Table of Contents
A supply chain attack is a highly effective way of breaching security by injecting malicious libraries or components into a product without the developer, manufacturer or end client realising it. It’s an effective way to steal sensitive data, gain access to highly sensitive environments, or gain remote control over specific systems.
Most at risk of a supply chain attack are third-party suppliers or vendors, such as major software developers and hardware distributors, who build and ship parts that they use to build their final products. They’re generally carried out to gain access to targets downstream of the supply chain. These cyber-threats can affect any industry, from the financial and government sectors to the oil and gas industry.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
How a Supply Chain Attack Works
Supply chain attacks focus on software vendors and hardware manufacturers. Attackers search for unsafe code, unsafe infrastructure practices, and unsafe network procedures that allow the injection of malicious components. When a build process requires several steps from development (or manufacturing) to installation, an attacker (or group of attackers) has several opportunities to inject malicious code into the final product.
Some manufacturers, vendors, and developers build products used by thousands of clients. An attacker who can breach one of these suppliers could potentially gain access to thousands of unsuspecting victims, including technology companies, governments, security contractors, and more. Instead of breaching just one targeted organisation, a supply chain attack gives an attacker the potential to obtain access to numerous large and small businesses to silently exfiltrate extensive amounts of data without their knowledge.
In a hardware supply chain attack, a manufacturer can install a malicious microchip on a circuit board used to build servers and other network components. Using this chip, the attacker can eavesdrop on data or obtain remote access to the corporate infrastructure. In a software-level supply chain attack, a malicious library developer can change code to perform malicious actions within their client’s application. An attacker could use the library for cryptojacking, stealing data, or leaving a backdoor to remotely access a corporate system.
In many of the biggest supply chain threats, email fraud is the primary vector used to launch the attack. Business email compromise (BEC) works well for attackers who do their due diligence on their target. That’s because they can email key employees (e.g., finance) to instruct them to pay an invoice or send money. The sender’s address looks like that of the CEO or owner, and it’s written in a way that sounds urgent to the recipient. In some scenarios, the attacker compromises an email account for an executive and uses it to send phishing emails to employees within the organisation.
- Physical supply chain threats: Physical supply chain threats usually require cooperation with manufacturers and vendors to inject components into circuit boards. Manufacturers follow a design plan to build components. A malicious manufacturer can add just one extra component to the circuit board to eavesdrop on data and send it to an attacker.
- Software supply chain threats: Organisations use software vendors to install their products on the network and perform functions like monitoring servers or allowing users to perform their daily tasks. Applications with unknown vulnerabilities enable a malicious threat actor to launch numerous attacks on organisation systems.
- Digital supply chain threats: To decrease development time, software developers use a common third-party library to run a function in their applications. Should a third-party library developer inject malicious code into the product, any software developer that incorporates the infected library would be vulnerable.
- Business email compromise: An attacker who compromises a company email address can use it to piggyback on conversations and trick recipients into providing sensitive data or sending money to an attacker-controlled account.
- Data breaches and disclosure: In many supply chain attacks, especially hardware-based attacks, the malicious code eavesdrops on data and sends it to an attacker-controlled server. Attackers can breach data that passes through a system infected with malicious code, including potentially high-privileged account credentials for future compromises.
- Malware installation: Malicious code running within an application could be used to download malware and install it on the corporate network. Attackers could install ransomware, rootkits, keyloggers, viruses, and other malware using injected supply chain attack code.
- Monetary loss: A targeted organisation could lose millions if an employee is tricked into sending money to a bank account or paying fraudulent invoices.
- Operational disruptions: Successfully executed supply chain attacks can severely disrupt an organisation’s operations, leading to costly downtime, delays, and crippled productivity.
- Reputational damage: When supply chain attacks affect the quality and reliability of an organisation’s products or services, the outcome can severely damage its reputation, resulting in lost customer or vendor trust and loyalty.
It’s important for organisations to be aware of these sources of supply chain attacks and take steps to mitigate the risk. This can include implementing security measures such as multi-factor authentication, encryption, regular security audits, and vetting and monitoring third-party vendors and suppliers.
- General Vendors: Vendors that depend on third-party components are susceptible to supply chain attacks. In general attacks, threat actors don’t discriminate and target any available entity.
- Large Organisations and Government Agencies: Big organisations and government entities are often the focus of sophisticated attacks. A successful breach here can have catastrophic consequences, including potential loss of life.
- Security Vendors: Regarded as data custodians, these vendors are prime targets. If infiltrated, vast amounts of sensitive data, from financial records to personally identifiable information (PII), can be exposed.
- Managed Service Providers (MSPs): Overseeing organisational infrastructure makes MSPs especially attractive to attackers. Breaching an MSP can potentially grant access to the systems of multiple clients.
- Open-Source Projects: While open-source offers a platform for collaborative coding, it’s not without risks. All contributions require meticulous security checks to guard against exploitable flaws.
- Organisations with Public Employee Hierarchies: Threat actors exploit these organisations through fraud and impersonation schemes. Publicly available hierarchy information aids attackers in crafting phishing and social engineering tactics.
Several real-world attacks have already been launched against the supply chain but aren’t widely known to the general public because they supply developers and operations. These examples primarily impact corporate administrators who must contain, eradicate, and remediate the vulnerabilities left by vendors affected by supply chain attacks.
A few real-world examples that affected large corporations include:
- MOVEit: This 2023 supply chain attack exploited an SQL injection vulnerability in MOVEit’s software, a managed file transfer platform. The attack affected over 130 organisations worldwide, including British Airways, the BBC, Zellis, and the Minnesota Department of Education.
