What is Supply Chain Attack? How to Prevent Supply Chain Attacks
The globalization of business has become more accessible and profitable thanks to e-commerce, but there is, naturally, a dark side. Supply chain attacks have become increasingly common with the help of modern technology, which attackers can now use to intercept supply chains and launch comprehensive attacks that inflict heavy losses on a business.
Of course, many methods can help prevent such attacks while protecting your system. Still, one of the most significant issues is that these attacks can often go undetected for months, even with all the necessary security measures.
One supply chain attack that alarmed software distributors was the CCleaner incident. Hackers controlled the popular cleaning tool's distribution for over a month and attached malware to its software updates. The attack exposed millions of computers worldwide, and the organizations involved lost many trusted customers.
These attacks have only become more common over time, so let's take a closer look at them.
Software Supply Chain Attack Definition and Examples
What Is A Supply Chain Attack?
A software supply chain attack occurs when an attacker gains access to a network through suppliers or third-party vendors and compromises the supply chain. Supply chain attacks are also often known as third-party attacks or backdoor attacks.
The primary reason supply chain attacks are so tricky to intercept is that supply chains are usually very complex. Software supply chains are hard to keep track of because of the sheer number of suppliers and vendors that make up the chain, and that same complexity makes them comparatively easy to attack.
Many protective measures are now in place because the problem is becoming increasingly concerning. Still, vendors and software suppliers must each show a real commitment to protecting the supply chain; if either party is not contributing to securing it, they put the entire business at risk.
It is, therefore, essential for software suppliers and vendors to know who they are working with. Any carelessness about trust or security can be a cause of heavy losses. The suppliers, vendors, and even the customers at the end of the chain are exposed to malware, scams, and other malicious activity that could stop them from ever trusting the organization again.
Most organizations that suffer supply chain attacks and expose their clientele to them have a tough time recovering from the losses. This recovery does not just pertain to financial losses but also to losing their customers' trust.
Therefore, intercepting supply chain attacks and curbing the extent of any such breaches is one of the top priorities of software vendors around the world.
Supply Chain Attack Examples
There are thousands of examples of supply chain attacks within organizations. They are a huge deal mainly because they spread to the customers and clients of those organizations and cause heavy repercussions for them. Worse, these attacks are very sneaky and can often go undetected for months, even in giant, trustworthy organizations.
One of the most popular supply chain attacks has been the SolarWinds Supply Chain Attack. It was a huge deal since it affected around 18,000 clients and even breached companies like Microsoft.
According to Insider, the attack began when foreign nationals were able to hack into the systems of SolarWinds, a Texas-based tech firm in the USA, and add maliciously coded scripts into the system. Since this infiltration went undetected, the malicious activity spread to thousands of the system's clients as time passed.
Because the security breach was so severe, the organization realized that it needed to implement greater security and check the entire system for any further threats. This solution was costly for the company and dealt it a massive financial blow, not to mention that it had lost the trust of thousands of customers at once.
Experts later determined that the attack was initiated by Russian nationals, and it was probably considered an attack on the national security of the USA.
Another famous example of a supply chain attack is the Panama Papers in 2016. In this attack, the law firm from Panama, Mossack Fonseca, leaked around 2.5 terabytes of sensitive data regarding the tax evasion tactics of individuals worldwide.
These papers contained information on highly influential people, including politicians and even well-reputed companies.
This attack was a worldwide phenomenon, was talked about constantly for months on end, and remains one of the most famous supply chain attacks to date.
Dependency Confusion Attack
A highly concerning yet ultimately harmless supply chain attack example is Dependency Confusion, from early 2021. A researcher named Alex Birsan took advantage of how application dependencies are resolved to deliver counterfeit packages to users. The notable part is that he attacked users from the customer base of Apple, Tesla, Uber, and Microsoft.
The attack was more concerning than anything else because of how easily the researcher took advantage of the situation. However, no severe damage was reported as a result of the attack.
The Mimecast attack of 2021 was a massive blow to Mimecast. Hackers gained access to the system by compromising a code-signing certificate that Mimecast used to authenticate to Microsoft Web Services.
The data of around 10% of Mimecast’s entire customer base was compromised due to the attack.
Automotive Companies Data Breach
Another interesting supply chain attack due to negligence was the attack on leading automotive companies. These include Volkswagen, Audi, and Mercedes-Benz.
Certain vendors helping all three companies accidentally revealed sensitive data online, on a public cloud. Attackers quickly gained the information and tried to use it against the companies.
Risk Factors for Supply Chain Attacks
While comprehensive, planned cyber-attacks on supply chains certainly exist, there is no doubt that vulnerabilities in the chain or the system are some of the biggest causes of cyber-attacks. Even a simple mistake by an employee or an inability to afford the best means of security could cause a supply chain attack. To understand how to protect the system and prevent an attack, you must know the vulnerabilities in the system.
Here are some significant risk factors that lead to supply chain attacks in the long run:
Insider threats are widespread and can lead to significant property theft and supply chain attacks. While many insider threats stem from malicious intentions, many others are accidents or sheer ignorance of certain issues.
One of the reasons why the Zero-Trust security model is gaining so much popularity is that insider threats are often unaccounted for in traditional security systems.
An ignorant employee could accidentally send an email with sensitive information to their personal account or a personal contact. While this could be a harmless scenario, in many other cases hackers can intercept the data and use it to attack the supply chain.
Of course, malicious employees also exist. Sometimes people who have been fired, or who harbor ill intentions toward the company, leak vital information to attackers. These employees are sometimes offered financial compensation or something similar for their hand in the matter.
Insider threats are a risk to a system rather than a direct cause of attack, since no attack may ever result from them. But their presence within the system does increase the chances significantly.
One of the most compelling cases of an ignorant insider threat was at Microsoft. In late 2019, employees at Microsoft found around 250 million records of Microsoft customers exposed on the internet. Anyone surfing the web could easily access their personal information, including emails, locations, and IP addresses.
There was no malicious intention behind this, and it was the work of negligent employees who did not secure the databases as much as they should have. Microsoft was able to secure the information within 24 hours of being notified, but it is unknown how long the information was openly accessible.
And reportedly, no supply chain attacks occurred as a result, but anything could have happened if the records had stayed accessible for longer.
Compromised Software or Hardware
Hardware manufacturers can be malicious themselves or have insider threats within their systems who compromise hardware before it is shipped to organizations. The same goes for software, which could arrive with malware attached or perform malicious activity once inside the system.
Hardware and software compromise can occur at any point within the process. It could be present at the beginning of the manufacturing process or become apparent later within the system.
In either case, they could become entry points for supply chain attacks and cause the business to suffer immensely. These entry points are why manufacturers must secure their processes and ensure ample security measures are in place throughout their systems.
Shortcomings in Security
Another primary reason supply chain attacks become a possibility for businesses and their supply chains is that the system has severe shortcomings. These shortcomings can arise because the company cannot afford adequate security for its supply chain or is unaware of how to deal with security threats. Sometimes, even a moment of negligence in security can be enough for hackers to find an entry point into the system and establish themselves inside it.
These security vulnerabilities also arise from unauthorized access to the system. This unauthorized access could occur because a hacker gained the credentials of a user who has access to the system or because the user unknowingly released this information.
For this reason, security practices such as multifactor authentication are essential to grant access to the system. Even micro-segmentation and least privilege access are reliable methods of security to prevent insiders from leaking information this way.
Inability to Follow Legal Guidelines
In terms of business, there are often minimum legal guidelines that organizations need to follow. An inability to follow these guidelines can cause the company to incur losses, and they may face legal repercussions simultaneously for not doing so.
The administration and developers are just some entities responsible for this non-compliance. Employees not following directions can open the company to supply chain attacks.
One of the most significant weaknesses of software supply chains is the number of tiers involved in the process. The software must pass through all of the tiers in sequence before it finally reaches the consumer, and with so many tiers, the software can be exposed to a threat at any point along the way. Only some of the third-party vendors involved will be as vigilant about security as the parent organization, which poses a considerable risk. Therefore, it is crucial to adopt the best third-party management practices to avoid this issue.
Supply Chain Attack Types
Supply chain attacks are straightforward to carry out because attackers can execute them in several ways. The most common supply chain attack types include undermining code signing and compromising hardware and software.
Here is a deeper insight into many of these attacks:
Stolen Certificates, Apps, and Identities Through Code Signing
Most organizations use certificates that confirm their product as legitimate and secure. This certificate helps their customer trust them and use their software with ease. Lately, attackers have been able to gain access to these certificates. They use the certificate's legitimacy to spread malware and other malicious activity throughout the supply chain.
Stuxnet is one of the most renowned attacks that relied on a stolen certificate. It occurred when state-sponsored actors stole valid code-signing certificates and keys. The intention was to hijack Iran’s nuclear program with malware known as Stuxnet.
After infecting a system, Stuxnet installed a driver on the computer, and even these drivers were signed with a stolen certificate. It only worked on Windows operating systems, though.
Another supply chain attack example is that of ShadowHammer. ASUS, a famous manufacturer from Taiwan, had their supply chain compromised when hackers gained access to codesigning keys from their servers.
The attack affected individuals with a particular ASUS notebook, where the live update automatically installed malware into the system. This attack was very long and drawn out since it took place over six months and affected over a million customers of the famous company.
While the hardware might not always contain malicious code or malware, every device needs firmware to run on a system. And this firmware can easily be compromised by attackers. Hackers can write malicious code and inject it into the firmware, which means they can quickly gain access to the system. This tactic is a classic example of a backdoor attack since the malicious code creates a backdoor that allows attackers to steal information.
Sometimes, hackers add malware to hardware such as phones, cameras, and other devices. When the device is connected to a system, the attackers can often gain access to the system with the device.
One example occurred in Eastern Europe, where a wave of ATM attacks unfolded in quick succession. After investigation, researchers discovered that many ATMs were infected with malware that captured PIN codes and even magnetic stripe data from users' cards. These attacks were exposed by security researchers at EAST (the European Association for Secure Transactions).
The malware used in this attack was a dropper file with the name isadmin.exe, which contained malicious code. EAST tried to update the systems of all ATMs to clear them and prevent this from happening again.
Compromised Software and Software Tools
Software these days is built with the help of software-building tools. It is challenging to build complete software from scratch, especially software that offers the convenience and security expected of modern applications. So, tools such as APIs, open-source code, and other such components are used to build it.
As it gets easier and easier to build comprehensive software, there is no doubt that the risk of vulnerabilities in that software grows too. Hackers can compromise software components in various ways, and if a compromised tool is used to build software, it can naturally lead to a supply chain attack.
An example of a dangerous software-based attack happened in 2020. A Chinese phone company, Transsion, released thousands of devices containing pre-installed malware. It signed users up for subscription services without their permission.
The malware could not be removed by the users either. It was known as Triada and installed a component known as a helper on the phones, which carried out the malicious activity. Thousands of users were affected.
Malicious Activity With Open-Source Code
Another example of supply chain attacks includes open-source code. When building software and applications, the developers have access to libraries with open-source codes. These developers often add this code to their projects. These libraries sometimes contain malicious code that the developers unsuspectingly use.
An example is that of Python libraries containing sub-libraries named 'Django'. While these libraries contained malicious code, they also contained functioning code. They affected many developers and their projects back in 2018.
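As an added example (not code from the original article or from any project it names), the script below audits a pip requirements file for the conditions behind the Dependency Confusion research described earlier and the malicious look-alike Python libraries in this section: a private index configured with --extra-index-url, which lets a public package of the same name win the version race; dependencies without an exact version pin or a --hash integrity pin; and names within a short edit distance of a well-known package. The requirements text, the 'acme-' internal prefix, the short well-known list and the placeholder hashes are constructed for illustration.

```python
"""Audit a pip requirements file for the conditions that enable
dependency confusion and malicious look-alike packages.
Added example: not code from the original article or any real project."""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (finding code, subject)

# Constructed sample requirements file. The private index, the internal
# package name and the look-alike 'djago' are invented for this example;
# the hash values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = "\n".join([
    "--extra-index-url https://pypi.internal.example/simple",
    "acme-internal-auth==2.1.0",
    "requests==2.31.0 --hash=sha256:" + "0" * 64,
    "django>=4.0  # floating version: a newer upload silently replaces it",
    "djago==1.0.2 --hash=sha256:" + "1" * 64,
])

# Prefixes an organization knows belong to its own private packages (constructed).
INTERNAL_PREFIXES = ("acme-",)
# A few well-known public names, used to catch typosquats such as 'djago'.
WELL_KNOWN = {"django", "requests", "numpy", "flask", "urllib3", "cryptography"}

# Package name followed by an optional comparison operator (PEP 508 subset;
# extras and environment markers are ignored for this audit).
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to measure how close a name is to a well-known one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> Tuple[bool, List[Tuple[str, str, List[str]]]]:
    """Return (extra_index_used, [(normalized name, operator, hashes), ...])."""
    extra_index = False
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("--"):
            # --extra-index-url merges the private index with the public one: pip
            # takes the highest version from either, which is the confusion vector.
            extra_index = extra_index or line.startswith("--extra-index-url")
            continue
        tokens = line.split()
        m = SPEC_RE.match(tokens[0])
        if not m:
            continue
        hashes = [t for t in tokens[1:] if t.startswith("--hash=")]
        reqs.append((normalize(m.group(1)), m.group(2) or "", hashes))
    return extra_index, reqs


def audit(text: str, max_typo_distance: int = 2) -> List[Finding]:
    """Produce (code, subject) findings for every red flag in the file."""
    extra_index, reqs = parse_requirements(text)
    findings: List[Finding] = []
    if extra_index:
        findings.append(("EXTRA_INDEX", "--extra-index-url"))
    for name, op, hashes in reqs:
        if op != "==":
            findings.append(("UNPINNED", name))      # floating version range
        if not hashes:
            findings.append(("NO_HASH", name))       # no integrity pin on the artifact
        if extra_index and name.startswith(INTERNAL_PREFIXES):
            findings.append(("CONFUSABLE", name))    # internal name, public index in play
        if name not in WELL_KNOWN:
            closest = min(sorted(WELL_KNOWN), key=lambda k: levenshtein(name, k))
            if levenshtein(name, closest) <= max_typo_distance:
                findings.append(("TYPOSQUAT", f"{name} (looks like {closest})"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_REQUIREMENTS):
        print(f"{code:<12} {subject}")
```

The fix for the CONFUSABLE finding is to serve internal and public packages from one index (`--index-url`) that proxies the public registry, so no second index can outbid it; the NO_HASH finding is resolved by pinning with `--hash`, which makes a swapped artifact fail installation.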
Repercussions of Supply Chain Attacks
Supply chain attacks can be silent killers of organizations. There is no single outcome of these attacks; they vary greatly. The consequences depend on who the attacker is and what their intentions are. Some of these attacks only intend to make some easy illegal money by hacking the supply chain of an organization, while others have gone as far as to threaten national security.
A data breach is one of the most common motives for supply chain attacks. Data of customers and employees alike are leaked on the internet and can be used by anyone who comes across it. A vulnerability in the supply chain is exploited with tools that can intercept any information passing through the pipeline. Whatever information the tool can pick up is sent to the attacker, who can do whatever they want with it.
Other than that, some attackers target supply chains with the sole intention of adding malware. Since malware is varied and has many outcomes, from spying on a user's activities to replicating its code across all of the user's online activity, the exact consequences depend on what the malware placed in the supply chain is built to do.
Lastly, many attackers want a business to lose money. They might gain that money in the process of the attack, or they might gain nothing at all. But money is a big motivation for supply chain attacks, mainly because of e-commerce. Attackers can gain access to card vendors, retail outlets, and other sensitive information online that they can use in their favor. Many institutions cannot fully recover from the financial losses resulting from a successful supply chain attack, and the effect is more devastating the longer the attack has persisted. Since supply chain attacks are also difficult to notice, they can damage the organization before anyone picks up on them.
Many supply chain attacks directly affect users. For example, the malware in thousands of phones from Transsion reached thousands of customers who were confused and concerned by the abnormal activity on their devices. This situation caused thousands of customers to lose faith in the organization and possibly warn people they knew against buying the phones because of their personal experience.
Of course, this would cause the organization to lose thousands of customers at once, which could cause them massive financial losses.
One example of financial losses through a comprehensive supply chain attack includes the data breach on Target, USA, in 2014. Personal information of over 70 million customers was leaked, including 40 million credit and debit cards. The attackers gained access to the system through phishing tactics with the unintentional help of an HVAC vendor.
And then building up this trust again once it has been breached is very difficult. Many companies have likely gone out of business as well due to comprehensive supply chain attacks, which left them in financial turmoil and an inability to draw customers again.
An interesting example of a supply chain attack is that of Lockheed Martin. This attack had no severe repercussions, leaving many confused about what had occurred.
The attack occurred in 2011 when military contractors in the USA had their systems infiltrated with the help of multifactor authentication codes. Among these contractors was Lockheed Martin, one of the most prolific military contractors in the USA, whose equipment included the PAC-3 missile and the F-35 Lightning Aircraft.
The fact that attackers could infiltrate the system showed gaping vulnerabilities in the entire infrastructure. In more malicious hands, this could have severely breached the national security of the USA as well, which would be awful for many people.
Therefore, we can see that the risks of supply chain attacks are massive and cannot always be predicted. This unpredictability is why securing your supply chain and protecting it from such attempts is essential.
How to Prevent A Supply Chain Attack
The sad news is that no matter how many supply chain attack prevention tactics and security techniques you apply, there will always be a slight chance that a hacker can gain access to your system and launch a proper supply chain attack.
The good news, however, is that most hackers will not go that far. The more security tactics you have, the harder it will be for an attacker to intercept your system, and most attackers are looking for a low-risk, high-reward situation. So, they will naturally scour the internet for systems that do not have very tight security and target those instead.
So yes, it is highly possible to prevent a supply chain attack. Here is how you can do it:
One of the most comprehensive security concepts is the Zero-Trust security architecture. It functions on the basis of an assumed breach, meaning the system does not trust individuals inside or outside it.
The security model calls for aggressive verification of all users within the system at regular intervals. Verification is necessary every time a user wants access to a different part of the system or if they are performing any activity that is different from their usual activity.
While it may seem like a rigid model, it is essential to remember that zero trust is just a concept. Zero trust allows organizations to implement security measures that offer aggressive security and immediately detect suspicious activity.
Zero-trust is the most trustworthy security model for securing supply chains, which are very vulnerable at present.
Restrict Lateral Movement
When attackers gain access to the system at any point, their first plan of action is to move laterally through the system. This movement suggests that the attackers want access to everything the system stores, including sensitive information.
So, first, lateral movement should not be allowed within a system without explicit permission. Only with actual authorization from an authoritative figure should any individual be able to move laterally through the system. If an attacker cannot do that, then even if they compromise a system, only a tiny part of it will be breached.
This technique is especially beneficial when the attacker gains access to the credentials of one of the system's users. Since gaining access at the user's end is the easiest, it is the interface most hackers use to get inside the system. When lateral movement is impossible, they cannot get any further than that user's own access.
Encrypt Internal Data
Organizations should use advanced and comprehensive encryption techniques to encrypt the data within the system. It will prevent the attacker from accessing any helpful information.
While many attackers can also decrypt the data within a system, this will be challenging if the organization uses a sophisticated encryption algorithm such as the Advanced Encryption Standard (AES). The government of the United States uses this algorithm to protect all internal data.
Assume Data Breach
Zero-Trust security architecture is one of the most effective practices of security in the world today. It functions on the principle of not trusting any entity, whether within the system or outside of it. One of the main principles of Zero Trust Security is Assumed Breach.
As the name suggests, Assumed Breach means assuming that there is already an infiltrator within your premises and that the system can be compromised at any moment. The threat cannot simply be removed from the system. Instead, enough security measures are put in place that even an entity that already has access to the system cannot cause data breaches or compromise the system in any way.
So, anyone with credentials to the system does not automatically have access to the entire system. They only have access to a specific part of it. So even if an attacker gains unauthorized access to the system, they will be unable to cause any harm to the supply chain.
Implement Multifactor Authentication
For the longest time, having the username and password to a system meant anyone could access it. However, that is no longer the case.
Because of the millions of data breaches that occurred over the years when unauthorized persons gained access to user credentials, multifactor authentication systems were introduced. With multifactor authentication, a user needs access to at least one more device in addition to the individual's username and password.
So when a person logs into an account, they need to verify their identity through SMS or email, and only then will they be able to enter the system.
While Multifactor authentication is imperfect, its implementation has many benefits. It dramatically reduces data breaches because of unauthorized password access and adds a layer of verification to the whole process.
While it is still essential to protect your password and change it regularly, it is no longer the sole key to all your information online. And naturally, it helps to protect the supply chain from being compromised.
Honeytokens are decoys within the system. They are an interesting tactic for supply chain attack prevention: essentially fake resources and data packets presented as essential, sensitive information. They are used to entice the hacker into trying to breach the system, and when such activity occurs, the organization gets an alert of suspicious activity inside the system.
Honeytokens are now quite comprehensive and give the system detailed information about suspicious activity. This information can even include the identity and location of the hacker if they have not used firewalls.
This supply chain prevention method allows organizations to gather essential data regarding the techniques used for data breaches. They can then deploy effective solutions to prevent supply chain attacks within the system further.
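As an added illustration (not code from the article), here is how honeytoken seeding and alerting fit together: a decoy API key and a decoy file path are registered, constructed log lines are scanned for any mention of them, and the resulting alerts are grouped by source address so the security team sees which decoys each suspicious source touched. The 'HT-' key format, the log line layout and the log entries themselves are assumptions made up for this example.

```python
"""Honeytoken seeding and detection: plant decoy credentials and paths, then
watch logs for any use of them. Added example, not code from the original article."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Honeytoken:
    value: str        # the bait exactly as it would appear in a log line
    kind: str         # "api_key" or "file"
    planted_in: str   # where the decoy was seeded, so an alert says what was touched


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    token: Honeytoken
    raw_line: str


def mint_api_key_token(planted_in: str, secret: bytes, label: str) -> Honeytoken:
    """Derive a bait API key from a secret and a label. The 'HT-' prefix and
    32-hex-digit body are an invented format for this example. Deriving the
    value (instead of storing random ones) lets the detector rebuild its
    registry from the secret alone, while an intruder cannot predict it."""
    digest = hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:32]
    return Honeytoken(value=f"HT-{digest}", kind="api_key", planted_in=planted_in)


def build_registry(tokens: Iterable[Honeytoken]) -> Dict[str, Honeytoken]:
    return {t.value: t for t in tokens}


# Constructed log layout: "<ISO timestamp> <source IP> <free-text message>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<msg>.*)$")


def scan_logs(lines: Iterable[str], registry: Dict[str, Honeytoken]) -> List[Alert]:
    """Any appearance of a honeytoken value is an alert: legitimate users have
    no reason to touch a decoy, so there is no noisy baseline to tune against."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value, token in registry.items():
            if value in m.group("msg"):
                alerts.append(Alert(m.group("ts"), m.group("ip"), token, line))
    return alerts


def attacker_summary(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group alerts by source IP: which decoys each suspicious source touched."""
    summary: Dict[str, set] = {}
    for a in alerts:
        summary.setdefault(a.source_ip, set()).add(a.token.planted_in)
    return {ip: sorted(places) for ip, places in summary.items()}


def demo() -> List[Alert]:
    secret = b"constructed-demo-secret"  # in production: fetched from a secret store
    tokens = [
        mint_api_key_token("config/.env on build-host-7", secret, "env-1"),
        Honeytoken("/srv/finance/q3_payroll_FINAL.xlsx", "file", "finance share"),
    ]
    registry = build_registry(tokens)
    bait_key = tokens[0].value
    # Constructed log lines modelled on an API gateway and a file-server audit log.
    lines = [
        "2024-03-01T10:00:01Z 10.0.4.12 api auth ok key=svc-ci-real-key user=svc-ci",
        f"2024-03-01T10:02:17Z 203.0.113.45 api auth fail key={bait_key}",
        "2024-03-01T10:02:20Z 10.0.4.12 file read /srv/finance/README.txt user=alice",
        "2024-03-01T10:03:05Z 203.0.113.45 file read /srv/finance/q3_payroll_FINAL.xlsx user=svc-ci",
    ]
    return scan_logs(lines, registry)


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert.timestamp} {alert.source_ip} touched {alert.token.kind} decoy "
              f"planted in {alert.token.planted_in}")
```

In the constructed logs, the same source first tries the bait key taken from a build host and then opens the decoy payroll file, which is exactly the "which techniques were used" picture the text describes.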
Tighten security around any entry points
Some weaknesses within the system are apparent, and honeytokens and the organization's security team can reveal others. It is essential to tighten the security around these parts of the system since they are the most likely entry points. Increased visibility and vigilance are required to monitor them, and whoever is monitoring should report any suspicious activity immediately.
Implementing a Zero-Trust security architecture is integral for protecting weak points in the system since it always allows for monitoring of suspicious activity within the system, which the system can detect automatically.
Implement Using Only Registered Devices
The worldwide adoption of remote work has allowed people to access their systems from a range of personal devices, from laptops to phones and tablets. Since we have seen how hardware breaches can cause massive supply chain attacks, it is essential for an organization to let its users access the system only from registered devices.
So if any of these devices is used to launch a supply chain attack, it will be much easier to identify than an unregistered shadow device.
The IT department of an organization should enforce strict rules regarding the devices that can be used to access the system and should prevent users from connecting unauthorized devices to their system.
Implement Least Privilege Access
Least Privilege access is another component of zero-trust security. It refers to each user within the system only having access to the part of the system they need to work on. Users' movement from one part of the system to another is only possible with aggressive verification and authorization by the system.
This way, the organization can limit who has access to the most sensitive parts of the system. Only highly privileged accounts can access sensitive information in the system. Because the data is a high priority and could cause supply chain attacks, only a few accounts should have access to this part of the system.
Securing Third-Party Access
All organizations need to ensure that all the third parties involved in the process have ample measures of security in place. It is necessary to do a thorough background check on all vendors before sensitive data is handed over to them.
How to Detect A Supply Chain Attack
Aggressive system monitoring, which includes identifying system threats and other vulnerabilities, is the best way to detect a supply chain attack. All supply chain attack types can be caught and taken care of if the threat is detected.
Remember that you should implement these steps to check for an attack at regular intervals whether you suspect an attack or not. Since attackers can hide supply chain attacks so effectively, it is essential to keep checking the system for liabilities.
Update Your Inventory With All Assets
Map out all the traffic pathways within the system. Understand the regular patterns of work, where each update ends up, how effective your firewall is, and what assets your organization currently holds and protects.
Once you have a properly optimized inventory, it will be easier to spot the suspicious activity that forms the basis of a supply chain attack.
Utilize Threat Actor Profiles for All Assets
A threat actor profile describes the kind of threat each vital asset within your system is likely to be affected by. The types of threats can include insider threats, ransomware, script kiddies, nation-states, and activists.
While insider threats and ransomware can be threats to most profitable organizations, nation-states and activism-related supply chain attacks are very specific to certain organizations. It is vital to recognize which attack can occur on each asset and emulate those conditions to mitigate any risks.
Assign a Risk Score
The developers should all come together and determine a risk score for the system and its assets. The score will be determined by what the organization is doing to protect the asset, its vulnerability, and its likely threat. The score will then tell how vulnerable the assets in the system are.
The risk score is also not absolute. The score will go up or down depending on what has been done to protect the asset or if there is a looming threat to the asset at present.
Software updates within the system need to undergo a testing phase, in which the organization can determine how effective the update is and whether it poses any threats to the system or the supply chain, before they are rolled out.
Check for Malware
Use the relevant tools to determine if any part of the system has been compromised through malware. Identifying hidden malware is the most critical phase, as it will help determine if there is a threat of an attack within the system.
While these methods may seem too rigorous to some, it is essential to remember that attackers are constantly finding newer ways to get past traditional security. Only when security personnel are more rigorous and thorough in their jobs will they be able to prevent such attacks on the system.
How to Respond to A Supply Chain Attack
If an organization detects a supply chain attack on its system, it should deploy its incident-response strategies. The quicker the organization can detect the attack, the faster it can get rid of it.
It is important to remember that supply chain attacks usually occur over time. Hence, companies have a large margin to stop the attack or prevent it from getting worse than it is.
If financial losses have occurred or the attack has reached the organization's customer base, it is essential to pay attention to those. Try to get the authorities involved and recover as much as you can financially. Offer breached customers compensation for their trouble and allow them to replace their devices or software for free.
However, if you have not faced any significant repercussions from the attack, it is crucial to stop it and figure out the chinks in your security infrastructure. Then, determine the scenarios that might have caused the security breach or the possible repercussions that could have occurred and then put forth appropriate security measures.
While security breaches can occur even in organizations with tight security, the occurrence of an attack usually signifies that there are problems within the security architecture of the system.
A supply chain attack can be one of the most devastating occurrences for a highly reputable organization. It can cause heavy financial losses and even loss of trusted customers. The main problem with all supply chain attacks is how difficult they are to detect and how much vigilance they need. However, with proper security measures in place, it is likely possible to mitigate these attacks more effectively.