Third-party code, Supply chain

Why companies have to face that they will experience a supply chain attack

Today’s columnist, Yochai Corem of Cyberint, writes that companies have to accept that they will face a supply chain attack. (Stock Photo, Getty Images)

Supply chain attacks are becoming easier to accomplish as companies extend their list of suppliers with every service, piece of software or app downloaded by individual employees. Few organizations even know precisely how many suppliers they actually have, leaving numerous new entry points for threat actors.

Threat actors love supply chain attacks because they let cyber criminals claim many victims with the time and effort it takes to compromise just one organization. While the attacks themselves look similar, there’s evidence that the type of threat actor executing them is now very different from the typical threat actor of last year. Supply chain attacks have generally been associated with nation-state sponsored groups aiming to conduct cyber-espionage or to disrupt critical infrastructure. It’s become essential for companies to recognize that recent supply chain attacks are no longer solely the domain of such groups.

Financially motivated cybercriminals have now smelled blood and are circling their targets’ suppliers. Typically, these newer supply chain predators are financially, rather than politically, motivated. Such attackers steal the login credentials of a supplier or vendor to gain access to the target organization’s systems, then possibly deploy ransomware to extort cash from the target organization. Attackers do this through phishing attacks, social engineering, or by exploiting vulnerabilities in the supplier’s external systems, and steal sensitive data that’s often related to the organization’s operations or its customers.

This year has so far seen a spike in supply chain cyberattacks affecting an enormous number of vendors. In March, the 3CX supply chain attack targeted Windows and macOS desktop apps, raising concern about the security of software users’ supply chains. The attackers managed to inject malicious code into the apps and force infected machines to download an encrypted file containing command and control (C2) information, which let them perform malicious activities within each victim’s environment. This highlights the vulnerability of software supply chains: even a seemingly minor breach can have far-reaching consequences for customers who trust and rely on the software. In February, a supply chain cyberattack also targeted an unidentified business partner of the semiconductor company Applied Materials, disrupting shipments and costing an estimated $250 million in Q1 2023.

Companies should now understand that every addition to their supply chains extends their security boundaries. The first step to securing an organization against supply chain attacks: build an accurate real-time model of the entire supply chain. This means using automated discovery techniques to detect all third-party technologies and vendors, simplifying the process of maintaining a complete, up-to-date inventory of third-party suppliers. Security teams can augment this by adding any third-party organizations not scoped through automated discovery. The next stage requires real-time detection of attack surface risks in the company’s digital supply chain with continuous monitoring of third-party deep and dark web risks, such as malware infections, exposed credentials, and data leaks.

It's also now absolutely essential to have real-time knowledge of when a trusted third-party vendor experiences a security incident. A major data breach or ransomware attack on a third-party supplier may immediately expose not only the company itself, but also its customers, partners and shareholders. Security teams must take immediate and effective action to safeguard the rest of the supply chain, as well as the company itself. But because the time available to secure so many attack vectors during a professional attack is so limited, security teams must prepare for such an event well in advance of any actual attack on a company or its myriad third-party suppliers. Security staff and consultants must stay in a constant state of awareness, particularly at the end of the working week, as Friday afternoon is the threat actors’ favourite time to perpetrate frauds, such as spear phishing, on staff who are winding down and anxious to go home. In such cases, it’s also wise to offer security staff Monday off in lieu of a Friday-Saturday on alert, in the same way Sunday newspapers traditionally give their journalists the Monday off.
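As an added illustration of the two preceding paragraphs, the inventory-building step (automated discovery merged with manual additions) and the monitoring step (flagging vendors that appear in an incident or exposed-credential feed), the following Python is example code written for this page, not Cyberint's or the column's own tooling. Every hostname, vendor name and feed entry in it is constructed, and the CNAME-to-vendor table is a stand-in for whatever a real discovery source provides.

```python
# Constructed sample inputs standing in for automated discovery feeds.
# Signal 1: CNAME targets of the organization's own hostnames (hypothetical names).
DNS_CNAMES = {
    "status.example-corp.com": "example-corp.statuspage.io",
    "support.example-corp.com": "example-corp.zendesk.com",
    "mail.example-corp.com": "example-corp.mail.protection.outlook.com",
}
# Signal 2: SaaS applications observed in single-sign-on logs (hypothetical).
SSO_APPS = ["Zendesk", "Acme Payroll"]
# Vendors added by hand because discovery cannot see them (e.g. a logistics partner).
MANUAL_VENDORS = ["Acme Logistics", "Zendesk"]
# CNAME suffix -> vendor name; a constructed table, extend it from real discovery data.
CNAME_VENDORS = {
    "statuspage.io": "Atlassian Statuspage",
    "zendesk.com": "Zendesk",
    "protection.outlook.com": "Microsoft 365",
}
# Constructed monitoring feed: what continuous third-party risk monitoring would report.
RISK_FEED = [
    {"vendor": "Zendesk", "type": "exposed_credentials", "count": 3},
    {"vendor": "Acme Logistics", "type": "ransomware_incident", "count": 1},
    {"vendor": "Unknown CDN Co", "type": "data_leak", "count": 1},
]

def discover_vendors(cnames, sso_apps):
    """Automated discovery: derive vendor names from CNAME targets and SSO app names."""
    found = set(sso_apps)
    for target in cnames.values():
        for suffix, vendor in CNAME_VENDORS.items():
            if target == suffix or target.endswith("." + suffix):
                found.add(vendor)
    return found

def build_inventory(discovered, manual):
    """Merge automated and manual sources; record which source first saw each vendor."""
    inventory = {vendor: "automated" for vendor in discovered}
    for vendor in manual:
        inventory.setdefault(vendor, "manual")
    return inventory

def triage_feed(inventory, feed):
    """Split feed items into risks on known vendors and items revealing inventory gaps."""
    flagged, gaps = {}, []
    for item in feed:
        if item["vendor"] in inventory:
            flagged.setdefault(item["vendor"], []).append(item["type"])
        else:
            gaps.append(item["vendor"])  # feed knows a supplier the inventory does not
    return flagged, gaps
```

The `gaps` list is the useful by-product: a supplier that shows up in the monitoring feed but not in the inventory means discovery missed a relationship, which is exactly the blind spot the column warns about.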

Managers can no longer consider ignorance of the current scale of supply chain attacks an excuse for inaction, as the chances of being hit are rising rapidly. A survey conducted by IBM in 2021 found that 20% of surveyed companies that had experienced at least one successful attack identified their digital supply chain as responsible for the breach. With attacks now more prevalent, companies must accept the strong likelihood that they will suffer one, and not merely see it as a remote possibility.

Yochai Corem, chief executive officer, Cyberint
