A supply-chain attack is a cyber-attack that leverages alternative vectors of intrusion, in particular entities or systems in the targets’ supply chain.
Instead of attempting to breach large companies and government agencies directly, advanced threat actors are increasingly shifting their focus towards contractors and system dependencies. These are ideal targets since their networks or product lines are often complex and involve many different actors and dependencies, increasing the probability of finding a weakness an attacker can exploit. These supply-chain elements can be a piece of software, hardware or a combination thereof.
Software, hardware and services that act as an interface between businesses and their customers - typically Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) offerings - or that provide cloud infrastructure - such as Amazon Web Services and Microsoft Azure - are especially powerful attack vectors, as they give attackers reach over a wide range of targets: in such cases, a vulnerability in one of these solutions is a single point of failure that can affect thousands or millions of customers at once.
Recent examples of supply chain attacks
The SolarWinds and Microsoft Exchange hacks, two of the most prominent supply-chain attacks in recent years, affected network management systems and on-premises email servers often used by large companies. As such, these systems form part of their supply chains. Among the SolarWinds victims were many Fortune 500 companies and the most sensitive institutions within the US government, including the National Security Agency, the White House and all branches of the US armed forces. Overall, the compromised SolarWinds software reached more than 17,000 customers.
Another example is the hacking of schematics of unreleased Apple products. Instead of targeting Apple servers directly, hackers went after one of its subcontractors, Quanta, which manufactures MacBooks and other products on its behalf.
How to protect an organisation against supply-chain attacks?
Organisations need to recognise that as their cyber supply chain ecosystem expands and diversifies, they must take additional steps to mitigate the elevated cyber risks that come with it. This includes increasing the organisation's situational awareness, which starts with maintaining a complete inventory of the software, hardware and information assets within its network, as well as those managed by its partners and vendors.
As an organisation, protecting against supply-chain attacks is challenging, mainly because the organisation does not have direct control over the systems. For instance, there is nothing customers of Microsoft Exchange could have done to prevent their data from being stolen until Microsoft had issued its security patch.
What is possible, though, is to dilute the potential impact of such attacks by diversifying one's suppliers. This is neither always possible nor always desirable (having several email providers may be a nightmare for the IT department), but it means that instead of relying on a single cloud service, for instance, the organisation structures its operations around two or three providers. That way, if one is compromised, it is more likely that some data and systems will not be exposed.
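The two measures above, an inventory that covers partner-managed assets and a check for over-reliance on a single supplier, can be combined into a simple exposure analysis. The following is an added example, not code from the original article; the inventory, asset names and supplier names are all constructed and hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str        # hostname, application or data store
    category: str    # e.g. "email", "network-monitoring", "cloud"
    supplier: str    # vendor or service provider the asset depends on
    managed_by: str  # "internal" or the partner/vendor operating it


# Constructed sample inventory (hypothetical names, not real systems).
INVENTORY = [
    Asset("mail-eu", "email", "VendorA", "internal"),
    Asset("mail-us", "email", "VendorA", "internal"),
    Asset("netmon-core", "network-monitoring", "VendorB", "internal"),
    Asset("netmon-branch", "network-monitoring", "VendorB", "MSP-1"),
    Asset("crm-prod", "cloud", "CloudX", "internal"),
    Asset("analytics", "cloud", "CloudY", "Partner-2"),
    Asset("backup-store", "cloud", "CloudX", "Partner-2"),
]


def exposure(inventory, supplier):
    """Assets (own and partner-managed) that depend on the given supplier.
    This is the question to answer first when a vendor reports a breach."""
    return sorted(a.name for a in inventory if a.supplier == supplier)


def supplier_share(inventory):
    """Per category, the fraction of assets served by each supplier."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in inventory:
        counts[a.category][a.supplier] += 1
    return {cat: {s: n / sum(sup.values()) for s, n in sup.items()}
            for cat, sup in counts.items()}


def single_points_of_failure(inventory, threshold=1.0):
    """Categories where one supplier covers at least `threshold` of the
    assets, i.e. where a compromise of that supplier exposes everything."""
    spof = {}
    for cat, shares in supplier_share(inventory).items():
        supplier, share = max(shares.items(), key=lambda kv: kv[1])
        if share >= threshold:
            spof[cat] = supplier
    return spof


if __name__ == "__main__":
    print(exposure(INVENTORY, "VendorB"))
    print(single_points_of_failure(INVENTORY))
```

Lowering the threshold (for example to 0.6) flags categories that are merely concentrated rather than fully dependent on one supplier.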