefore, any connection request that wants to access IP (intellectual property) or sensitive data needs to go through a strict verification process.
Only after it passes the verification is the request honored and it gains access to the company’s assets.
Usually, a good ZTA:
This type of security mitigates lateral movement through the company’s network. So, even if an attacker gains initial access, ZTA ensures that it cannot spread to other systems in the network.
Every system requires its own authorization and validation, including from agents inside the network.
Honeytokens are essentially bait for hackers. They appear as valuable data and will send a network-wide alarm when hackers interact with them.
Their sole purpose is to act as decoys and warn the network administrator that there’s a data breach ongoing.
They’ve proven extremely effective at combating supply-chain attacks and not only. Through honeytokens, a company can learn:
So, when used correctly (and if the hacker is oblivious enough), honeytokens can prove instrumental in stopping data breaches and capturing the criminal red-handed.
Any online business should assume that they will suffer a data breach. It’s not a matter of “if” but a matter of “when”.
This simple change in mentality means that you will implement more proactive security measures instead of relying on defense all the time.
This could mean assessing all possible points of entry into your company’s network, develop mitigation strategies for all vulnerable vectors, and cultivating awareness.
Here’s what you can do proactively:
Proactivity instead of passivity is the key to a robust solution against supply-chain attacks.
As I keep saying, your security system is as strong as your weakest link. And often, those weak links are your third-party collaborators.
If they’re small-scale companies, their cybersecurity systems may not be as advanced. Employee cybercrime awareness may be non-existent or limited, or they may have vulnerabilities in their systems.
It’s your job to monitor network vulnerabilities and see whether your vendors might contribute to a data leak through unsecure access channels.
To mitigate this, you should implement a Third-Party Risk Management strategy:
Prevention trumps everything when it comes to cyber-threats. You can’t possibly predict when an attack will occur and what infiltration method it’ll be using. What you can do is prepare as best as you can.
Another easy way of protecting your databases and systems is to segment your network into smaller networks.
Remember, a supply-chain attack works by infiltrating a network and spreading across multiple end-points and software.
By segmenting the network, you effectively limit the spread radius of a malware after the initial access.
There’s also a well-defined method of segmenting your network – you identify your business functions (product development, supply, marketing, social media, etc.) and use that as a basis.
So, you’ll have the overall network split into:
Once a supply-chain attack occurs, it won’t affect your entire network but a part of it, depending on where the initial access took place.
If only your supply network segment was affected, then you can channel all cybersecurity efforts to that part of the network.
Both attack prevention and mitigation become more effective once network segmentation is achieved.
In the best of cases, it can even render supply-chain attacks harmless because it localizes them.
Supply-chain attacks are incredibly versatile in their attack patterns. They almost always come from the most unexpected sources, and when you notice the data breach, it’s already too late.
But there are ways to fight against it:
Implementing these measures should protect you against the vast majority of supply-chain attacks.
But always assume the worst. It’s only a question of “when”, not “if” you’ll go through a data breach. Cybercriminals are always evolving, the infiltration methods get more insidious, and it’s harder to catch them.
Having an incident response plan ready for when the next infiltration occurs is still the best proactive move you can have!
RedRiver – Warnings (& Lessons) of the 2013 Target Data Breach
Checkpoint – SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected?
Checkpoint – “Kaseya Attack”: Over 1,000 Organizations Globally Attacked on Fourth of July Weekend, Biggest Supply Chain Attack Since Sunburst
GitGuardian – Codecov Supply Chain Breach – Explained Step by Step
Brookings – How the NotPetya Attack Is Reshaping Cyber Insurance
ColorTokens – 10 Reasons Why Enterprises Need Zero Trust Security
CrowdStrike – What Are Honeytokens?
UpGuard – What Is an Information Security Policy?
UpGuard – What Is the Principle of Least Privilege?
HealthITSecurity – Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks
BlueVoyant – Third-Party Risk Management (TPRM): A Complete Guide
PaloAltoNetworks – What Is Network Segmentation?