As we near the end of the erratic 2023, one thing remains certain: businesses globally are playing catch-up with the newest trends in cyber threats. While most companies have invested in cybersecurity — albeit often at the expense of productivity and profits — cybercriminals still have plenty of avenues to exploit. In the last few years, we’ve witnessed how missing key log messages and alerting have harmed businesses and governments around the world. Though the IT world now understands the concept of a vulnerability, the cybersecurity industry is still in its infancy, just beginning to explore what that concept means when applied holistically, across suppliers, services, and processes rather than single hosts. Clearly, running a network scanner or an agent-based vulnerability scanner is good, but truth be told, without a proper understanding of the vulnerability concept and of threat modeling, the workload and priority items coming from automated reports will overshadow the controls that are the real priority.
What is a supply chain attack?
A supply chain cyberattack targets an organization by compromising the security of its suppliers, vendors, or other third parties within its operational supply chain. Instead of directly attacking the target organization’s systems, networks, or employees, an attacker infiltrates a trusted entity within the supply chain, exploiting that entity’s trust and access vis-à-vis the target. Simply put, attackers are aware that enterprises and big companies with mature supply chain cybersecurity practices are difficult targets. So, rather than breaking through the steel vault, they aim at the ventilation system.
Supply chain attacks can come in many forms. Generally, we can break them down into two types:
- A micro approach homes in on a narrow aspect of a business, such as an open-source repository.
- A macro approach targets a fundamental solution used by the business, like a file transfer system or an enterprise service.
2023 was marked by growth in supply chain attacks
In 2023, the MOVEit vulnerability led to a gigantic chain of record-breaking breaches. TechCrunch has reported that this single vulnerability cost businesses over $9.9 billion, with more than 1000 businesses and over 60 million individuals affected.
This example demonstrates why hackers opt for targeting intermediate stages (businesses, companies, or individuals) of the supply chain instead of major players. It’s a transition by adversary groups from sniper-like attacks to shotgun-style tactics, techniques, and procedures (TTPs). And this trend is steadily increasing, leading to notable software supply chain attacks.
The SolarWinds software supply chain attack in 2020 was one of the largest in history. In 2021, 60 of Kaseya’s customers and another 1,500 businesses were impacted by the cyberattack. Apple supplier Quanta was the target of a $50 million ransomware attack. Authentication services provider Okta disclosed three breaches in 2022. Japanese carmaker Toyota Motors was forced to halt production due to a cyberattack suffered by one of its suppliers, Kojima Industries Corp, and in 2023 we have already seen a software supply chain attack on the popular desktop software 3CX as well as the MOVEit incident.
The estimated total damage from these seven attacks is around US $60 billion, and this doesn’t even account for the impact of government-imposed fines and legal actions related to privacy laws on both the affected businesses and companies that rely on them.
While we’ve been focusing on the macro level, what about the micro level?
Exploiting software vulnerabilities is a frequent cause of data breaches, ransomware, and various security incidents. These attacks are particularly successful because most organizations have multiple unaddressed vulnerabilities in their systems. Log4Shell, ProxyLogon, Spring4Shell, Confluence RCE, and ICMAD SAP are just a few instances of commonly targeted vulnerabilities that are well-known to security-focused developers, IT managers, and technically oriented IT engineers. Service- and software-based vulnerabilities are generally not categorized as supply chain exploitation. However, advanced persistent threat (APT) groups and state-sponsored hacking units may hold a different perspective.
If you’ve worked in a development environment, you’re likely familiar with the Agile methodology, which calls for creating something once, testing it thoroughly, and then establishing a process to replicate it, ideally through automation. Advanced persistent threats and state-sponsored hacking groups have adopted a similar mindset when it comes to exploiting vulnerabilities. Instead of targeting individual components like a single virtual machine or an isolated employee, they look for weaknesses in enterprise services software that can grant them access to multiple entities or systems.
Much like the broader IT community, hackers stay current with the latest technological and cultural trends. They adapt and evolve their tactics to maximize their chances of success and exploit vulnerabilities in a way that can yield greater results. For instance, they might choose to attack the enterprise server itself, which could have a vulnerability that allows them to bypass login measures. This makes their efforts more efficient and potentially more impactful.
