Businesses globally are playing catch-up with the newest trends in cyber threats. While most companies have invested in cybersecurity — albeit often at the expense of productivity and profits — cybercriminals still have plenty of avenues to exploit.
In the last few years, we’ve witnessed how missing key log messages and alerts have harmed businesses and governments around the world. Though the IT world now understands the concept of a vulnerability, the cybersecurity industry is still in its infancy and is only beginning to grasp the full, holistic meaning of that notion.
Clearly, running a network scanner or an agent-based vulnerability scanner is good, but truth be told, without a proper understanding of the vulnerability concept and of threat modeling, the workload and priority items generated by automated reports will overshadow the controls that are the real priority.
This article examines the current landscape of supply chain attacks and provides practical advice on how to protect against them. Drawing on the 20+ years of experience Intellias has in cybersecurity, we outline flexible and effective strategies to safeguard your business from advanced cyber threats.
What is a supply chain attack?
A supply chain cyberattack targets an organization by compromising the security of its suppliers, vendors, or other third parties within its operational supply chain. Instead of directly attacking the target organization’s systems, networks, or employees, an attacker infiltrates a trusted entity within the supply chain, exploiting that entity’s trust and access vis-à-vis the target. Simply put, attackers are aware that enterprises and big companies with mature supply chain cybersecurity practices are difficult targets. So, rather than breaking through the steel vault, they aim at the ventilation system.
Types of software supply chain attacks
Supply chain attacks can come in many forms. Generally, we can break them down into two types:
- A micro approach homes in on a narrow aspect of a business, such as an open-source repository.
- A macro approach targets a fundamental solution used by the business, like a file transfer system or an enterprise service.
Let’s start with the most dangerous macro attacks.
Software update attacks
Keeping software up to date is crucial for security. But what if the updates themselves are the problem? Here’s how a software update attack works: hackers gain access to the update’s code repository and compromise it. When you install the update, you allow a cybercriminal to infiltrate your system.
The most alarming aspect of this type of supply chain attack is that the malicious code can steal your confidential data or use your computer to attack other systems.
Since many of us have software programmed to update itself automatically, these attacks pose a major threat. Hackers can quickly reach numerous computers through automatic updates.
Third-party software attacks
Many companies use third-party code snippets to save time and effort. However, this approach carries risks. Hackers can target these small bits of code, deploying fake versions or manipulating the original code for malicious purposes. Detecting such malicious code during testing is challenging because attackers often design it to activate only under specific conditions.
Open-source software attacks
Open-source software attacks are similar to those targeting third-party software. Cybercriminals focus on open-source projects, which are accessible to everyone, including hackers. This makes them vulnerable to security breaches. Even small changes to the code can create vulnerabilities. Attackers can also develop fake open-source tools to trick users into downloading them instead of legitimate software.
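Both the software update attacks described above and attacks on open-source packages come down to the same thing: installing an artifact whose contents differ from what the publisher actually released. One defensive control that applies to both is to pin the expected digest of every artifact and refuse to install anything that is unpinned, missing, or mismatched. The following is an added example written for this article, not code from Intellias or from any project mentioned on this page; the manifest format, the file names, and the simulated mirror that swaps one file are all constructed assumptions.

```python
"""Added example: verify downloaded artifacts (software updates or open-source
packages) against a pinned manifest of SHA-256 digests before installing.
Illustrative code, not from Intellias or any named project; file names and
manifest layout are constructed for this example."""
import hashlib
import hmac
import io
from dataclasses import dataclass, field

CHUNK = 64 * 1024  # hash in chunks so large artifacts never sit in memory whole


def sha256_stream(fh) -> str:
    """Return the hex SHA-256 of a file-like object, read in CHUNK-sized blocks."""
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


@dataclass
class VerificationReport:
    verified: list = field(default_factory=list)   # digest matched the pin
    tampered: list = field(default_factory=list)   # pinned, but digest differs
    unpinned: list = field(default_factory=list)   # downloaded, but nobody pinned it
    missing: list = field(default_factory=list)    # pinned, but not downloaded

    @property
    def ok(self) -> bool:
        # Fail closed: any tampered, unpinned or missing artifact blocks the install.
        return not (self.tampered or self.unpinned or self.missing)


def verify_artifacts(manifest: dict, downloads: dict) -> VerificationReport:
    """Compare each downloaded artifact with its pinned digest.

    manifest:  {filename: expected sha256 hex}, obtained out of band (a signed
               release note, a lockfile with --hash entries), never from the
               same mirror as the download.
    downloads: {filename: bytes} as fetched from the update server or registry.
    """
    report = VerificationReport()
    for name, expected in manifest.items():
        data = downloads.get(name)
        if data is None:
            report.missing.append(name)
            continue
        actual = sha256_stream(io.BytesIO(data))
        # compare_digest avoids leaking how many leading characters matched.
        if hmac.compare_digest(actual, expected):
            report.verified.append(name)
        else:
            report.tampered.append(name)
    for name in downloads:
        if name not in manifest:
            report.unpinned.append(name)
    return report


def install_if_verified(manifest: dict, downloads: dict) -> bool:
    """Gate the install step on a clean report; returns whether install proceeds."""
    report = verify_artifacts(manifest, downloads)
    if not report.ok:
        print("refusing install:", report)
        return False
    print("all artifacts verified:", report.verified)
    return True


# --- constructed sample data (not real releases) ---------------------------
GOOD = {
    "agent-update-2.4.1.tar.gz": b"update payload v2.4.1 (constructed bytes)",
    "examplelib-1.0.0-py3-none-any.whl": b"open-source wheel (constructed bytes)",
}
# Built from known-good content here only so the example is self-contained;
# in practice the manifest is published separately from the artifacts.
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in GOOD.items()}


def simulated_download() -> dict:
    """A mirror that has replaced one artifact and added an unexpected file."""
    served = dict(GOOD)
    served["agent-update-2.4.1.tar.gz"] = GOOD["agent-update-2.4.1.tar.gz"] + b"+extra"
    served["helper-0.1.tar.gz"] = b"nobody pinned this (constructed bytes)"
    return served


if __name__ == "__main__":
    install_if_verified(MANIFEST, GOOD)                  # proceeds
    install_if_verified(MANIFEST, simulated_download())  # refused
```

The report separates the four outcomes because each calls for a different response: a tampered artifact is an incident, an unpinned one is a process gap in how the manifest is produced, and a missing one is usually a broken mirror. The check is only as trustworthy as the channel the manifest arrives through, so the manifest must not be fetched from the same place as the artifacts it describes.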
Managed service provider (MSP) attacks
In this type of supply chain attack, cybercriminals target the tools MSPs use to manage their clients’ IT infrastructure. If successful, attackers gain access to the MSP’s systems and potentially the systems of the customers they manage. This intrusion can lead to the theft of sensitive data such as network details and customer passwords. These incidents exploit the trusted relationship between MSPs and their customers and often bypass standard security measures, making them particularly concerning.
Development tool attacks
The malicious intent here is to incorporate vulnerabilities into the software as it is being built. Development tool attacks target the software development process by compromising developer workstations, version control systems, or continuous integration pipelines to inject malicious code. These attacks are particularly sophisticated because they target the very tools that ensure the security of the software.
Relying solely on proprietary software isn’t always feasible for businesses. Using multiple software environments increases the attack surface, making it harder to defend against vulnerabilities. This highlights the ongoing challenge of maintaining strong cybersecurity.
Supply chain attacks in 2020-2023 & forecasts for 2024-2031
The SolarWinds software supply chain attack in 2020 was one of the largest in history. In 2021, Kaseya’s 60 customers and another 1,500 businesses were impacted by the cyberattack. Apple supplier Quanta was the target of a $50 million ransomware supply chain attack. Japanese carmaker Toyota Motors was forced to halt production due to a cyberattack suffered by one of its suppliers, Kojima Industries.
Indeed, supply chain breaches can have devastating consequences on businesses through the loss of their most priceless commodity — data — and can potentially lead a business to financial ruin. According to Cybercrime Magazine, about 60% of small and midsize businesses that fall victim to a cyberattack are forced to shut down completely within six months.
Speaking of 2023, we cannot help but mention the software supply chain attack on the popular desktop software 3CX. Also in 2023, the MOVEit vulnerability led to a gigantic chain of record-breaking breaches. TechCrunch has reported that this single vulnerability cost businesses over $9.9 billion, with more than 1,000 businesses and over 60 million individuals affected.
Another 2023 cyberattack, on Bank of America’s service provider Infosys McCamish Systems, exposed the personal data of thousands of customers.
These seven supply chain incidents underline the enormity of the damage in the wake of a cyberattack, not to mention the regulatory fines and damages awarded by courts following legal action.
In 2023, more than 245,000 open-source software attacks were detected. These attacks targeted weak spots in JavaScript, Java, Python, .NET and the like. The number of attacks was almost three times higher than in 2022 and more than twice the total number of supply chain hacks from 2019 to 2022.
In April 2024, unsettling news emerged about a major business analytics software provider, Sisense, being hacked, potentially exposing the data of thousands of its high-profile clients. Additionally, the popular JavaScript tool Polyfill.io was compromised in a supply chain attack affecting more than 100,000 websites. Recent supply chain attacks on WordPress compromised its add-ons, used by up to 36,000 websites.
These cases demonstrate why hackers target intermediate stages (businesses, companies, or individuals) of the supply chain instead of major players. Hackers would be unlikely to attack Bank of America as easily as they attacked its service provider. This trend is steadily growing and points to more software supply chain attacks in the coming years.
According to Gartner, nearly half of all companies worldwide will face attacks on their software supply chains by 2025, three times more than in 2021.
Another prediction is that by 2025, the cost of supply chain attacks is expected to rise to $60 billion. Looking further ahead, we can anticipate this cost to grow to $138 billion by 2031, increasing by about 15% each year.
While we’ve been focusing on the macro level, what about the micro level?
Exploiting software vulnerabilities is a frequent cause of data breaches, ransomware, and various supply chain incidents. These attacks are particularly successful because most organizations have multiple unaddressed vulnerabilities in their systems. Log4Shell, ProxyLogon, Spring4Shell, Confluence RCE, and ICMAD SAP are just a few instances of commonly targeted vulnerabilities that are well-known to security-focused developers, IT managers, and technically oriented IT engineers. Service- and software-based vulnerabilities are generally not categorized as supply chain exploitation. However, advanced persistent threat (APT) groups and state-sponsored hacking units may hold a different perspective.
If you’ve worked in a development environment, you’re likely familiar with the Agile methodology, which calls for creating something once, testing it thoroughly, and then establishing a process to replicate it, ideally through automation. Advanced persistent threats and state-sponsored hacking groups have adopted a similar mindset when it comes to exploiting vulnerabilities. Instead of targeting individual components like a single virtual machine or an isolated employee, they look for weaknesses in enterprise services software that can grant them access to multiple entities or systems.
Much like the broader IT community, hackers stay current with the latest technological and cultural trends. They adapt and evolve their tactics to maximize their chances of success and exploit vulnerabilities in a way that can yield greater results. For instance, they might choose to attack the enterprise server itself, which could have a vulnerability that allows them to bypass login measures. This makes their efforts more efficient and potentially more impactful.
Examples of recent supply chain attacks
The sophistication of malware, the failure of some businesses to push toward cloud computing infrastructure, the growing popularity of remote work, and the surge of 5G, artificial intelligence, and the Internet of Things (IoT) on top of a deficit in cybersecurity knowledge collectively suggest that the ongoing sharp increase in the number of supply chain hacks is poised to persist or potentially escalate.
In 2023, we continued to observe a significant increase in the volume of cross-compatible polymorphic malware and ransomware. Use of the Rust and Go programming languages in the payloads of this malware (taking advantage of features like memory safety, performance, and ease of use) enhances the chances of successfully reaching the final profit-generating step. Historically, this last step has been the most challenging, as it generates the most alerts and noise. Therefore, meticulous preparation is essential, and businesses are typically well prepared for this critical phase.
Microsoft reports that threat actors have notably increased their sophistication in the past year, employing techniques that enhance their stealth. This endangers even the most experienced targets and enables malicious actors to advance from initial system access to full network control in under 45 minutes.
Only 15 years ago, we were researching Visual Basic to experiment by creating our own keyloggers. It was a grueling task, as even the learning resources were sparse. Now it would take us half the time to create the same piece of software, and it would be able to run across multiple operating systems, devices, and hardware configurations.
Mounting cross-platform supply chain cyber threats is much easier today than 15 years ago, when even basic malware took time and effort to develop. Hacking tools and information are readily available, allowing bad actors to carry out more advanced and far-reaching attacks.
Let’s examine some notable examples of supply chain attacks in 2024 and recent years.
Kaseya
Kaseya’s VSA product, which helps IT teams manage computers and networks, was attacked by hackers in July 2021. About 60 customers who ran this software on their own computers (on-premises, not through the Internet) were directly affected.
Since many of these customers provided IT services to other businesses, the supply chain cyberattack spread further. In total, about 1,500 businesses were impacted. The hackers used ransomware to lock up computer files and demanded $70 million to provide a key to unlock all the affected computers.
Apple and Quanta
Apple faced a cybersecurity scare when one of its suppliers, Quanta, was hit by a ransomware attack. A Russian hacker group, REvil, broke into Quanta’s servers and stole sensitive information about Apple’s product designs.
The hackers demanded $50 million to keep the stolen data private. When Quanta refused, REvil started leaking details about Apple’s new iMac and other unreleased products. They did it during Apple’s big product launch event to grab maximum attention.
Toyota and Kojima Industries
In 2022, Kojima Industries, a supplier of plastic parts and electronic components for Toyota, discovered malware on its system along with a threatening note in English. This cyberattack prevented Kojima from sending parts to Toyota, forcing Japan’s largest car manufacturer to shut down 14 factories and halt production of about 13,000 cars.
This incident shows that supply chains, especially those involving smaller suppliers, can be extremely vulnerable to cyberattacks.
Bank of America and Infosys McCamish Systems
In November 2023, Bank of America fell victim to a cyberattack due to a breach at its service provider, Infosys McCamish Systems (IMS). Shockingly, Bank of America was unaware of the incident for 21 days, until IMS finally notified it.
During this time, cybercriminals gained unauthorized access to highly sensitive data of Bank of America customers, including names, addresses, email addresses, dates of birth, social security numbers, and other account details.
Around 57,000 Bank of America customers had their information exposed. While significant, it’s only a small part of the bank’s total customers.
Sisense
In early 2024, Sisense, a provider of business analytics software, experienced a cybersecurity breach. This incident raised alarm because Sisense serves many high-profile clients across industries.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert urging Sisense customers to reset their credentials and watch for any suspicious activity in their systems.
This breach could have a big impact, as Sisense serves over 2,000 clients worldwide, including major corporations such as Verizon and Air Canada.
Polyfill.io
In February 2024, cyber attackers targeted websites using Polyfill.io, a tool for improving website performance on older browsers. The attack involved injecting malicious code into these websites, redirecting visitors to inappropriate sites.
The malware was cleverly designed to be compatible with specific mobile devices. What’s more, admins had no way to detect it. Experts warned it could cause further damage, like unauthorized data access. Companies like Cloudflare now offer secure alternatives to help website owners transition away from Polyfill.io.
WordPress
In June 2024, WordPress fell victim to a supply chain attack. Hackers inserted malicious code into five WordPress add-ons, potentially affecting 36,000 websites. When website owners installed these add-ons, cybercriminals created accounts that gave them full control over the websites.
The attack has been active since June 21. Website owners using WordPress add-ons should check if they need to remove them immediately and inspect their sites for suspicious changes.
Software supply chain attacks can have serious consequences, often leading to multiple issues at once, including regulatory issues and a potential drop in customer confidence. Here’s a summary of how supply chain attacks impact companies.
How supply chain attacks are impacting business
Supply chain security breaches. A supply chain attack often results in data breaches, in which sensitive and confidential information is exposed. According to Arcserve, in 2022, only 52% of organizations were able to restore their critical systems within 12 hours after a severe data loss event.
Financial losses. On top of direct financial losses, the consequences of supply chain cyberattacks include ransom payments, legal costs due to consumer litigation, and an overall reduction in production. Companies lost on average $1.5 million from cyberattacks in 2022. Furthermore, Cybersecurity Ventures warns that cybercrime could potentially create a global economic strain of $10.5 trillion each year by 2025.
Operational disruption. Compromising the supply chain through software can disrupt production, logistics, and other critical functions, leading to lost revenue and harming customer relationships. The latest cybersecurity statistics claim that 65% of organizations that experienced a ransomware attack in 2023 faced more than six days of downtime afterward.
Reputational damage. As a result of a supply chain attack, customer trust and loyalty can hang in the balance, as customers demand robust data and asset protection; otherwise, they might seek alternatives.
Depending on industry nuances, the type of data at stake, and the specific circumstances, supply chain hacking can trigger legal responsibilities, regulatory repercussions, intellectual property theft, and cybersecurity challenges. This results in additional supply chain risk assessments and complex investigations, all adding to the long-tail costs of business operations.
Defense strategies for supply chain attacks
How can you avoid these consequences? Even when major corporations get hacked, there’s hope. You can protect your company from data leaks, fines, blackmail, and damage to your reputation with these best practices:
Know your suppliers
Your supply chain management architecture includes a wide range of services, from software systems to the tools your IT team uses. Make a list of all the companies you work with. Then go through the list one by one, researching each company’s security practices and history of security issues.
Use multiple layers of security
Don’t rely on just one security measure. Use firewalls, antivirus programs, and systems that alert you to suspicious activity. If one layer fails, others can still protect you.
Limit access and educate employees
Grant employees access only to what they need. This minimizes the damage if an account is compromised. Introduce cybersecurity policies and educate employees on potential threats.
Have a backup plan
Keep backups separate from your main systems. This makes it easier to recover your data after an attack. Plan who needs to be informed and how to escalate the response.
Regularly test your systems
Run penetration tests to uncover vulnerabilities before hackers exploit them.
Use advanced tech to monitor and secure your supply chain network
Implement AI and ML to secure supply chains. These technologies can predict risks, detect anomalies in supplier behavior, and more.
These practices will set you up for a great start. For added security, consider hiring professionals like penetration testing consultants. Cybersecurity experts can offer advanced insights to spot risks you might miss. Just be sure to choose reliable providers, as with any supplier.
How Intellias can help
To effectively handle cyber threats in your supply chain management and ensure continued business success, it’s essential to focus on prevention rather than reaction. Cyber-resilient businesses can operate securely despite ongoing supply chain threats, enhancing customer trust and shareholder value. This involves conducting thorough risk assessments of supply chain partners, implementing robust security measures, monitoring for suspicious activity, and having a swift incident response plan in place. Collaboration with suppliers and partners is crucial for bolstering overall cybersecurity in the supply chain ecosystem.
At Intellias, we speak the language of the security industry. We have not only witnessed its evolution but have adapted to its dynamic nature. Our cybersecurity practice is firmly established, catering to an extensive global clientele in both the private and public sectors. We share the same goal: to not only reduce potential supply chain attack opportunities but also proactively address even the smallest security gaps within your organization’s policies. We achieve this through an end-to-end approach that includes applying the newest and most relevant tools, advanced technology, streamlined operations, legal measures, and strong policy enforcement, effectively deterring malicious activities.
Our cybersecurity consulting services cover a broad range of actions, from assessing your company’s security posture to prioritizing critical assets and implementing protective measures. We also focus on developing robust recovery plans and consistently training your staff to equip them to handle evolving threats and build up your cyber resilience.