What Is a Supply Chain Attack?

A supply chain attack is a highly effective way of breaching security by injecting malicious libraries or components into a product without the developer, manufacturer or end client realizing it. It’s an effective way to steal sensitive data, gain access to highly sensitive environments, or gain remote control over specific systems.

Most at risk of a supply chain attack are third-party suppliers or vendors, such as major software developers and hardware distributors, who build and ship parts that they use to build their final products. They’re generally carried out to gain access to targets downstream of the supply chain. These cyber threats can affect any industry, from the financial and government sectors to the oil and gas industry.

Supply chain attacks in technology focus on software vendors and hardware manufacturers. Attackers search for unsafe code, unsafe infrastructure practices and unsafe network procedures that allow the injection of malicious components. When a build process requires several steps from development (or manufacturing) to installation, an attacker (or group of attackers) has several opportunities to inject malicious code into the final product.

Some manufacturers, vendors and developers build products used by thousands of clients. An attacker who can breach one of these suppliers could potentially gain access to thousands of unsuspecting victims, including technology companies, governments, security contractors and more. Instead of breaching just one targeted organization, a supply chain attack gives an attacker the potential to obtain access to numerous large and small businesses to silently exfiltrate extensive amounts of data without their knowledge.

In a hardware supply chain attack, a manufacturer can install a malicious microchip on a circuit board used to build servers and other network components. Using this chip, the attacker can eavesdrop on data or obtain remote access to the corporate infrastructure. In a software-level supply chain attack, a malicious library developer can change code to perform malicious actions within their client’s application. An attacker could use the library for cryptojacking, stealing data, or leaving a backdoor to remotely access a corporate system.

In many of the biggest supply chain threats, email fraud is the primary vector used to launch the attack. Business email compromise (BEC) works well for attackers who do their due diligence on their target. That’s because they can email key employees (e.g., finance) to instruct them to pay an invoice or send money. The sender’s address looks like that of the CEO or owner, and it’s written in a way that sounds urgent to the recipient. In some scenarios, the attacker compromises an email account for an executive and uses it to send phishing emails to employees within the organization.

• Physical supply chain threats: Physical supply chain threats usually require cooperation with manufacturers and vendors to inject components into circuit boards. Manufacturers follow a design plan to build components. A malicious manufacturer can add just one extra component to the circuit board to eavesdrop on data and send it to an attacker.
• Software supply chain threats: Organizations use software vendors to install their products on the network and perform functions like monitoring servers or allowing users to perform their daily tasks. Applications with unknown vulnerabilities enable a malicious threat actor to launch numerous attacks on organization systems.

• Digital supply chain threats: To decrease development time, software developers use a common third-party library to run a function in their applications. Should a third-party library developer inject malicious code into the product, any software developer that incorporates the infected library would be vulnerable.
• Business email compromise: An attacker who compromises a company email address can use it to piggyback on conversations and trick recipients into providing sensitive data or sending money to an attacker-controlled account.

• Data breaches and disclosure: In many supply chain attacks, especially hardware-based attacks, the malicious code eavesdrops on data and sends it to an attacker-controlled server. Attackers can breach data that passes through a system infected with malicious code, including potentially high-privileged account credentials for future compromises.
• Malware installation: Malicious code running within an application could be used to download malware and install it on the corporate network. Attackers could install ransomware, rootkits, keyloggers, viruses and other malware using injected supply chain attack code.

• Monetary loss: A targeted organization could lose millions if an employee is tricked into sending money to a bank account or paying fraudulent invoices.
• Operational disruptions: Successfully executed supply chain attacks can severely disrupt an organization’s operations, leading to costly downtime, delays, and crippled productivity.
• Reputational damage: When supply chain attacks affect the quality and reliability of an organization’s products or services, the outcome can severely damage its reputation, resulting in lost customer or vendor trust and loyalty.

It’s important for organizations to be aware of these sources of supply chain attacks and take steps to mitigate the risk. This can include implementing security measures such as multi-factor authentication, encryption, regular security audits, and vetting and monitoring third-party vendors and suppliers.

• General Vendors: Vendors that depend on third-party components are susceptible to supply chain attacks. In general attacks, threat actors don’t discriminate and target any available entity.
• Large Organizations and Government Agencies: Big organizations and government entities are often the focus of sophisticated attacks. A successful breach here can have catastrophic consequences, including potential loss of life.
• Security Vendors: Regarded as data custodians, these vendors are prime targets. If infiltrated, vast amounts of sensitive data, from financial records to personally identifiable information (PII), can be exposed.

• Managed Service Providers (MSPs): Overseeing organizational infrastructure makes MSPs especially attractive to attackers. Breaching an MSP can potentially grant access to the systems of multiple clients.
• Open-Source Projects: While open-source offers a platform for collaborative coding, it’s not without risks. All contributions require meticulous security checks to guard against exploitable flaws.
• Organizations with Public Employee Hierarchies: Threat actors exploit these organizations through fraud and impersonation schemes. Publicly available hierarchy information aids attackers in crafting phishing and social engineering tactics.

Several real-world attacks have already been launched against the supply chain but aren’t widely known to the general public because they supply developers and operations. These examples primarily impact corporate administrators who must contain, eradicate and remediate the vulnerabilities left by vendors affected by supply chain attacks.

