The supply chain has become a magnet for cyber breaches. The infamous SolarWinds attack was the most devastating and set off a ripple effect of supply chain attacks that has been felt in full force in recent years. Additionally, the recent Kaseya attack, which affected hundreds of businesses, raised the need for further dedicated attention to attacks concerning managed service providers.

The key to supply chain attacks is the interconnectedness of the global markets. There are multiple customers relying on the same supplier, and therefore, the consequences of a cyber-attack against this supplier are amplified, potentially resulting in a large-scale national or even cross-border impact. 

The latest trends and patterns indicate an increase in supply chain attacks from 2020 that seems to continue in 2021. More than 50% of the supply chain attacks were attributed to well-known cybercrime groups. Yet incidents of a supply chain nature take longer to investigate, and even then attribution is difficult. Such statistics make the case for new protective methods. They stress the need for policymakers and the security community to address potential supply chain attacks in the future and to mitigate their impact.

Timeline of supply chain attacks

Let’s look at the timeline of attacks that took place in the recent past to better understand their lifecycle and patterns:

Figure: Timeline of supply chain cyber attacks from January 2020 (source: ENISA)

  • SolarWinds (a supply management and monitoring software company) uses Orion as its network management system. In December 2020, SolarWinds discovered that Orion had been compromised and that attackers had gained access to the SolarWinds network, possibly by exploiting a zero-day vulnerability in a third-party application or device, or through social engineering. Reportedly, the malicious software was injected into Orion during the build process, and the impact was unimaginable. It became a benchmark for supply chain attacks in recent history and a lesson for many.
  • Not much later, in January 2021, Mimecast (a supplier of cloud-based cybersecurity services) discovered that attackers had compromised it, via the SolarWinds compromise. This gave the attackers access to the Mimecast-issued certificate that customers use to access Microsoft 365 services, and thus the ability to intercept network connections and connect to Microsoft 365 accounts. Needless to say, the impact extended to multiple vendors, accounts, and customers.
  • Kaseya, another software service provider, which offers the VSA (Virtual System/Server Administrator) software, was attacked via a zero-day vulnerability in Kaseya’s own systems (CVE-2021-3011632) that enabled the attackers to execute commands remotely. The incident happened in July 2021, and the attackers followed up with high ransom demands.

As the timeline (image above) shows, more incidents occurred and were reported in 2021 than in the previous year. Of these 24 confirmed supply chain attacks, 8 (33%) were reported in 2020 and 16 (66%) between January 2021 and early July 2021. The trend therefore suggests that 2021 may see 4 times as many supply chain attacks as 2020.

In at least 11 of these attacks, investigations confirmed that the supply chain attacks were conducted by known APT groups, while in the remaining thirteen cases the incidents were not fully investigated or attribution was not possible. This means the lifecycle of a supply chain attack can resemble the work of APT attacks; however, attribution of attackers is difficult, prone to error, imprecise, and a challenge for CISOs and their teams.

Ruben Gomes, a cybersecurity consultant, shares: ‘Companies need to adopt a Zero Trust philosophy towards their suppliers. This means there should be no automatic assumption of authenticated trust between the client and supplier networks. Furthermore, for a matter of improved visibility, it’s imperative that a software bill of materials reaches the client for all software deployments. This way companies know exactly what components (open source or commercial) have been used to build that piece of software and are able to monitor these for known vulnerabilities during their lifecycle.’
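The monitoring that a software bill of materials enables can be automated. The script below is an added example, not code from the article or from any SBOM vendor: it reads a minimal CycloneDX-style SBOM, looks each component up in a vulnerability feed, and reports every component whose version is below the first fixed version. The SBOM, the feed, the package names, the advisory identifiers and the version numbers are all constructed for this example; a real check would pull the feed from a source such as OSV or the NVD.

```python
"""Added example (not from the original article or any vendor's tooling):
cross-check an SBOM against a list of known vulnerable component versions.

Assumptions (labelled): the SBOM is a minimal CycloneDX-style JSON document
with "components" carrying name, version and purl; the feed is a constructed
dict keyed by package URL without version. Versions are plain dotted numbers."""
import json

# Constructed sample SBOM; all package names and versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.1",
         "purl": "pkg:maven/example/libfoo@1.4.1"},
        {"type": "library", "name": "widgetlib", "version": "2.26.0",
         "purl": "pkg:pypi/widgetlib@2.26.0"},
        {"type": "library", "name": "tinyutil", "version": "1.0.0",
         "purl": "pkg:npm/tinyutil@1.0.0"},
        {"type": "library", "name": "internal-tool", "version": "0.1"},  # no purl
    ],
})

# Constructed vulnerability feed: package -> (advisory placeholder, first fixed
# version). Any version strictly below "fixed_in" is treated as affected.
SAMPLE_FEED = {
    "pkg:maven/example/libfoo": {"advisory": "ADVISORY-PLACEHOLDER-1", "fixed_in": "1.7.0"},
    "pkg:pypi/widgetlib":       {"advisory": "ADVISORY-PLACEHOLDER-2", "fixed_in": "2.20.0"},
}


def parse_version(version: str) -> tuple:
    """Turn '1.4.1' into (1, 4, 1) so versions compare numerically, not as
    strings (where '1.10.0' would wrongly sort before '1.9.9')."""
    return tuple(int(part) for part in version.split("."))


def package_key(purl: str) -> str:
    """Strip the '@version' suffix from a package URL to obtain the feed key."""
    return purl.rsplit("@", 1)[0]


def find_vulnerable_components(sbom_json: str, feed: dict) -> list:
    """Return [(purl, advisory)] for every SBOM component whose version is
    below the first fixed version recorded in the feed."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a package URL the component cannot be matched reliably;
            # in practice such entries should be flagged for manual review.
            continue
        entry = feed.get(package_key(purl))
        if entry is None:
            continue
        if parse_version(comp["version"]) < parse_version(entry["fixed_in"]):
            findings.append((purl, entry["advisory"]))
    return findings


if __name__ == "__main__":
    for purl, advisory in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_FEED):
        print(f"VULNERABLE {purl}  ({advisory})")
```

Running the script on the constructed input reports only libfoo 1.4.1, since widgetlib is already past its fix version and tinyutil has no advisory; the component without a purl is skipped rather than silently treated as safe, which is the point a real pipeline should not get wrong.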

Lifecycle of a supply chain attack

The lifecycle of a supply chain attack has two main stages: the attack on the supplier and the attack on the customer. Each of these attacks is usually complex, requiring one attack vector, one plan of action, and meticulous execution. These attacks may take months to succeed and, in many cases, may go undetected for a long time. Additionally, hackers utilise techniques like phishing emails and MiTM to target the weakest link in cybersecurity – the human element.

Table: supply chain attack techniques (source: ENISA)

As per the ENISA report, in terms of suppliers’ assets, most attacks aimed to compromise code (66%), data (20%), and processes (12%). The compromised suppliers’ assets are then used as an attack vector to compromise the customers, mostly by either abusing the customer’s trust in the supplier (62%) or by using malware (62%). Regardless of the technique used, most supply chain attacks aim at gaining access to customer data (58%), key people (16%), and financial resources (8%).

When we asked Ankita Dhakan (Founder of Security Lit, New Zealand) how companies can address and strengthen their response to supply chain attacks, she highlighted a few things that can be done to improve it.


  1. RBAC (Role-Based Access Control): The concept of role-based access control closely connects to the idea that an employee should only have access to the information that is necessary to fulfil his or her day-to-day tasks, so usually employees will not have access to sensitive data, which decreases the attack surface.
  2. Employee On-boarding training: Educating employees should be considered one of the most important things an organisation can do to improve its overall security posture. It is possible for data breaches to occur when employees are readily misled by phishing emails or other types of fraudulent campaigns.
  3. Performing Vendor Review: Companies should be required to conduct a vendor review before purchasing or using any product or service. During this assessment, they should evaluate the security of the product and the data permissions that the product is requesting. The security of the product should be assessed before any sensitive permissions such as read/write access to data are granted.  
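The RBAC point in item 1 is easiest to see in code. What follows is an added example, not part of the article and not the interviewee’s own material: a deny-by-default access check in which a user holds only the permissions that some assigned role explicitly grants, plus a helper that counts how many accounts could expose a given resource if one of them were phished. The roles, permissions and user names are constructed sample data.

```python
"""Added example (not from the original article): minimal deny-by-default
role-based access control, illustrating least privilege.

Assumptions (labelled): roles, permissions and users are constructed sample
data; a real system would load them from an identity provider."""

# Constructed role -> permission mapping. A permission is an (action, resource) pair.
ROLE_PERMISSIONS = {
    "support":  {("read", "tickets"), ("write", "tickets")},
    "finance":  {("read", "invoices"), ("write", "invoices"), ("read", "customer-pii")},
    "engineer": {("read", "tickets"), ("read", "build-logs"), ("write", "source")},
}

# Constructed user -> roles mapping. "dave" has just been on-boarded and holds no role.
USER_ROLES = {
    "alice": {"support"},
    "bob":   {"finance"},
    "carol": {"engineer", "support"},
    "dave":  set(),
}


def permissions_for(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds.
    Unknown users and unknown roles contribute nothing: deny by default."""
    granted = set()
    for role in user_roles.get(user, set()):
        granted |= role_permissions.get(role, set())
    return granted


def is_allowed(user, action, resource,
               user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """True only if some role of the user explicitly grants (action, resource)."""
    return (action, resource) in permissions_for(user, user_roles, role_permissions)


def users_with_access(action, resource,
                      user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Everyone who can perform the action: a rough measure of how many accounts
    would expose the resource if compromised, e.g. through a phishing email."""
    return {u for u in user_roles
            if is_allowed(u, action, resource, user_roles, role_permissions)}


def revoke_role(user, role, user_roles=USER_ROLES):
    """Removing a role immediately removes every permission it carried."""
    user_roles.get(user, set()).discard(role)


if __name__ == "__main__":
    checks = [("alice", "read", "customer-pii"),
              ("bob", "read", "customer-pii"),
              ("dave", "read", "tickets")]
    for user, action, resource in checks:
        verdict = "allowed" if is_allowed(user, action, resource) else "denied"
        print(f"{user:6} {action} {resource}: {verdict}")
    print("accounts that can read customer-pii:",
          sorted(users_with_access("read", "customer-pii")))
```

The deliberate design choice is that nothing is granted unless a role grants it: a freshly on-boarded user, an unknown user name, or a typo in a role name all evaluate to “denied”, and the exposure of sensitive data is bounded by the number of accounts `users_with_access` returns rather than by the whole staff list.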

Increased interdependencies and complexities lead to higher-impact attacks with far-reaching consequences, and trends do not suggest otherwise for 2022. Rising cyber risk will demand more cyber resilience and a strengthening of the pillars of cybersecurity in the coming years. While the efforts of customers and suppliers individually do not seem to be enough, initiatives at the industry level are the need of the hour.

In June 2021, Google introduced SLSA (Supply chain Levels for Software Artifacts), an end-to-end framework for ensuring the integrity of software artefacts throughout the software supply chain. That is a good start for industry giants coming together to shield businesses.
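The practical side of artefact integrity is a consumer refusing to deploy anything whose provenance does not match. The script below is an added example, not Google’s or the SLSA project’s code: it checks that a downloaded artefact’s SHA-256 digest matches the subject digest recorded in an in-toto Statement carrying a SLSA provenance predicate, and that the recorded builder is one the consumer trusts. The artefact bytes, the builder URL and the provenance document are constructed for the example; verifying the signature on the provenance envelope is assumed to happen before this step and is not shown.

```python
"""Added example (not from the original article, Google, or the SLSA project):
verify an artefact against its provenance statement before deployment.

Assumptions (labelled): the provenance is an in-toto Statement with a SLSA
provenance predicate, and only `_type`, `subject[].name`,
`subject[].digest.sha256`, `predicateType` and `predicate.builder.id` are
used. The envelope signature is assumed to have been checked already."""
import hashlib
import hmac
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"  # accepts any SLSA provenance version

# Constructed placeholder: builders whose provenance this consumer accepts.
TRUSTED_BUILDERS = {"https://builder.example.invalid/ci"}

# Constructed artefact; in practice this is the downloaded release file.
ARTIFACT = b"#!/bin/sh\necho 'release build 1.2.3'\n"
ARTIFACT_NAME = "tool-1.2.3.sh"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed provenance statement for the artefact above.
PROVENANCE = json.dumps({
    "_type": IN_TOTO_STATEMENT,
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": "https://builder.example.invalid/ci"}},
})


def verify_artifact(artifact: bytes, name: str, provenance_json: str,
                    trusted_builders=TRUSTED_BUILDERS):
    """Return (ok, reason). ok is True only when every check passes."""
    try:
        stmt = json.loads(provenance_json)
    except json.JSONDecodeError:
        return False, "provenance is not valid JSON"
    if stmt.get("_type") != IN_TOTO_STATEMENT:
        return False, "not an in-toto statement"
    if not str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        return False, "predicate is not SLSA provenance"
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder: {builder}"
    actual = sha256_hex(artifact)
    for subject in stmt.get("subject", []):
        if subject.get("name") != name:
            continue
        expected = subject.get("digest", {}).get("sha256")
        if expected is not None and hmac.compare_digest(expected, actual):
            return True, "digest matches provenance"
        return False, "digest mismatch: artifact was modified after the build"
    return False, f"artifact {name!r} not listed in provenance subjects"


if __name__ == "__main__":
    print(verify_artifact(ARTIFACT, ARTIFACT_NAME, PROVENANCE))
    print(verify_artifact(ARTIFACT + b"# tampered\n", ARTIFACT_NAME, PROVENANCE))
```

The second call in the usage block shows the case the framework exists for: a single appended byte changes the digest, so the artefact is rejected even though the provenance document itself is intact. Untrusted builders are rejected before the digest is even computed, because a matching hash from a builder nobody vouches for proves nothing.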
