What is a supply chain attack? - Definition, examples & more | Proofpoint USA (2023)

Attacks on technology supply chains are focused on software vendors and hardware manufacturers. Attackers look for insecure code, insecure infrastructure practices, and insecure network techniques that allow malicious components to be injected. When a build process requires multiple steps from development (or manufacture) to installation, an attacker (or group of attackers) has multiple opportunities to inject their own malicious code into the final product.

Some manufacturers, vendors, and developers build products that are used by thousands of customers. An attacker who manages to breach any of these providers could potentially gain access to thousands of unsuspecting victims, including tech companies, governments, security firms, and more. Rather than breaching just one target organization, a supply chain attack offers an attacker the potential to gain access to numerous organizations large and small in order to silently exfiltrate massive amounts of data without their knowledge.

In a hardware supply chain attack, a manufacturer can install a malicious microchip on a circuit board used to build servers and other network components. The attacker can use this chip to eavesdrop on data or gain remote access to the company infrastructure. In a software-level supply chain attack, a malicious library developer can modify the code to perform malicious actions in their customer's application. The library could be used for cryptojacking, data theft, or leaving a backdoor for remote access to a corporate system.

For many of the biggest supply chain threats, email fraud is the primary attack vector.Business Email Compromise (BEC)works well for attackers doing their due diligence and researching their target. That's because they can send email messages to key employees (e.g. finance) to instruct them to pay a bill or send money. The return address looks like the CEO or owner and is written in a way that makes it sound urgent to the recipient. In some scenarios, the attacker compromises an executive email account and uses it to send phishing emails to employees within the organization.

Types of Supply Chain Attacks

Any organization that installs infrastructure using third-party vendors is vulnerable to supply chain attacks, but there are three main attacks to be aware of. The three types of attacks are:

• Supply chain physical threats:Physical supply chain threats typically require collaboration with manufacturers and suppliers to inject components into circuit boards. Manufacturers are given an engineering plan that they must follow to build components. A malicious manufacturer can only add an additional component to the circuit board to eavesdrop and send data to an attacker.
• Software Supply Chain Threats:Organizations use software vendors to install their products on the network and perform functions such as monitoring servers or enabling users' daily tasks. Applications with unknown vulnerabilities allow a malicious attacker to launch numerous attacks on organizational systems.
• Digital Supply Chain Threats:To reduce development time, software developers use a shared third-party library to perform a function in their application. Should a third-party library developer inject malicious code into the product, any software developer integrating the infected library would be vulnerable.
• Business Email Compromise:Using fake invoices, an attacker sends messages to finance employees to trick them into paying. Other attackers could trick HR into diverting payroll payments to their own account by pretending to be another employee. If an attacker can compromise a corporate email address, it can be used to steal conversations and trick recipients into revealing sensitive information or sending money to an attacker-controlled account.

What are the effects of supply chain attacks?

Many organizations are unfamiliar with how supply chain attacks work, and therefore have no idea what happens when they fall victim to this type of attack. The impact of an attack on the supply chain can destroy company revenue, brand reputation and supplier relationships.

The three main impacts of supply chain attacks are:

• Privacy Breaches and Data Disclosure:In many supply chain attacks, particularly hardware-based attacks, malicious code eavesdrops on data and sends it to an attacker-controlled server. Any data passing through a system infected with malicious code could be breached, including potentially stealing highly privileged account credentials for future compromise.
• Malware-Installation:Malicious code running within an application could be used to download and install malware on the corporate network.Ransomware, rootkits,Keylogger, viruses and other malware could be installed with injected supply chain attack code.
• loss of money:If an employee is tricked into transferring money into a bank account or paying fraudulent bills, a compromised organization could lose millions.

Any vendor that relies on third parties to develop a product is vulnerable to supply chain attacks. In general attacks, threat actors focus on any target, not a specific organization. However, for sophisticated attacks, threat actors focus on government agencies or large organizations worth billions. In state-sponsored attacks, a threat actor focuses on governments and their infrastructure. These attacks could cost lives if theMalwarecrashes critical systems.

Security vendors are perfect targets. Organizations trust security providers to protect their data and reputation. With malicious code surreptitiously placed within security company infrastructure and controls, an attacker can stealthily harvest data from large enterprise systems and send it to an attacker-controlled network. Data vulnerable to these attacks can be financial,Personally identifiable information (PII), patient information and employee data.

A Managed Service Provider (MSP) is another primary goal. These companies support the organizational infrastructure and have systems in place to monitor activities. Access to one MSP system would give an attacker access to numerous MSP client systems. With the right malicious code, the attacker could access MSP credentials and give attackers access to the client infrastructure. Another option for the attacker would be skimming credit card numbers from payment dashboards and customer support systems.

Open source is a great way for developers to collaborate with other developers to improve their code. If other developers contribute to the code base, the code should be checked for security vulnerabilities. These bugs could be accidentally added to the code base or added on purpose. Since most open source projects are publicly available to other developers, an inadvertent security flaw in the code could be discovered by an attacker before a helpful third party. The attacker could then write code to exploit the vulnerability, leaving any companies using the open-source code open to targeted exploits.