A few real-world examples that affected large corporations include:

• MOVEit: This 2023 supply chain attack exploited an SQL injection vulnerability in MOVEit’s software, a managed file transfer platform. The attack affected over 130 organizations worldwide, including British Airways, the BBC, Zellis, and the Minnesota Department of Education.
• 3CX: In early 2023, this cyber attack targeted the 3CX software, a voice and video conferencing app. The attack, carried out by the North Korean hacking group UNC4736, affected at least 130 organizations worldwide, including several critical infrastructure organizations in the United States and Europe.
• SolarWinds: In 2020, attackers injected a backdoor into SolarWinds’ update distribution process, leaving corporate and government production servers open to remote access. Numerous organizations fell victim to data breaches and security incidents.
• Kaseya: The REvil ransomware infected MSP software that managed thousands of customer environments, allowing attackers to demand $70 million from MSP customers.
• Codecov: Attackers infected the Codecov Bash uploader to automatically send reports to customers. With malicious code injected into its scripts, attackers eavesdropped and stole customer data from Codecov servers.
• NotPetya: NotPetya was fake ransomware used to trick users into paying a fee, but no private key was ever delivered, leaving victims with data and monetary loss. The attack started when malicious code infected a Ukrainian update application.
• Atlassian: In 2020, security researchers found that Atlassian apps were vulnerable due to an exploit against their Single Sign-On (SSO) procedure. Using SSO tokens, attackers accessed applications and performed actions related to the user account.
• British Airways: British Airways suffered a data breach after the Magecart supply chain attack compromised their transaction system and disclosed sensitive information.
• Community housing non-profit: Attackers spoofed a vendor domain to trick non-profit employees into divulging sensitive data so that attackers could steal £1 million in rent money.

Because supply chain attacks target developers and manufacturers outside of your organization’s control, they are difficult to stop. You should always review any code or hardware before installing it on your infrastructure. Security professionals can perform a penetration test on these components to ensure they don’t have any maliciously injected system vulnerabilities or exploitable ones accidentally introduced.

Although supply chain attacks are outside your control, you can still employ the following strategies to avoid becoming a victim:

• Set up a honeypot: A honeypot of fake data that looks like sensitive, valuable information acts like tripwires to alert administrators that the system could be under attack or compromised. Honeypots should work and look like regular systems and data and should have monitoring in place to allow administrators to identify how an attacker could breach the environment.
• Limit privileged accounts: Lateral moves across a network are common in supply chain attacks that compromise high-privileged accounts. Limiting access to only a few accounts and ensuring accounts can only access data necessary to perform a function also limits risk.
• Staff training: Training staff to embrace the importance of cybersecurity and how to detect and defend against insider threats reduces risk. Security awareness training ensures that individuals understand and follow certain practices to help optimize an organization’s security.
• Implement an Identity Access Management (IAM) system: An IAM provides a centralized dashboard for administrators to control data access and create and disable accounts across the entire enterprise. The advantage is that administrators can better manage network permissions in one location and identify potential privilege mismanagement.
• Work with zero trust architecture (ZTA): Instead of trusting authenticated users, a zero trust environment assumes that all applications and users could be attackers and require reauthorization and authentication for every data access request.
• Identify vulnerable resources: In a risk assessment, a professional audits all resources on the network and identifies the most vulnerable ones with the most risk. Administrators can then prioritize cybersecurity controls on the riskiest infrastructure and protect any resources attackers could target.
• Minimize access to sensitive data: For sensitive data, including intellectual property and files containing trade secrets, organizations must limit access to only high-privilege users and monitor successful and unsuccessful access requests to identify any compromises.
• Monitor vendor access and resources: Third-party vendors pose the most significant risk in supply chain attacks. Many vendors don’t realize they are a target and pose a risk to their clients, so any access or implementation of third-party vendor resources should be reviewed for vulnerabilities.
• Apply strict shadow IT rules: Shadow IT resources are any devices unauthorized to access the network environment. This issue poses a risk when the organization also offers a bring-your-own-device (BYOD) policy, allowing users to connect with their own desktop or mobile devices. These devices should be heavily monitored and have antivirus software installed.
• Be aware of insider threats: Human error is a primary attack vector for phishing and social engineering threats. Your risk assessment and review should also identify potential insider threats and human errors that could result in a severe data breach or compromised system.
• Use email cybersecurity to block spoofed senders: Your email servers should stop spoofed senders from reaching a recipient’s inbox and use artificial intelligence to stop spoofed domains and known attack sites.
• Train employees to detect malicious messages: Employee training is key to reducing the risk of human error. Simulated phishing attacks empower employees to identify phishing attacks and social engineering.
• Put policies in place for invoice payments: To avoid paying fraudulent invoices, put payment policies in place to validate invoices and get authorization before sending money to any bank account.

To understand how your organization could be vulnerable to a supply chain attack, you must first conduct due diligence and perform an internal risk assessment. After the SolarWinds supply chain attack, many organizations realized the importance of risk assessments to protect the internal environment from these third-party threats.

A supply chain risk assessment involves a systematic process by which an organization identifies, assesses, and mitigates the risks associated with its supply chain. This involves identifying and documenting supply chain channels, including suppliers, plants, warehouses, logistics, and other relevant components, and evaluating the likelihood and potential impact of each identified risk.

During a risk assessment, professionals not only identify risks but also help the organization design and manage them. Risk mitigation requires proper cybersecurity controls and a zero-trust environment to stop threats properly. In many cases, the organization must redesign its authorization controls and user privileges to reduce risk.

Proofpoint staff are experts in supply chain attacks and how threats pose a risk to your data privacy, compliance and cybersecurity defenses. We offer extensive services that protect a primary attack vector—email. We secure the supply chain for several industries, including healthcare, financial services, education, manufacturing and more.