Supply chain cyberattacks are on the rise, and the increasingly connected global economy is making it easier than ever for malicious actors to carry out these attacks, which exploit the trust businesses and their partners have for one another.
According to cybersecurity firm CrowdStrike’s 2021 Global Security Attitude Survey, 45% of respondents suffered a supply chain attack within the last 12 months. This was up from 32% of respondents in 2018, suggesting that this type of sophisticated cyberattack is dramatically increasing in popularity amongst hackers.
Similarly, Sonatype’s 2021 State of the Software Supply Chain report found that software supply chain attacks had a 650% year-over-year increase from 2020 to 2021. This followed a 430% increase from 2019 to 2020. These increases highlight the fact that supply chain attacks are very likely to remain an ongoing threat to businesses of all sizes in all industries for the foreseeable future.
In light of this data, it’s critical that businesses understand how supply chain attacks occur and implement cybersecurity defenses and incident response plans that account for these sorts of attack vectors.
A supply chain attack is a specific type of cyberattack that impacts both a third-party vendor and a customer. These attacks have historically targeted organizations in trusted partnerships, such as when cybercriminals targeted Target’s HVAC contractor as the first step in the 2013 Target breach. After attackers circumvented the HVAC contractor’s poor security, they were able to gain access to Target’s systems on a shared network.
Today, though, the supply chain threat comes in the form of attacks against the software supply chain, which includes all the cloud-based software and services a business relies on for its operations. In attacks such as these, attackers manage to insert malicious code into one of the many third-party components developers frequently use in their applications, such as APIs or open source code. This could then lead to the application becoming unintentionally malicious or having a back door, which would allow attackers to target anyone who installs the compromised app.
The term “supply chain attack” refers to the method of attack rather than the attack’s overall impact. It features at least two attacks – one on a vendor and the other on a client.
The proliferation of services, vendors and third parties has done wonders for company efficiency and budgets. The growth of software-as-a-service (SaaS) offerings and the widespread adoption of cloud hosting have allowed employees to work efficiently from anywhere, while the growth of worldwide supply chains has allowed businesses to source materials and support functions at competitive prices from a global supply. Companies can even outsource their IT and security management to managed service providers (MSPs) to save overhead costs and cut headcount.
While these third-party services save companies time and money, they can lead to cybersecurity risks. Cybercriminals looking to maximize the scope of their attacks have increasingly targeted third-party vendors with the hopes of using them as a stepping stone to target thousands of downstream clients in supply chain attacks, according to NTT Security Holdings’ 2022 Global Threat Intelligence Report. These types of supply chain attacks are likely to grow in popularity, according to the report, as cybercriminals copy and learn from each other.
A successful supply chain attack can have numerous repercussions for both the vendor and any targeted customers. However, the ultimate damage of a supply chain attack depends upon the goal of the attacker. In the case of the 2013 Target breach, attackers used the HVAC company as a stepping-stone to breach Target and steal the financial and personal information of upwards of 100 million Target customers.
While the Target attack was a pure case of data theft impacting a single end company, attackers can also use supply chain attacks for other purposes, such as distributing ransomware. In July 2021, attackers compromised servers belonging to Kaseya, a supplier of software services and tools to MSPs. By compromising Kaseya, the attackers were then able to compromise the MSPs, ultimately using the MSPs to deliver ransomware to the end clients. Altogether, this attack compromised an estimated 1,500 MSP clients.
Both of the above attacks are examples of attackers taking advantage of a trusted relationship between a vendor and a client. According to CrowdStrike, though, the larger threat to businesses comes in the form of software supply chain attacks. These attacks are particularly concerning, as the average software project has 203 dependencies on outside code. This means that if one popular application or vendor uses one malicious software dependency, it could lead to that application being compromised. This, in turn, could make every business relying on that application or vendor vulnerable to a data breach.
As popular third-party software packages may be used in a wide range of applications, a successful compromise of a package could result in attackers being able to compromise a large swath of businesses through their software tools.
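As an added illustration of the point above (example code written for this page, not code from the article or from CrowdStrike), the following Python script builds a small constructed dependency graph, walks every package a project pulls in directly or transitively, and checks each one against the hash recorded when it was first reviewed and pinned. A package republished with different contents deep in the tree, the single compromised dependency described above, is reported before anything is installed. Package names, versions and contents are made up for the demonstration.

```python
import hashlib

# Constructed sample data (not from the article). REGISTRY stands in for what a
# package index currently serves; DEPENDS_ON lists each package's declared
# dependencies; the lockfile records the SHA-256 of each artifact as it was
# when the project first reviewed and pinned it.
REGISTRY = {
    "webapp@1.0.0": b"application code",
    "http-client@2.3.1": b"http client",
    "json-util@0.9.0": b"json helpers",
    "tls-lib@1.1.0": b"tls wrapper",
    "crypto-core@4.0.2": b"crypto primitives",
    "util-logger@1.0.0": b"tiny logger",
}
DEPENDS_ON = {
    "webapp@1.0.0": ["http-client@2.3.1", "json-util@0.9.0"],
    "http-client@2.3.1": ["tls-lib@1.1.0", "json-util@0.9.0"],
    "tls-lib@1.1.0": ["crypto-core@4.0.2"],
    "crypto-core@4.0.2": ["util-logger@1.0.0"],
    "json-util@0.9.0": [],
    "util-logger@1.0.0": [],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def transitive_deps(root: str, graph: dict) -> set:
    """Every package the root pulls in, directly or through other packages."""
    seen, stack = set(), list(graph.get(root, []))
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(graph.get(pkg, []))
    return seen

def make_lockfile(root: str, graph: dict, registry: dict) -> dict:
    """Pin the hash of every transitive dependency at review time."""
    return {pkg: sha256_hex(registry[pkg]) for pkg in transitive_deps(root, graph)}

def verify_lockfile(root: str, graph: dict, registry: dict, lockfile: dict) -> list:
    """List packages that are unpinned or whose artifact changed since pinning."""
    findings = []
    for pkg in sorted(transitive_deps(root, graph)):
        if pkg not in lockfile:
            findings.append(f"{pkg}: not pinned in lockfile")
        elif sha256_hex(registry[pkg]) != lockfile[pkg]:
            findings.append(f"{pkg}: artifact hash changed since it was pinned")
    return findings
```

Running `verify_lockfile` against a registry in which `util-logger@1.0.0` has been republished with different bytes returns a single finding for that package, even though it is four levels below the application in the dependency tree; a dependency missing from the lockfile is reported as unpinned.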
Software supply chain attacks are likely to become a greater concern in the coming years. According to CrowdStrike’s 2021 Global Security Attitude Survey, 84% of surveyed respondents believed that these types of supply chain attacks could become one of the most serious cyber threats to businesses within three years. This risk is further compounded, as 59% of the businesses surveyed that suffered a supply chain attack did not have a response strategy in place at the time of the attack.
While supply chain attacks are concerning, it is important for businesses to remember that the ultimate impact of a supply chain attack is the same as if cybercriminals targeted a business directly. The difference is the manner in which cybercriminals target a business in the first place.
While businesses cannot directly control the security of their vendors, there are a number of steps they can take to help avoid falling victim to a supply chain attack. We’ve put together the following primer to explain exactly what supply chain attacks are and how businesses can defend against them.
Supply chain attacks can be difficult to prevent as well as to detect, as they exploit the trust businesses place in their suppliers. Fortunately, there are still steps that businesses can take to either prevent a supply chain attack or mitigate the impact of one.
Supply chain attacks are likely to be an increasingly common fact of life for businesses in the future. NTT Security Holdings predicts that the success of high-profile supply chain attacks over the past two years, including the SolarWinds attack that impacted an estimated 18,000 clients, will likely inspire other copycat incidents. The threat of software supply chain attacks will also continue to grow. The best way to protect yourself against the growing threat of supply chain attacks is to prepare today by devising cybersecurity procedures and establishing incident response plans that enable you to act quickly if a supply chain attack were to impact your business.