Supply chains are at the front of everyone’s minds right now. From fuel and food to toys at Christmas – the general public are starting to understand just how finely balanced the global supply chain truly is.
Events like microchip shortages in Taiwan and the Ever Given blocking the Suez Canal show how interconnected modern economies are, and how dependent our huge populations are on effective supply chains. They also show how vulnerable we are when weak points in these chains are exposed.
The same is true in cybersecurity. Organisations rarely exist as islands, and most will have dependencies on third party vendors. That means it’s not enough to only think about your own perimeter – you need to evaluate your whole security chain, and where weak links might be.
How do supply chain attacks work?
Supply chains have always been targets during times of war, and this age-old strategy is used by cybercriminals too. Both criminal gangs and nation-state actors target supply chains as a way to create disruption or profit (or both). Supply chains can be affected by cybercrime in two ways.
Firstly, there are attacks that aim to disrupt or lock up a critical link in the supply chain precisely because of its importance. The Colonial Pipeline ransomware attack, which caused fuel shortages along the East Coast of the U.S., is an example: the attackers knew that the pressure to restore normal service would push the company towards paying the ransom.
There are also attacks that use supply chains to spread. Phishing takes advantage of the often implicit trust between businesses and their suppliers. By compromising one supplier, via a single intrusion or phishing email, attackers can use that supplier's accounts and systems as a jumping-off point to spread malware or credential-harvesting links far and wide.
These tactics are not mutually exclusive and can be used in combination. In 2017, NotPetya was seeded through a poisoned update to M.E.Doc, an accounting package used widely in Ukraine, and initially hit Ukrainian businesses and infrastructure, but it quickly spread to other countries too. It ended up causing more than $10 billion in damage and disrupted the operations of global companies such as Maersk, FedEx (through its TNT Express subsidiary) and the pharmaceutical firm Merck.
High-profile supply chain attacks
The most famous supply chain attack to date was probably the SolarWinds compromise. Russian state-backed hackers compromised SolarWinds' build process and planted a backdoor (later named SUNBURST) into a signed update of Orion, its IT monitoring platform. Up to 18,000 Orion customers installed the trojanised update, and the attackers then moved on to a chosen subset of them, including NASA, the US State Department and the US Department of Defense.
As many as 250 organisations were affected by the SolarWinds attack, which took advantage of multiple supply chain layers. Bitsight, a security rating firm, estimates that the attack could cost cyber insurance firms up to $90m. The SolarWinds compromise is possibly the biggest supply chain attack to date, but it is certainly not unique. Many serious attacks have taken place in 2021 alone.
Kaseya was also recently hit by a supply chain attack that sought to spread ransomware through its network of customers. Attackers exploited a zero-day vulnerability in Kaseya's VSA remote-management software and used VSA's own update mechanism to push REvil ransomware to around 50 of Kaseya's direct customers. Many of those customers are managed service providers that run IT for other businesses, so in total up to 1,500 businesses were affected.
It’s a prime example of how the impacts of supply chain compromise can multiply quickly.
Where are your weak links?
A rise in supply chain attacks means we are all only as secure as the weakest link in our supply chain. These chains can be long: they include not just your vendors but your vendors' vendors, and so on.
Essentially, you might have a vastly bigger attack surface than you previously thought.
Cybercriminals are looking for that weak link in your defences, and it may well be one of your vendors. If an organisation's own defences are strong, attacking it indirectly through a less well-defended supplier makes sense. Supply chain attacks can also offer incredible ROI for attackers, as a single compromise can result in the compromise of multiple businesses.
It’s a worrying prospect. In the past, cybersecurity awareness focussed on being wary of unknown sources. But what if the threat is coming from compromised third-party software or hardware within your own network?
How organisations can stay safe
Supply chain attacks are not easy to eliminate; just look at the high-profile organisations caught out by the SolarWinds compromise. However, one vital part of the solution will be paying closer attention to which vendors you do and don't trust, and why.
Ken Thompson, one of the creators of the UNIX operating system, said in his 1984 Turing Award lecture, "Reflections on Trusting Trust": "You can't trust code that you did not totally create yourself." But is writing everything yourself really possible in the modern world? Perhaps not, but it is possible to carry out detailed and accurate assessments of vendors, including the actions they take to secure their own third parties.
Organisations can't afford to think only about their own security; they need to consider risks within their supply chains too. This is a double-edged sword for vendors. On one hand, it makes falling for an attack even more damaging, as businesses will be reluctant to work with those who appear vulnerable. But for those with strong cybersecurity, it can be used as a competitive advantage.
Some businesses have become too comfortable with cheap and fast software and need to start closely assessing vendors’ levels of security. The precedent is being set by the White House, with a new cybersecurity executive order issued earlier this month. It sets new minimum security standards for any company that wants to sell software to federal agencies.
There’s no quick technological fix to supply chain attacks, but you can at least secure yourself from a common entry point: email phishing.
Defending against email phishing
Many supply chain attacks start with phishing. Phishing exploits the human tendency to trust an email from a (seemingly) trusted source. Many people drop their guard when communicating with people they 'know', which is why third-party vendors are such good impersonation targets for phishing groups.
It's human nature to trust people we know, which is why a helping hand from technology is needed. Egress Defend takes a zero-trust approach to every email, using machine learning and natural language processing to detect signs of even the most sophisticated supply chain compromise phishing attacks.
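The three ways vendor impersonation shows up in mail, described in the paragraph above, can be checked mechanically at the gateway: a direct spoof of a vendor's domain (caught when DMARC fails), a look-alike domain that passes DMARC because the attacker owns it, and a genuine vendor address with a Reply-To pointing somewhere else. The script below is an added example written for this article, not Egress Defend code. The vendor allow-list, the `.example` domains and the four raw messages are all constructed for the demonstration.

```python
"""Flag inbound mail that impersonates a known vendor domain.

Added example for this article; not Egress or any vendor's code.
Assumes a hypothetical vendor allow-list and constructed sample mail.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list of supplier domains this organisation deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "contoso-it.example"}


def normalise(domain: str) -> str:
    """Collapse common look-alike tricks so 'acrne' compares equal to 'acme'."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("015", "ols"))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one typo away from a vendor name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_vendor(domain: str):
    """Return the vendor domain this one imitates, or None."""
    for vendor in KNOWN_VENDOR_DOMAINS:
        if normalise(domain) == normalise(vendor) or levenshtein(domain, vendor) <= 1:
            return vendor
    return None


def _domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def classify(raw: str) -> dict:
    """Apply the three vendor-impersonation checks to one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To", ""))) or from_domain
    # Authentication-Results is stamped by our own MX, so dmarc= is trustworthy here.
    auth = str(msg.get("Authentication-Results", ""))
    dmarc_pass = re.search(r"\bdmarc=pass\b", auth) is not None
    findings = []
    if from_domain in KNOWN_VENDOR_DOMAINS:
        if not dmarc_pass:
            findings.append("spoofed-vendor-domain")      # right domain, failed auth
    else:
        nearest = closest_vendor(from_domain)
        if nearest:
            findings.append(f"lookalike-of:{nearest}")     # attacker-owned twin domain
    if reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")  # replies diverted elsewhere
    if findings:
        verdict = "suspicious"
    else:
        verdict = "trusted-vendor" if from_domain in KNOWN_VENDOR_DOMAINS else "unknown-sender"
    return {"from_domain": from_domain, "dmarc_pass": dmarc_pass,
            "findings": findings, "verdict": verdict}


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    # 1. Genuine vendor: allow-listed domain and DMARC passed at our gateway.
    "From: Accounts <billing@acme-supplies.example>\n"
    "Authentication-Results: mx.victim.example; dmarc=pass header.from=acme-supplies.example\n"
    "Subject: Invoice 1042\n\nPlease find the invoice attached.\n",
    # 2. Look-alike: 'rn' for 'm'. DMARC passes because the attacker owns the twin domain.
    "From: Accounts <billing@acrne-supplies.example>\n"
    "Authentication-Results: mx.victim.example; dmarc=pass header.from=acrne-supplies.example\n"
    "Subject: Updated bank details\n\nPlease pay future invoices to the new account.\n",
    # 3. Direct spoof of the real vendor domain; the vendor's DMARC policy rejects it.
    "From: Support <support@contoso-it.example>\n"
    "Authentication-Results: mx.victim.example; dmarc=fail header.from=contoso-it.example\n"
    "Subject: Password reset required\n\nClick here to reset your password.\n",
    # 4. Genuine domain, DMARC passes, but replies are diverted to an attacker mailbox.
    "From: Support <support@contoso-it.example>\n"
    "Reply-To: helpdesk@mailbox-verify.example\n"
    "Authentication-Results: mx.victim.example; dmarc=pass header.from=contoso-it.example\n"
    "Subject: Verify your mailbox\n\nReply with your credentials to keep your account.\n",
]


def scan_all():
    return [classify(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for i, result in enumerate(scan_all(), 1):
        print(i, result["verdict"], result["findings"])
```

The ordering of the checks is the point: DMARC alone only catches message 3, the domain-proximity check is what catches the twin domain in message 2, and the Reply-To comparison flags message 4 even though every authentication check passes. A phish sent from a genuinely compromised vendor account, with the vendor's own domain, DMARC pass and no Reply-To trick, passes all three, which is exactly why the article pairs technical controls with assessment of how vendors secure themselves.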