The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In a supply chain attack, hackers aim to breach a target's defenses by exploiting vulnerabilities in third-party companies. These attacks typically follow one of two paths. The first involves targeting a service provider or contractor, often a smaller entity with less robust security. The second path targets software developers, embedding malicious code into their products. This code, masquerading as a legitimate update, may later infiltrate the IT systems of customers.
This article delves into specific instances of supply chain attacks, explores the inherent risks, examines common strategies employed by attackers, as well as effective defense mechanisms, and offers supply chain risk management tips.
Understanding the scope and danger of supply chain cyberattacks
In their assaults on supply chains, attackers are driven by various objectives, which can range from espionage and extortion to other malicious intents. These attacks are merely one of many strategies hackers use to infiltrate a victim's infrastructure.
What makes supply chain attacks particularly dangerous is their unpredictability and extensive reach. Companies can find themselves compromised by mere misfortune. A case in point is the 2020 incident involving SolarWinds, a network management software firm. The company fell victim to a hack that resulted in extensive breaches across various government agencies and private corporations. Over 18,000 SolarWinds customers unknowingly installed malicious updates, which led to an undetected, widespread malware infiltration.
Why do companies fall victim to supply chain attacks?
Several factors contribute to the susceptibility of companies to supply chain attacks:
- Inadequate security measures
A staggering 84% of businesses have high-risk vulnerabilities within their networks. For companies involved in software production and distribution, a supply chain attack represents a significant breach of security protocols.
- Reliance on unsafe components
Many firms utilize components from third-party vendors and open-source software (OSS), seeking to cut costs and expedite product development. However, this practice can backfire by introducing severe vulnerabilities into a company's infrastructure. OSS platforms and repositories frequently contain security loopholes. Cybersecurity professionals have identified over 10,000 GitHub repositories susceptible to RepoJacking, a form of supply chain attack exploiting dependency hijacking. Furthermore, the layered nature of OSS, often integrating third-party components, creates a chain of transitive dependencies and potential security threats.
- Overconfidence in partners
Not many companies conduct thorough security evaluations of their service providers, typically relying on superficial questionnaires or legal compliance checks. These measures fall short of providing an accurate picture of a partner's cybersecurity maturity. In most cases, real audits are an afterthought triggered by a security incident that has already taken place.
Additional risk factors precipitating supply chain attacks encompass insecure development processes, compromised product development and delivery tool chains, software deployment mishaps, and the risks inherent in utilizing various devices and equipment.
What techniques do hackers use?
The prevalent forms of supply chain attacks include:
Software attacks: Hackers target the vendor's software source code. They can covertly disrupt systems by embedding malicious components into a trusted application or hijacking the update server. These breaches are notoriously hard to identify since the perpetrators frequently use stolen, yet valid, certificates to sign the code.
Hardware attacks: Perpetrators target physical devices within the supply chain, like keyboards or webcams, often exploiting backdoors for unauthorized access.
Firmware attacks: Cybercriminals implant malicious software into a computer's startup code. These attacks are executed the moment the device is powered on, jeopardizing the whole system. Without specific protective measures, these quick, stealthy breaches will likely remain unnoticed.
Initiating a supply chain attack often involves using spyware to steal employee credentials and social engineering tactics, including phishing, typo-squatting, and fake apps. Additionally, hackers may employ SQL injection, exploit system misconfigurations, hunt for sensitive data using OSINT, launch brute-force attacks, or even engage in physical break-ins.
In attacks via open-source components, hackers may use the following tactics:
• Dependency mismatch - Hackers forge internal package names and publish malware to the open-source registry at an abnormally high version level. When an admin or build system accesses an artifact without specifying a specific version, the package manager defaults to loading the latest (infected) version.
• Malicious code injection - attackers gain access to popular libraries by compromising (or on behalf of) a developer. Companies implementing malicious OSS become victims of attacks and distributors of infected software.
• Typo-squatting - hackers release malicious components under misspelled versions of well-known library names. Developers often inundated with numerous daily routines and pressed for time, may unknowingly use these deceptive alternatives.
How to protect your company from supply chain attacks?
To fortify your defenses against supply chain attacks, consider the following strategies:
- Implement a comprehensive suite of best practices designed to safeguard every phase of your software's update and patch management.
- Deploy automated tools for ongoing network monitoring, identifying and responding to unusual activity promptly.
- Implement a Zero Trust model, assuming that any device or user could potentially be compromised. This approach requires robust identity verification for anyone trying to access resources in your network.
- Regularly assess the security protocols of your suppliers and partners. Do not rely on surface-level evaluations; use in-depth tools to thoroughly audit their security processes.
- Divide your network into segments so critical data and services are separated.
- In anticipation of potential cyberattacks that could result in data loss or encryption, establish a robust data backup system.
- Prepare for worst-case scenarios and create a detailed incident response plan to mitigate and recover from supply chain attacks.
- Use threat intelligence to understand potential attack vectors and identify any breaches in third-party systems. Collaborate with other businesses and industry groups for threat intelligence sharing.
- If you develop software, ensure secure coding practices are in place. Utilize Software Composition Analysis (SCA) tools to track and analyze the components you are using in your software for vulnerabilities.
Supply chain attacks stand as some of the most pressing and dangerous threats today. These incidents can trigger substantial disruptions in business operations, impede collaborations with vital partners, incur huge financial costs, damage reputation, and potentially lead to legal consequences due to non-compliance. It is impossible to completely protect against a supply chain attack, but adopting fundamental information security practices can help diminish risks and identify breaches early on. It is important to use a holistic approach to protection: combine different tools and methods, thus covering as many vulnerabilities as possible.