Any organization with an employee hierarchy that is posted on social media or the organization's website is a target for BEC. An attacker can collect a list of highly privileged accounts for phishing, social engineering, or tricking employees into paying fraudulent bills. Once enlightened, an attacker can "become" the person they want to use to trick employees into sending money or paying the bills. In some scenarios, vendors to the organization could also be at risk. An attacker could compromise a provider's email account and use it to send targeted emails to highly privileged employees within the victim organization.

Several real-world attacks against the supply chain have already been launched, but are not known to the general public as they supply developers and operations. The popular real-world examples primarily impact enterprise administrators who need to contain, remediate, and remediate the vulnerabilities left by vendors hit by supply chain attacks.

Some real life examples affecting large companies are:

• Solarwind:In 2020, attackers inserted a backdoor into the SolarWinds update distribution process, leaving corporate and government production servers open to remote access. Numerous organizations have been victims of data breaches and security incidents.
• Cashier:MSP software infected with REvil ransomware, used to manage thousands of customer environments, allows attackers to demand $70 million from MSP customers.
• Code code:Attackers infected codecov bash uploader to automatically send reports to customers. Using malicious code injected into its scripts, attackers eavesdropped and stole customer data from Codecov servers.
• Niece Petya: Not Petyawas fake ransomware that was used to trick users into paying a fee, but never provided a private key, leaving victims with data and monetary losses. The attack began when a Ukrainian update application was infected with malicious code.

• Atlassian:In 2020, security researchers found that Atlassian apps were vulnerable due to an exploit against their single sign-on (SSO) mechanism. Using SSO tokens, attackers could access applications and perform actions related to the user account.
• British Airways:British Airways suffered a data breach after the attack on Magecart's supply chain compromised its transaction system and exposed sensitive information.
• Shared apartments non-profit:Attackers spoofed a provider's domain to trick non-profit workers into divulging sensitive data so attackers could steal £1million in rental funds.

Because supply chain attacks target developers and manufacturers outside of your organization's control, they are difficult to stop. You should always review any code or hardware before installing it in your infrastructure. Security experts also perform penetration testing on these components to ensure they do not have any unanticipated vulnerabilities that were maliciously injected into your system, or exploitable vulnerabilities that were accidentally introduced into the system.

Although supply chain attacks are beyond your control, you can still employ several strategies to avoid becoming a victim. Here are a few strategies:

• Set up a honeypot:Ahoney potof fake data that looks like sensitive, valuable information acts as tripwires to warn administrators that the system may be under attack or compromised. Honeypots should behave and look like normal systems and data, and be monitored so administrators can see how an attacker might be entering the environment.
• Restrict privileged accounts:Lateral movement across a network is common in supply chain attacks that compromise highly privileged accounts. Restricting access to only a few accounts and ensuring accounts can only access data necessary to perform a function also limits risk.
• Training of employees:Educating employees to understand the importance of cybersecurity and the many ways they can identify and protect against insider threats has been shown to reduce risk.security awareness traininghelps ensure that individuals understand and follow certain practices to keep an organization safe.
• Implement an Identity Access Management (IAM) system:An IAM provides administrators with a centralized dashboard to control data access and create and disable accounts across the organization. The benefit is that administrators can better manage permissions across the network in one place and identify potential permissions mismanagement.
• Working with Zero Trust Architecture (ZTA):Instead of trusting authenticated users, a Zero Trust environment assumes that all applications and users could be attackers and require reauthorization and authentication for every data access request.
• Identify vulnerable resources:In a risk assessment, a professional examines all resources in the network and identifies which are most vulnerable and pose the greatest risk. Admins can then prioritize cybersecurity controls for the riskiest infrastructure and protect any assets attackers might target.

• Minimize access to sensitive data:With sensitive data, including intellectual property and files containing trade secrets, organizations must restrict access to users with high privileges and monitor successful and unsuccessful access requests to identify compromises.
• Monitor access and resources from providers:Third-party vendors pose the greatest risk in supply chain attacks. Many vendors are unaware that they are a target and pose a risk to their customers, so any access or implementation of third-party resources should be assessed for vulnerabilities.
• Apply strict shadow IT rules:Shadow IT resources are any devices that are not authorized to access the network environment. This issue poses a risk if the organization also offers a bring-your-own-device (BYOD) policy that allows users to connect with their own desktop or mobile devices. These devices should be closely monitored and have antivirus software installed.
• Watch out for insider threats:Human error is a primary attack vector forPhishingand social engineering threats. Your risk assessment and review should also identify potential insider threats and human error that could result in serious harmdata leakor compromise of your system.
• Use email cybersecurity to block fake senders:Your email servers should block fake senders from reaching a recipient's inbox and use artificial intelligence to stop fake domains and known attack sites.
• Train employees to recognize malicious messages:Employee training is key to reducing the risk of human error. Simulated phishing attacks enable employees to identify phishing attacks and social engineering.
• Set up bill payment policies:To avoid paying fraudulent bills, use payment policies to validate bills and obtain authorization before sending money to a bank account.

To understand how your business might be vulnerable to a supply chain attack, you first need to do your due diligence and ainternal risk assessment. Following the SolarWinds supply chain attack, many more companies have recognized the importance of risk assessments to protect their internal environment from these third-party threats.

During a risk assessment, professionals not only identify risks but also help the organization design and manage risks. Risk mitigation requires the right cybersecurity controls and zero trust environment to properly stop threats. In many cases, the organization needs to redesign its authorization controls and user rights to reduce risk.