Here’s an astonishing statistic for you: “97% of companies have been negatively impacted by a cybersecurity breach that occurred in their supply chain.”
Cybersecurity firm BlueVoyant commissioned a survey of 1,200 executives of large companies from North America, Europe, and Asia. The results were released in October 2021. Nearly every company surveyed has been negatively impacted by a supply chain breach; 93% said they directly suffered from a cybersecurity breach due to one of their suppliers’ security weaknesses.
Supply chain attacks are particularly pernicious, since a single exploited supplier can result in attacks on hundreds of companies or organizations.
For many companies the supply chain is the weak link in their security posture. You can do all the right things to protect yourself, including adopting a Zero Trust approach to your network security, but if you don’t make sure your vendors are equally conscientious you remain exposed to harm from a supply chain attack.
Types of Supply Chain Attacks
ENISA, the European Union Agency for Cybersecurity, monitors supply chain attacks. They have developed a taxonomy of supply chain attacks to allow for systematic analysis. The taxonomy is based on four fundamental elements of a supply chain attack:
- Attack technique used to compromise the supplier
- Supplier assets targeted
- Attack technique used to compromise the customer
- Customer assets targeted
What is particularly interesting about this taxonomy is where it begins. Most of the attention, and certainly most news coverage, goes to the downstream end: how the victims were attacked, which ones, and how many. There is far less discussion of the starting point, the successful attack on the supplier that sets the whole chain in motion.
Suppliers are compromised with the same techniques used in direct attacks: malware, brute force attacks, social engineering, exploitation of software vulnerabilities, and so on. The ultimate objectives are the same as in a direct attack as well: ransom, extortion, theft of personal data or trade secrets, espionage.
Examples of Supply Chain Attacks
The recent SolarWinds and Accellion attacks are two of the highest-profile supply chain attacks.
The 2020 SolarWinds attack was conducted by hackers believed to be working on behalf of the Russian government. Three routes into the SolarWinds network have been proposed: exploitation of a zero-day vulnerability in a third-party application or device, a brute force attack on credentials, or social engineering. Despite extensive investigation of this attack, the precise initial access mechanism has not been determined.
Once in, the attackers lurked for an extended period of time, collecting information, before injecting malicious code into the SolarWinds Orion IT monitoring platform during the build process. Because the tampering happened inside the build pipeline, the resulting software carried SolarWinds’ own code signature. The compromised software was then delivered to customers as a routine software update, where it was used to gather (i.e., steal) information.
One of the victims was FireEye, a cybersecurity firm with US government contracts. The attackers specifically targeted FireEye in order to gather information on government targets. It’s important to note the long view the attackers took: the initial attack on SolarWinds was designed to gather information on organizations that were at least two steps downstream.
Victims of the SolarWinds attack included the US departments of Defense, Energy, Homeland Security, Treasury, State, Commerce, and Health and Human Services. The attack also compromised major technology companies including Microsoft, Intel, and Cisco. SolarWinds estimated that as many as 18,000 customers may have installed the trojanized update, although a far smaller number were actually singled out for follow-on activity on their systems.
According to a warning from Microsoft, Nobelium, the state-sponsored group behind the SolarWinds attack, is now launching attacks on resellers and other service providers of cloud services. The attackers are trying to abuse the delegated administrative access that resellers hold into their customers’ environments, as well as impersonating the resellers to gain the trust of the end targets. Since May 2021 Microsoft has informed over 140 service providers and resellers that they’ve been targeted by Nobelium.
The Accellion breach started as a set of vulnerabilities in a file transfer appliance and became a global breach of sensitive personal and corporate information.
Accellion is a secure file sharing and transfer vendor. In late 2020 and early 2021 four different zero-day vulnerabilities were discovered in the company’s legacy File Transfer Appliance (FTA); they included SQL injection and OS command execution flaws that could be chained from the appliance’s web interface. Attackers used those vulnerabilities to install a web shell backdoor on customers’ FTA instances, which allowed them to steal the data passing through the appliances.
The FTA is used to transfer large files. Many of the files going through the FTA are sensitive and/or valuable, so the attackers didn’t have to spend much effort hunting for valuable data: it was right there going through the appliance.
Healthcare organizations, including the US Department of Health and Human Services, are thought to have been the most impacted by this supply chain attack, although many other organizations were also hit, including the Australian Securities and Investments Commission, Bombardier, Stanford University, Royal Dutch Shell, and the Jones Day law firm.
The hackers made off with sensitive personal information, including social security numbers, financial information, health information, and credit card information.
Protecting Against Supply Chain Attacks
Supply chain attacks are notoriously difficult for end-victims to defend against since they originate with a presumably trusted vendor.
Since almost all organizations depend on vendors whose software, appliances, or services connect into their environment, it’s important to perform cybersecurity due diligence on vendors, and to monitor them to be sure they continue to follow good cybersecurity procedures. Accellion and SolarWinds are both being sued for negligence around their security practices.
This presents an organizational challenge. IT staff is often hard-pressed to manage internal requirements, much less finding time to check up on external providers. In addition, IT is seldom involved in vetting and approving vendors.
To reduce supply chain risk, best practices for customers call for identifying critical vendors and verifying their security practices. “Critical vendors” are those that either provide critical services to the corporation, or who have access to sensitive corporate information.
All critical vendors should be subject to a cybersecurity review as part of the company’s vendor management program. Since site visits may not be practical, you can look for independent audits that have been conducted to verify the vendor complies with cybersecurity best practices, including adoption of Zero Trust capabilities.
Particular attention should be paid to how vendors defend their endpoints against web-based malware and phishing, since these delivery channels are involved in the vast majority of attacks. For instance, remote browser isolation might have stopped the SolarWinds attack before it began, if the original breach was carried out through social engineering. Likewise, least-privilege access and microsegmentation would not have prevented a brute force attack on a single account, but they could have kept an attacker who obtained one set of credentials from moving laterally to the build environment where the Orion platform was compromised.
Finally, adopting a Zero Trust approach, which operates on the assumption that breaches will occur, may help limit damage to your own network and data in the event that one of your vendors is compromised. For example, implementing least privilege access and microsegmentation can minimize damage that occurs in the event of a breach by restricting what the vendor can access.
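To make the least-privilege point concrete, here is an added example (not code from the original article or from any vendor it mentions) that models two network policies for a third-party monitoring host: a flat any-to-any rule set, which is how vendor appliances are often deployed, and a default-deny microsegmented rule set. It then computes the blast radius an attacker would have if that vendor host were compromised. Segment names, ports, and rules are constructed assumptions for the illustration; only ports that typically give remote code execution are treated as pivot points.

```python
"""Flat vs. microsegmented policy for a vendor-operated monitoring host.

Added illustration, not from the original article. Segments, ports and
rules below are constructed for the example; a real deployment would derive
them from firewall, VLAN or SDN configuration.
"""
from collections import deque

# Constructed network segments (assumption: one segment per asset class).
SEGMENTS = {"vendor-monitoring", "servers", "file-servers",
            "domain-controllers", "workstations", "internet"}

# Ports on which reaching a host plausibly lets an attacker run code on it
# and pivot further (SSH, SMB, RDP, WinRM). "*" stands for "any port".
PIVOT_PORTS = {22, 445, 3389, 5985, "*"}

# Rule shape: (source segment, destination segment, set of allowed ports).
# The flat policy is the common "the appliance needs to see everything" setup.
FLAT_POLICY = [(src, dst, {"*"})
               for src in SEGMENTS for dst in SEGMENTS if src != dst]

# Default deny: only the traffic the vendor's function actually needs.
SEGMENTED_POLICY = [
    ("vendor-monitoring", "servers", {161, 5985}),          # SNMP + WinRM polling
    ("vendor-monitoring", "domain-controllers", {161}),     # SNMP read-only
    ("vendor-monitoring", "internet", {443}),               # vendor update channel
    ("workstations", "file-servers", {445}),
    ("workstations", "domain-controllers", {88, 389, 445}),
    ("servers", "domain-controllers", {88, 389}),
]


def allowed(policy, src, dst, port):
    """Default deny: a flow passes only if an explicit rule matches it."""
    for r_src, r_dst, ports in policy:
        if r_src == src and r_dst == dst and ("*" in ports or port in ports):
            return True
    return False


def blast_radius(policy, start):
    """Segments an attacker who owns `start` could compromise, transitively.

    Pessimistic model: any rule from the current segment that allows a
    pivot-capable port is treated as a successful lateral move.
    """
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for r_src, r_dst, ports in policy:
            if r_src == cur and r_dst not in seen and ports & PIVOT_PORTS:
                seen.add(r_dst)
                queue.append(r_dst)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9} vendor host -> file-servers SMB allowed: "
              f"{allowed(policy, 'vendor-monitoring', 'file-servers', 445)}")
        print(f"{name:9} blast radius from vendor host: "
              f"{sorted(blast_radius(policy, 'vendor-monitoring'))}")
```

Under the flat policy a compromised vendor host can reach every other segment, including the file servers and domain controllers; under the segmented policy it can still poll what it is supposed to poll, but the only segment it can pivot into is the server segment it manages over WinRM, and SMB to the file servers is denied outright. The same evaluation can be run against the real rule base each time a vendor asks for "just one more" port.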
Reference: ENISA, Threat Landscape for Supply Chain Attacks (2021)