Disruptions in Supply Chain Have Many Causes

Since the pandemic turned the world upside down in 2020 and 2021, we’ve all become familiar with supply chain issues. It’s the catch-all term meant to explain and excuse all manner of merchandise shortages and substitutions. Growers can’t seem to get certain produce to market, and manufacturers are offering poor replacements for many key products we rely on. And depending on what particular service you are seeking, you may wait months to get it if you can find it at all.

But these aren’t the only supply chain issues we’ve been experiencing. Hackers and other cybercriminals have found new opportunities in supply chains and are leveraging those opportunities for fun and profit.

What is a Supply Chain Attack?

Investopedia defines supply chain as a network between a company and its suppliers to produce and distribute a specific product to the final buyer. The network includes different activities, people, entities, information, and resources.

By common definition, a supply chain attack occurs when a hacker or other bad actor exploits a member of your supply chain (i.e., a vendor or supplier) who has your authorization to access your network, systems, and data. After hacking into your supplier’s network, the hacker is then able to infiltrate your digital infrastructure and exfiltrate your data. And you are not the only victim—in a supply chain attack all customers downstream from the hacked supplier can be victims as well.

Unfortunately, as a result of extensive collaboration and outsourcing by businesses large and small, more and more suppliers have legitimate access to their clients’ networks, systems, and data. In this hyper-connected environment, cybersecurity all around is crucial. And yet, while you may trust your own company’s cybersecurity, what degree of confidence do you have in your various suppliers’ security programs? Do you know what their cybersecurity looks like? Have they implemented one of the universally accepted, comprehensive cybersecurity frameworks from NIST, PCI, or ISO, for example?

Hackers working for malicious nation-states have robust resources available to them, and the skills to exploit network vulnerabilities. Countless examples of cyberattacks originating in Russia and China continue to prove this point, as we’ll see shortly.

Typical Supply Chain Attacks

The common factor among recent supply chain attacks is technology—including hardware, firmware, and software. Tech firms who manufacture or develop these technology elements for sale to other companies serve as suppliers to those buyers. They are members of each buyer’s supply chain.

These technology firms are hot targets for supply chain attacks. That’s because malicious infiltration of one development or manufacturing company—the supplier—can have a disastrous ripple effect throughout the buyer ecosystem.

For example, let’s say that a software development company is hacked and malicious code implanted in one of its commercial software products. As end-user companies purchase or lease the software, install it, and begin to use it, that malicious code goes to work as directed. Every company who uses the tainted software is a potential victim of the hackers who implanted the malware for their own gain.

Software building tools, software upgrades, specialized code in hardware and firmware, even smart devices such as phones, USBs, and medical equipment can all be compromised in this manner. The more popular a device or software app is, and the greater the number of customers using it, the greater the damage that can be inflicted through a supply chain attack.

Real Examples of Supply Chain Attacks

In recent years, several notable supply chain attacks have made headlines in the U.S. and around the world.

• In 2017, a supply chain attack attributed to Russia-sponsored hackers used malware to compromise accounting software used generally in Europe. The attack resulted in some $10 billion in operational disruptions and other damages to Maersk, FedEx, Merck, and other multinational corporations.
• In 2018, an attack on ASUS, a supplier of notebooks, netbooks, motherboards, graphics cards and similar tech products, exploited an automatic software update to install malware. As the software was installed by customers downstream, hundreds of thousands of ASUS customers were affected globally.
• In 2020, a high-profile attack on SolarWinds affected as many as 250 customers globally. SolarWinds supplies software to manage business networks, systems, and IT infrastructures. State-sponsored Russian hackers injected malicious code into SolarWinds’ Orion software updates being shipped to SolarWinds customers. Among the customers affected was FireEye, who supplies cybersecurity hardware, software, and services to businesses. When FireEye suffered a network breach and software theft weeks later, it was traced back upstream to the attack on SolarWinds.
• Also in 2020, Russian hackers exploited a vulnerability in VMware Access and Identity Manager software to gain access to sensitive data. VMware is a supplier of cloud computing and virtualization software and services to businesses and government agencies around the world. The exploit allowed the hackers to digitally impersonate authorized users on VMware customers’ networks and to access their data.
• Mimecast supplies cloud-based email security, archiving, and continuity services for Microsoft Exchange and 365. In 2021, Mimecast confirmed that their network had been breached by the same hackers behind the SolarWinds attack. The breach enabled the hackers to compromise a Mimecast security certificate that authenticates its services on Microsoft 365 Exchange Web Services, used by approximately 10% of Mimecast customers.

And in an interesting experiment in 2021, a white-hat security researcher was able to hack into several marquee companies by exploiting the dependencies that many software apps use in delivering services to end-users. Test data packets were successfully transmitted to Microsoft and Apple, as well as Telsa and Uber. And, while no harm was done, the research proved that even global tech firms can suffer supply chain attacks. Imagine the chaos that might have occurred downstream, among Apple and Microsoft customers for example, if the data packets had carried malicious code.

Summary

These supply chain attacks demonstrate that any supplier is vulnerable to infiltration and compromise. Technology firms in particular are attractive targets because malicious infiltration into a single software development or computer manufacturing company can have a disastrous impact throughout their entire customer ecosystem.

On the plus side, supply chain attacks are relatively infrequent compared to ransomware attacks and phishing exploits, for example. On the downside, companies who buy or lease from technology vendors must trust those suppliers to maintain effective cybersecurity, since it is virtually impossible to confirm on their own. As these few examples prove, even buying or leasing from a marquee technology brand is no guarantee of supply chain security.

The best an organization can do in such an environment is to ensure that your own cybersecurity is comprehensive and current. A security risk assessment is a great way to start.