Industries of all kinds use supply chain management software to automate their business processes. A supply chain attack is an incident in which one or more people with malicious intent insert themselves into the flow of production, distribution, and/or system management. Supply chain attacks usually target manufacturers that create software or services for other companies, which in turn use those products while serving their end customers. This type of attack can occur anywhere along the line: from manufacturing to packaging and finally shipping to retailers. Often they are executed by hackers posing as suppliers providing legitimate services such as software updates or new equipment.
The goal is simple: compromise your business operations by delivering malware through these "legitimate" channels. Cybercriminals take advantage of the weak elements in the supply chain software to attack the entire system. This kind of crime has become prominent in cyberspace recently, and the risks attached are on the rise too.
What is a supply chain attack?
An attacker can exploit vulnerabilities in a third-party supplier, such as a software vendor, hardware supplier or service provider, to attack a supply chain. This vulnerability acts as an entry point into the entire supply chain. Attackers then stealthily exploit this vulnerability to access sensitive information or carry out their objectives. This type of attack is called a supply chain attack.
The supply chain attack is sometimes regarded as a third-party attack. Third-parties like vendors, service providers, and suppliers all have access to sensitive information when connected to the upstream system. However, when the third-party security defence is compromised, cybercriminals find it easy to launch an attack on the whole system.
What is the purpose of a supply chain attack?
The purpose of a supply chain attack is to identify vulnerabilities that can be exploited to inject malicious code into legitimate apps to distribute malware.
The attack can take the form of various types of malware injected into the client network through a compromised software update, which makes it easy to carry out compromises at scale. As a result, sensitive data is exfiltrated without the knowledge of the host. This makes it an indirect attack on the organisation.
Why are supply chain attacks trending these days?
Statistics show that supply chain attacks are growing at an alarming rate. Symantec's 2019 report indicated that supply chain attacks increased by 78% in the year 2018. The latest examples include SolarWinds. These attacks have also been said to surge in 2021 due to an increase in threat actors.
Supply chain attacks are now among the most common attacks. The major motive behind them is financial gain. The reason for the growth in this attack is the availability of open-source and insecure interfaces.
Nonetheless, there are three major reasons supply chain attacks are on the rise. These are:
- Increase in the rate of cyber crimes
The digitalised system has given birth to all manner of crimes in the world. The rate at which we employ technology to carry out tasks is the same rate cyber crimes and perpetrators are growing.
- Software vulnerabilities
Another major reason for an increase in supply chain attacks is the vulnerability of the used software. Software development at all levels of a software supply chain system should employ strict cybersecurity. Any compromise, security breach or open-source network can lead to an attack on the supply chain.
- Low cost of attack
The supply chain attack is a subtle attack that costs an attacker little or no effort. The attacker only needs to leverage a vulnerability in any one of the third parties in the supply chain.
Types of supply chain attacks
Supply chain attacks can be classified into different types depending on the channel used. They are discussed as follows:
Compromised infrastructure or website suppliers
This type of supply chain attack involves compromising a major upstream infrastructure. Such infrastructure can be any device or a service provider, or creative and digital agencies. This type of attack sometimes proves difficult to stop or detect. This is because it is carried out remotely over the internet. Given the multiple customers managed by such providers, the number of networks and the underlying sensitive data gained is the prize for attackers.
For example, a security hole caused by a misconfiguration can help an attacker infiltrate the organisation's network and attack. Likewise, undocumented features in the supply chain can be abused, as they make it easy to bypass security controls.
Third party data stores
In recent years, cyberattacks on companies have gotten more and more common. Cybercriminals are targeting third-party brokers of various data services that store multiple clients’ information simultaneously.
Firms that have been recently involved in or are looking to be involved in a high profile merger or acquisition shortly should take special caution when they are operating on the internet.
Hardware supply chain attack
This type of supply chain attack is carried out through a hardware component or device that is not part of the initial design. The attacker inserts this hardware component into the design before it reaches the end-user. Sometimes, it can be done after the completion of the manufacturing process, depending on the expertise of the malware agent.
Hardware supply chain attacks intend to infect the device at the early stage of the system setup. The insertion might be in the keyboard or any of the hard disks used. On the other hand, the hardware form of attack can be the implantation of a device capable of spying on the internal system and reporting it to the attacker.
Software supply chain attacks / Third-party software provider
Third-party software is any software used to complement the existing software of an organisation. The software might be used as an add-on to enhance the performance of the main software. The third-party software can be a payment gateway, a software developer, or an API provider in a business organisation. When security command and control of any of these are compromised, it might lead to data breaches and give an attacker access to sensitive data.
A major example of this type of software supply chain attack is the SolarWinds attack of 2020. The dynamic library file of the organisation was compromised. The hacker was able to gain access to the client base through a disguised, digitally signed asset of the company's software. Unfortunately, the unaware vendor distributed the malware to all client networks. When the attack was detected, SolarWinds declared that many of its clients were affected.
Microsoft breakdown of SolarWinds attack infection (image source: Microsoft)
The threat actors kept a low profile so that outgoing traffic would not raise suspicion, and used DGAs (Domain Generation Algorithms) to resolve subdomains of the C2 domain avsvmcloud.com. The domain structure consisted of static and variable parts, as shown in Microsoft's analysis diagram.
This example shows the lengths cybercriminals go to in order to make their attack traffic look like legitimate network traffic. This is a major problem with software supply chain attacks, because the attack can remain undetected until operation time. For instance, the SolarWinds attack was not detected until many clients had fallen victim to it. It was said that the attack was not remote, as the malware remained dormant for more than two weeks before initiating the attack.
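A defender's view of the static-plus-variable subdomain pattern described above, as an added example that is not from the original article or from Microsoft's analysis: it groups resolver log queries by their static parent domain and counts distinct random-looking leftmost labels per client. The log format, the sample lines, the `static-part` label and the thresholds are constructed assumptions; only avsvmcloud.com comes from the article.

```python
import math
from collections import Counter, defaultdict

WATCHLIST = {"avsvmcloud.com"}  # C2 apex domain named in the article

# Constructed resolver log ("timestamp client query"); every label is made up.
SAMPLE_LOG = """\
2020-12-01T10:00:01Z 10.0.0.5 www.example.org
2020-12-01T10:00:07Z 10.0.0.9 q7r2m0x9vz4k8t1pwy6b.static-part.avsvmcloud.com
2020-12-01T10:03:12Z 10.0.0.9 h3n8c5d0j2l7s4f9a1ge.static-part.avsvmcloud.com
2020-12-01T10:05:40Z 10.0.0.5 k2x9q7vz1m4r8t0pwy6b.cdn.example.net
2020-12-01T10:06:10Z 10.0.0.7 w4e8u1o6a3s9d2f7g5hj.sync.example.test
2020-12-01T10:07:33Z 10.0.0.7 z0x5c9v3b7n1m8l2k6jq.sync.example.test
2020-12-01T10:09:02Z 10.0.0.7 mail.example.net
"""

def entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(label, min_len=16, min_entropy=3.5):
    # Assumed thresholds; tune them against your own resolver baseline.
    return len(label) >= min_len and entropy(label) >= min_entropy

def find_suspects(log_text, min_distinct=2):
    """Return {(client, static_parent): {"labels": n, "watchlisted": bool}}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, qname = fields
        labels = qname.lower().rstrip(".").split(".")
        # Naive apex = last two labels; use the Public Suffix List in production.
        listed = ".".join(labels[-2:]) in WATCHLIST
        variable, parent = labels[0], ".".join(labels[1:])
        # Any watchlisted query is recorded; elsewhere only generated-looking labels.
        if listed or (len(labels) >= 3 and looks_generated(variable)):
            seen[(client, parent, listed)].add(variable)
    # One random label under a parent is common (CDN hashes); several are not.
    return {(c, p): {"labels": len(v), "watchlisted": w}
            for (c, p, w), v in seen.items() if w or len(v) >= min_distinct}

if __name__ == "__main__":
    for key, info in sorted(find_suspects(SAMPLE_LOG).items()):
        print(key, info)
```

The second finding shows why the per-parent count matters: it surfaces the same static-plus-variable shape under a domain that is not on any watchlist yet.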
Watering hole attack
A watering hole attack is carried out from a legitimate website used for any of the processes in the supply chain. Alongside third-party attacks, it is the most common supply chain attack. The attacker, in this case, targets a major website that clients or other targeted victims in the chain regularly visit. When there is a security compromise on such a website, the attacker leverages this to release malware or get access to sensitive data through the open-source.
On the other hand, hackers can infiltrate the company that manages the website to gain access to the website and attack targeted audiences. It is similar to phishing, as the victim might be unaware of the attack until the deed is done. The infection process might start from downloading malware or infecting the victim's network.
What is an example of a supply chain attack?
SolarWinds, 2020 – The most talked-about attack, carried out through a backdoor injected into the Orion IT management application's update tool. Around 18,000 customers had downloaded this update, including US government departments such as The Department of Energy, The National Nuclear Security Administration, The US Department of State, The US Department of Commerce, The US Department of Treasury and The Department of Homeland Security.
Recently, many organisations have fallen victim to the supply chain attack.
- Dependency confusion, 2021, where a researcher breached systems using a novel attack technique, leveraging dependency confusion.
- Mimecast, 2021 – Attackers compromised the Mimecast certificate used to authenticate its Microsoft 365 exchange web services.
- Other examples are Operation Cloud Hopper in the year 2017, ShadowHammer (Asus computers) in 2018, and Target in 2014, when attackers breached an HVAC third-party vendor using phishing as an attack vector.
How are supply chain attacks executed?
After the SolarWinds attack, Microsoft took it upon itself to enlighten its clients on how supply chain attacks work. The following are the stages of supply chain attack execution:
- Target hunting
The first stage of a supply chain attack is when the attacker identifies a vulnerability in the supply chain. The vulnerability might be a loophole in third-party software or a security compromise in either the software supply chain or the hardware infrastructure.
- Gaining foothold – Exploiting the software supply chain risk
After analysing and detecting security vulnerabilities or weaknesses, the attacker carefully selects the target to gain access remotely. This helps threat actors gain a foothold in the victim organisation that hosts the target software or service. Further steps include the preparation and insertion of malicious code into DLL components of legitimate software, or other ways of injecting malware. The software development process or an update might also be hijacked and replaced with malicious software on the network of a software vendor or service provider. Users unknowingly download such updates and then become vulnerable.
- Persistence with the help of backdoor/malware
After exploiting the initial targets to find a foothold within the organisation, attackers insert a backdoor to allow continued access, gather system information and act as a stepping stone for future work. As in the SolarWinds case, the malware may remain dormant for several days, as decided by the attacker. The reason for this might be an attempt to gather enough data for subsequent attacks.
Once the backdoor works and has been tested with successful connections to the C2 servers, it starts performing local work. These tasks include lateral movement, finding useful assets, credential attacks such as finding credentials and credential abuse (password-based attacks), and privilege escalation attacks for further infiltration. A few more intricate tricks in this process include defence evasion, with multiple checks to ensure the campaign stays stealthy, initial C2 (Command and Control) communication, and exfiltration of information to the attackers. This will be fully clear if you read about how the cyber kill chain works.
How to prevent supply chain attacks?
Even though the National Cyber Security Centre (NCSC) posits that few UK organisations have enough security standards to curtail supply chain attack risk, a few businesses still disregard the risk attached to this cyber attack. However, the prevalence of attacks, especially the SolarWinds attack, has made organisations sit up on the issue.
Despite the subtlety involved in this attack, it is still possible to prevent a supply chain attack. Under the NCSC guidance, the principles of supply chain security are divided into four stages.
- Understand the risks: what needs to be protected, who your suppliers are and their state of security, and what security risks your supply chain poses.
- Communicate your expectations of security across your ecosystem, and set minimum security requirements that are more than questionnaires.
- Raise security awareness and support your suppliers in security incidents, technical baselines, and building security into contractual processes.
- Build an assurance process to manage suppliers, outsourced parties and supply chain security at scale.
- Encourage ongoing improvements and maintenance of trust with suppliers.
Ongoing validation of your processes and controls is a must. Without it, you won't know your blind spots and where improvements are needed.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.