What Is a Supply Chain Attack?
A supply chain attack is when an organisation, or multiple organisations, is attacked through a third-party vendor.
A third-party vendor, such as software that handles payroll or business-specific equipment, is hacked and then the hackers use that application as a tunnel into all the organisations that the software serves. These kinds of attacks are dangerous and lucrative because they can hit multiple organizations through a single attack.
Supply chains have become more frequent in recent years as organisations digitise, work becomes remote, and manufacturing and other industries utilise the internet of things (IoT) for global business. The supply chain was involved in 61% of incidents in 2021, and the average organisation has dozens if not hundreds of connections to vendors.
While financial gain continues to be the biggest motivator for threat actors, nation-state actors have conducted supply chain attacks to wreak havoc against another country or state.
How Does a Supply Chain Attack Work?
A supply chain attack has two parts. The first part is where a bad actor gains access to an organisation that serves as a third-party vendor to other organisations. Once a hacker has access, they will deploy an attack on the connected organisations. This can come through a variety of ways — past attacks include using phishing techniques, software updates that contain malicious code, and credential theft.
This allows a hacker to attack multiple organisations at once, causing widespread damage with just one piece of malware or ransomware. Supply chain attacks are possible not only because organisations are connected to vendors, but because they often lack visibility into those vendors, grant them too much access, and allow frequent communication.
Commonly, supply chain attacks will occur where one organisation is hacked, that organisation is connected to MSPs, and the hackers will use those MSPs as a bridge to deploy attacks on other organisations.
Why Are Supply Chain Attacks Increasing?
As mentioned above, supply chain attacks are a newer, and more frequent, attack vector for cybercriminals. According to the Ponemon Institute, 49% of organisations experienced a third-party attack in 2022, up from 44% in 2021.
There are a few reasons for this.
- Organisations are more interconnected than ever. No longer is a manufacturing plant on-premises only, operating within the walls of a warehouse. More and more aspects are digitised and online, and manufacturing (for example) is now global, not local.
- Organisations lack visibility into their third-party vendors. It’s no secret that the internal IT team are overwhelmed and there’s a staffing shortage. That plays into the lack of visibility, and subsequent control organisations have with third-party vendors. They aren’t sure who has access, what they have access to, and how they are using that access. 50% of organisations don’t monitor access, even for sensitive and confidential data, and only 36% of respondents document the level of access for both internal and external users, according to the Ponemon Institute.
- Cloud-based applications are increasing. Organisations are relying more on the cloud, with 99% of organisations having at least one cloud-based application, but cloud security is struggling to keep pace with adoption. Add to that a lack of cloud security skills in organisations, and it opens businesses up to major third-party risks.
- Organisations are putting too much trust in their vendors. 60% of organisations rely on the third party’s business reputation alone. That is too many not implementing the right access and security management to protect the worst-case scenario from happening. In addition, this trust works in hackers’ favor because a user is much more likely to open a phishing email if it comes from a “trusted” vendor or install a software update without questions.
Examples of Supply Chain Attacks
SolarWinds are not only a popular vendor for organisations to manage their IT systems, they were at the center of a major supply chain attack at the end of 2020. It’s believed the attack was perpetrated by Russian actors.
The attack started when hackers injected malware into the company’s software system, which is utilised by thousands of clients, including the Department of Homeland Security and the Treasury Department. The hackers then sent out a false “software update notification” to customers. If the customers updated their software, the code was automatically added to their applications — creating a backdoor to customer’s IT systems.
The hackers were then able to insert more malware and spyware. Thankfully, not many customers updated their software before the breach was uncovered, preventing what would’ve been a massive malware attack.
Kaseya, a provider of IT and security management solutions for managed service providers (MSPs) and small to medium-sized businesses, was the subject of a ransomware-focused supply chain attack back in 2021 that affected over 40 customers. Through a vulnerability in the Kaseya Virtual System Administrator (VSA) toolset, Russian hacker group REvil, was able to access the network infrastructure of customers (many outsource their management to Kaseya) and insert ransomware. The total requested? $70 million.
How to Prevent a Supply Chain Attack
There are two paths an organisation can take when building defenses against a supply-chain attack. One path is to focus on the vendor, and the other is to focus internally.
- Require suppliers to maintain certain cybersecurity standards through your service agreements.
- Validate the suppliers’ security posture through audits, metrics, and other tools.
- Employ identity and access management solutions to limit vendors access to internal systems.
- Implement policies that require scanning and monitoring your vendors’ devices once they’re connected to your network.
- Use a threat detection and response solution to monitor your environment for anomalies.
How Arctic Wolf Helps Protect Against Supply-Chain Attacks
Arctic Wolf takes a holistic approach to security, which helps organisations manage potential vendor vulnerabilities while also monitoring and detecting any threats that may arise from vendors or vendor connection points.
Managed Detection and Response (MDR): Stopping a threat before it becomes a full-blown breach is critical to security for organisations. As supply-chain breaches increase, being able to detect them at the first sign of trouble (as well as monitor vendor activity within the network) can be the difference between a close call and a ransomware attack. MDR offers 24×7 monitoring, threat hunting, and the Concierge Security Team (CST) to make sure your organisation is fully protected and ready to fight off any threats.
Managed Risk: A connection to a vendor can be a vulnerability and can introduce risk to the environment. Managed Risk works with organisations to address vulnerabilities and make sure every aspect of the security environment is safe and the security journey is moving forward. If a vendor is breached, implementing action items and strategies from the CST and Managed Risk will put the organisation in the best position to stop a breach.
Managed Security Awareness: Once a cybercriminal gains access to a vendor, social engineering becomes a major attack vector for connected organisations. By implementing regular, engaging cybersecurity training for users, organisations can ensure that their employees are prepared as the first lines of defense. It only takes one opened phishing email to disrupt an entire organisation.