- 3CX: In early 2023, this cyber attack targeted the 3CX software, a voice and video conferencing app. The attack, carried out by the North Korean hacking group UNC4736, affected at least 130 organisations worldwide, including several critical infrastructure organisations in the United States and Europe.
- SolarWinds: In 2020, attackers injected a backdoor into SolarWinds’ update distribution process, leaving corporate and government production servers open to remote access. Numerous organisations fell victim to data breaches and security incidents.
- Kaseya: The REvil ransomware infected MSP software that managed thousands of customer environments, allowing attackers to demand $70 million from MSP customers.
- Codecov: Attackers infected the Codecov Bash uploader to automatically send reports to customers. With malicious code injected into its scripts, attackers eavesdropped and stole customer data from Codecov servers.
- NotPetya: NotPetya was fake ransomware used to trick users into paying a fee, but no private key was ever delivered, leaving victims with data and monetary loss. The attack started when malicious code infected a Ukrainian update application.
- Atlassian: In 2020, security researchers found that Atlassian apps were vulnerable due to an exploit against their Single Sign-On (SSO) procedure. Using SSO tokens, attackers accessed applications and performed actions related to the user account.
- British Airways: British Airways suffered a data breach after the Magecart supply chain attack compromised their transaction system and disclosed sensitive information.
- Community housing non-profit: Attackers spoofed a vendor domain to trick non-profit employees into divulging sensitive data so that attackers could steal £1 million in rent money.
Best Practices to Protect Against Supply Chain Attacks
Because supply chain attacks target developers and manufacturers outside of your organisation’s control, they are difficult to stop. You should always review any code or hardware before installing it on your infrastructure. Security professionals can perform a penetration test on these components to ensure they don’t have any maliciously injected system vulnerabilities or exploitable ones accidentally introduced.
Although supply chain attacks are outside your control, you can still employ the following strategies to avoid becoming a victim:
- Set up a honeypot: A honeypot of fake data that looks like sensitive, valuable information acts like tripwires to alert administrators that the system could be under attack or compromised. Honeypots should work and look like regular systems and data and should have monitoring in place to allow administrators to identify how an attacker could breach the environment.
- Limit privileged accounts: Lateral moves across a network are common in supply chain attacks that compromise high-privileged accounts. Limiting access to only a few accounts and ensuring accounts can only access data necessary to perform a function also limits risk.
- Staff training: Training staff to embrace the importance of cybersecurity and how to detect and defend against insider threats reduces risk. Security awareness training ensures that individuals understand and follow certain practices to help optimise an organisation’s security.
- Implement an Identity Access Management (IAM) system: An IAM provides a centralised dashboard for administrators to control data access and create and disable accounts across the entire enterprise. The advantage is that administrators can better manage network permissions in one location and identify potential privilege mismanagement.
- Work with zero trust architecture (ZTA): Instead of trusting authenticated users, a zero trust environment assumes that all applications and users could be attackers and require reauthorisation and authentication for every data access request.
- Identify vulnerable resources: In a risk assessment, a professional audits all resources on the network and identifies the most vulnerable ones with the most risk. Administrators can then prioritise cybersecurity controls on the riskiest infrastructure and protect any resources attackers could target.
- Minimise access to sensitive data: For sensitive data, including intellectual property and files containing trade secrets, organisations must limit access to only high-privilege users and monitor successful and unsuccessful access requests to identify any compromises.
- Monitor vendor access and resources: Third-party vendors pose the most significant risk in supply chain attacks. Many vendors don’t realise they are a target and pose a risk to their clients, so any access or implementation of third-party vendor resources should be reviewed for vulnerabilities.
- Apply strict shadow IT rules: Shadow IT resources are any devices unauthorised to access the network environment. This issue poses a risk when the organisation also offers a bring-your-own-device (BYOD) policy, allowing users to connect with their own desktop or mobile devices. These devices should be heavily monitored and have antivirus software installed.
- Be aware of insider threats: Human error is a primary attack vector for phishing and social engineering threats. Your risk assessment and review should also identify potential insider threats and human errors that could result in a severe data breach or compromised system.
- Use email cybersecurity to block spoofed senders: Your email servers should stop spoofed senders from reaching a recipient’s inbox and use artificial intelligence to stop spoofed domains and known attack sites.
- Train employees to detect malicious messages: Employee training is key to reducing the risk of human error. Simulated phishing attacks empower employees to identify phishing attacks and social engineering.
- Put policies in place for invoice payments: To avoid paying fraudulent invoices, put payment policies in place to validate invoices and get authorisation before sending money to any bank account.
Supply Chain Risk Assessment
To understand how your organisation could be vulnerable to a supply chain attack, you must first conduct due diligence and perform an internal risk assessment. After the SolarWinds supply chain attack, many organisations realised the importance of risk assessments to protect the internal environment from these third-party threats.
A supply chain risk assessment involves a systematic process by which an organisation identifies, assesses, and mitigates the risks associated with its supply chain. This involves identifying and documenting supply chain channels, including suppliers, plants, warehouses, logistics, and other relevant components, and evaluating the likelihood and potential impact of each identified risk.
During a risk assessment, professionals not only identify risks but also help the organisation design and manage them. Risk mitigation requires proper cybersecurity controls and a zero-trust environment to stop threats properly. In many cases, the organisation must redesign its authorisation controls and user privileges to reduce risk.
How Proofpoint Can Help
Proofpoint staff are experts in supply chain attacks and how threats pose a risk to your data privacy, compliance, and cybersecurity defences. We offer extensive services that protect a primary attack vector – email. We protect the supply chain for several industries, including healthcare, financial services, education, manufacturing, and more.