Examples of recent supply chain cyberattacks
The sophistication of malware, the failure of some businesses to push toward cloud computing infrastructure, the growing popularity of remote work, and the surge of 5G, artificial intelligence, and the Internet of Things (IoT) on top of a deficit in cybersecurity knowledge collectively suggest that the ongoing sharp increase in the number of supply chain hacks is poised to persist or potentially escalate.
In 2023, we continue observing a significant increase in the volume of cross-compatible polymorphic malware and ransomware. Use of the Rust and Go programming languages in the payloads of this malware (exploiting features like memory safety, performance, and ease of use) enhances the chances of successfully reaching the final profit-generating step. Historically, this last step has been the most challenging, as it generates the most alerts and noise. Therefore, meticulous preparation is essential, and typically businesses are well-prepared for this critical phase.
Microsoft reports that threat actors have notably increased their sophistication in the past year, employing techniques that enhance their stealth. This endangers even the most experienced targets and enables malicious actors to advance from initial system access to full network control in under 45 minutes.
Only 15 years ago, we were researching Visual Basic to experiment by creating our own keyloggers. It was a grueling task, as even the learning resources were sparse. Now it would take us half the time to create the same piece of software, and it would be able to run across multiple operating systems, devices, and hardware configurations.
Cybersecurity breaches can have devastating consequences on businesses through the loss of their most priceless commodity — data — and can potentially lead a business to financial ruin. According to Cybercrime Magazine, about 60% of small and midsize businesses that fall victim to a cyberattack are forced to shut down completely within six months.
How supply chain attacks are impacting business
Data breaches. A supply chain attack often results in data breaches, in which sensitive and confidential information is exposed. According to Arcserve, in 2022 only 52% of organizations were able to restore their critical systems within 12 hours after a severe data loss event.
Financial losses. On top of direct financial losses, the consequences of supply chain cyberattacks include ransom payments, legal costs due to consumer litigation, and an overall reduction in production. Cybersecurity Ventures warns that cybercrime could potentially create a global economic strain of $10.5 trillion each year by 2025.
Operational disruption. Compromising the supply chain through software can disrupt production, logistics, and other critical functions, leading to lost revenue and harming customer relationships. The latest cybersecurity statistics claim that 65% of organizations that experienced a ransomware attack in 2023 faced more than six days of downtime afterward.
Reputational damage. As a result of a supply chain attack, customer trust and loyalty can hang in the balance, as customers demand robust data and asset protection; otherwise, they might seek alternatives. In 2022, companies faced an average cost of $1.5 million in reputational damage from a cyberattack.
Depending on industry nuances, the type of data at stake, and the specific circumstances, supply chain hacking can trigger legal responsibilities, regulatory repercussions, intellectual property theft, and cybersecurity challenges. This results in additional supply chain risk assessments and complex investigations, all adding to the long-tail costs of business operations.
How Intellias can help
To effectively handle cyber threats in your supply chain management and ensure continued business success, it’s essential to focus on prevention rather than reaction. Cyber-resilient businesses can operate securely despite ongoing supply chain threats, enhancing customer trust and shareholder value. This involves conducting thorough risk assessments of supply chain partners, implementing robust security measures, monitoring for suspicious activity, and having a swift incident response plan in place. Collaboration with suppliers and partners is crucial for bolstering overall cybersecurity in the supply chain ecosystem.
At Intellias, we speak the language of the security industry. We have not only witnessed its evolution but have adapted to its dynamic nature. Our cybersecurity practice is firmly established, catering to an extensive global clientele in both the private and public sectors. We share the same goal: to not only reduce potential attack opportunities but also proactively address even the smallest security gaps within your organization’s policies. We achieve this through an end-to-end approach that includes applying the newest and most relevant tools, advanced technology, streamlined operations, legal measures, and strong policy enforcement, effectively deterring malicious activities. Our cybersecurity consulting services cover a broad range of actions, from assessing your company’s security posture to prioritizing critical assets and implementing protective measures. We also focus on developing robust recovery plans and consistently training your staff to equip them to handle evolving threats and build up your cyber resilience.