Supply Chain Attacks: Everything You Need To Know

Lukas Grigas
Cybersecurity Content Writer

The weak link in your corporate security might depend on your partners and suppliers more than you would like. We’re talking about supply chain attacks, which focus on suppliers and partners to affect a specific organization in the supply chain.

Often overlooked and hard to detect, supply chain attacks can be disastrous, putting many companies out of business at the same time.

Last year, supply chain attacks grew in frequency by a whopping 300%, according to a recent Aquasec report. The European Union Agency of Cybersecurity (ENISA) notes that 66% of emerging supply chain attacks focus on a software supplier’s code to compromise its customers. The numbers are alarming, and it’s about time organizations started looking at the security of their entire supply chain.

Let us tell you more about such attacks and provide you with a few professional tips to mitigate these deceitful risks and improve your supply chain security.

What is a supply chain attack?

A supply chain attack is also known as a third-party or a value-chain attack. Supply chain attackers focus on infiltrating your network systems through a third-party partner or supplier that has access to your network.

The worst thing about supply chain attacks is that you don’t have any idea where such an attack could come from. Cybercriminals are looking for any vulnerability in cybersecurity that would help them get into your systems and applications.

Now consider that most of today’s businesses rely on third-party software and a variety of partners to carry out daily operations. That’s why there’s so much talk about these types of attacks.

Because of their deceptive and unpredictable nature, supply chain attacks can render traditional corporate security efforts useless.

Think of it this way. Your company may be the creme-de-la-creme example of cybersecurity practices. You may take network security seriously, your passwords may be complex, unique, and stored in an encrypted vault, and your employees may attend regular security training sessions. But all of that goes down the drain if your partners have a lax attitude towards security.

How do supply chain attacks work?

The whole idea behind supply chain attacks is to take advantage of the relationships and the mutual trust between partner organizations. Most companies these days rely on their partners for everyday operations. Just think about all the different apps that modern businesses use.

Let’s get a bit more technical. For a supply chain attack to succeed, the attackers have to discover a weak link in the so-called supply chain. These might be the organization’s partners or trusted vendors.

The next step is exploiting the poor security measures of a vendor or a partnering organization. Once the attackers find a way to compromise the network or its components — it's go-time.

At this point, bad actors can get creative. They might inject a piece of malicious software into the compromised vendor’s networks and systems to have backdoor access. They could manipulate the code to grant themselves certain permissions and later use them for further attacks focused on the vendor’s customers.

Real-life examples of supply chain attacks

MIMECAST

Back in 2021, Mimecast, a company responsible for cloud-based email management for Microsoft Exchange and Microsoft Office 365, experienced a severe security breach. Hackers were able to gain access to a security certificate used to authenticate Mimecast's services on Microsoft 365 Exchange Web Services. This affected about 10% of Mimecast's customers who used apps that relied on the compromised certificate.

ASUS

In 2018, a group of cybercriminals used an automatic update to attack ASUS and introduce malware into its users' systems. According to the researchers from Symantec, the supply chain attack ran from June to October and affected up to 500,000 systems.

SOLARWINDS

In 2020, SolarWinds, a provider of software used for network, system, and information technology management, suffered a supply chain attack that was considered the most extensive to date. The attack was initiated through a backdoor known as SUNBURST, which was inserted into the Orion IT management app's update tool. Based on SolarWinds' SEC filings, about 18,000 customers involuntarily downloaded the backdoor.

Types of supply chain attacks

Supply chain attacks come in different forms, yet all are designed to exploit security vulnerabilities in solutions that organizations trust and use.

Software supply chain attack

A software supply chain attack focuses on compromising an application or other type of software at its base level — the source code. It then injects malware across the entire supply chain.

Hardware supply chain attack

A hardware supply chain attack relies on compromising actual physical devices such as USB drives, phones, tablets, and even keyboards. This type of supply chain attack intends to infect a gadget at an early stage of its development and then use it as a gateway into wider network systems.

Firmware supply chain attack

Digital hardware is essentially controlled by firmware, which ensures its smooth operation. A firmware supply chain attack takes advantage of that by injecting malware into the boot code, which makes this type of attack quite hard to detect. If the malware infection is successful, it starts doing its dirty job as soon as the computer boots up.

Recent supply chain attacks

Here is a short overview of some of the largest supply chain attacks in recent years.

SolarWinds

Back in 2020, a team of hackers was able to access the SolarWinds’ systems and inject a backdoor called SUNBURST into their Orion IT update tool. The attack affected more than 18,000 SolarWinds customers.

ASUS Live Utility

This supply chain attack targeted the ASUS Live Utility, a piece of software that comes pre-installed on ASUS devices. This software facilitates automatic updates for the computer’s drivers, BIOS, UEFI, and other components. The attackers were successful, affecting more than 57,000 users.

Codecov

During the Codecov supply chain attack, hackers modified the company’s Bash uploader script. The company was using this script to send internal code coverage reports. The modification helped the attackers collect sensitive data such as source code from Codecov’s clientele.
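
The Codecov case is a vendor script that changed without its consumers noticing. As an added example (not code from Codecov or from this article), the sketch below refuses to run a third-party script unless its SHA-256 digest matches the value recorded when the script was last reviewed. The function names, file name and script contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: run a vendor-supplied script only if it matches a pinned digest.

# Print the SHA-256 hex digest of a file (GNU coreutils, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED: 0 = match, 1 = digest mismatch, 2 = cannot check.
verify_pinned() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $file (pinned $expected, got $actual)" >&2
        return 1
    fi
}

# run_vendor_script FILE EXPECTED [ARGS...]: execute only after verification.
run_vendor_script() {
    local file="$1" expected="$2"
    shift 2
    verify_pinned "$file" "$expected" || return $?
    sh "$file" "$@"
}

# Constructed demo: a reviewed script, then the same file after an unreviewed edit.
demo() {
    local dir script pin
    dir=$(mktemp -d) || return 2
    script="$dir/uploader.sh"
    printf '#!/bin/sh\necho "uploading coverage report"\n' > "$script"
    pin=$(sha256_of "$script")            # digest recorded when the script was reviewed
    if run_vendor_script "$script" "$pin"; then echo "reviewed copy: ran"; fi
    echo 'echo "line added after review"' >> "$script"
    if ! run_vendor_script "$script" "$pin"; then echo "modified copy: blocked"; fi
    rm -rf "$dir"
}
demo
```

In a build pipeline the pinned digest would live in version control next to the job definition, so that changing it requires a reviewed commit.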

How to protect your business from a supply chain attack

To mitigate the risks of supply chain attacks, businesses can leverage a variety of techniques and tools. The idea is to improve their general cybersecurity stance and ensure the security of endpoints against system penetration. Here are some practices that apply to most organizations looking to up their security game and become proficient at supply chain risk management.

Deploy automated threat monitoring

As cybercriminals are relying more on AI and automation, businesses need advanced tools to level the playing field. Automated threat monitoring solutions offer just that – a smart way to handle threats by harnessing the power of machine learning and AI.

Develop contingency plans for third-party providers

There’s a saying: “Failing to plan is planning to fail.” Developing a contingency plan can save you time and money in case any of your third-party suppliers suffer from attacks that could affect your organization. With a well-laid-out contingency plan, you will be ready to respond immediately.

Use a business password manager

A corporate password management solution eases the pains of keeping track of all your corporate passwords. It also facilitates efficiency among your employees, thanks to features such as autosave and autofill.

With a password manager like NordPass Business, you can also control user access privileges and monitor the company’s password strength from a single place — the Admin Panel. Moreover, business password managers tend to improve their users’ password habits, which is a big plus for any organization.

Implement access controls for third-party vendors

Being in control of who gets to access your systems is one of the best ways to mitigate supply chain attacks. Audit vendors with such access and make sure that the granted privileges are in line with your company’s overall security approach.

Ensure that vendors provide a full description of their cybersecurity measures

Having an in-depth understanding of your partner’s security measures can greatly help you improve your company’s overall security infrastructure. When partnering up or implementing new software for company-wide use, learn about the other party’s security practices.

Create security policies and organize regular cybersecurity training for your employees

Having a team that is well aware of the potential threats greatly reduces the risks of suffering a supply chain attack. Give your employees an in-depth training session, where you introduce the focal principles of the company’s security approach. Consider making the sessions regular for your team to stay on top of their game.

Bottom line

Mitigating supply chain attacks can be a challenge due to their unpredictability and deceptive nature. However, any organization looking to succeed in the digital economy should focus on corporate security. Start by knowing your systems end-to-end. Then cap that off with a comprehensive understanding of who you are partnering with and what security risks you may take on.
