What is a Supply Chain Attack?

A supply chain attack involves leveraging a third party supplier to an organisation, business, or even an entire industry in order to facilitate the stealing of information from them. Rather than directly attacking the target organisation, malicious actors will instead attack a third party provider and use the access they gain there to disseminate malware and access target networks further down the supply chain.

The implicit trust that organisations place in their suppliers provides a convenient way for attackers to plant malicious code into a target network, as anything that comes from a supplier would normally be trusted as legitimate.

Types of Supply Chain Attack

Supply chain attacks can take numerous forms, including the following as described by the National Cyber Security Centre (NCSC):

  • Third Party Software Providers – Organisations often purchase and use software from other businesses on their networks. Attackers may target the software provider, tampering with their legitimate code and planting malicious functionality into it at the source. The malicious code is then disseminated through normal software update services. Often, such malware takes the form of Remote Access Trojans (RATs), providing access to the networks of every customer who downloads the malicious update.
  • Website Creators – It is common to outsource the creation of websites and apps to third party creators. Attackers who compromise these creators might make changes to the core code that the company uses to create every website. By planting malware in this core code, they ensure that it is present on the websites of all of the creator’s customers.
  • Data Storage – Businesses often use external providers to store business critical information about themselves and their customers. Attackers who gain access to such providers could exfiltrate data from the numerous different organisations that make use of the service.
  • Watering Hole Attacks – Watering hole attacks target sites that are used by multiple people within an organisation or industry. After gaining access to the site, attackers use it to trick visitors into downloading and installing malware, giving them access to those organisations’ networks.

Real World Examples

Supply chain attacks aren’t simply a hypothetical scenario; they are real-world attacks that have generated a number of high-profile cases.

One of the most famous cyber attacks of the last decade, and a prime example of the third party software attack type described above, was that suffered by SolarWinds in 2020. Suspected state hackers compromised an update of SolarWinds’ Orion software, including in it a malware strain known as SUNBURST.

The attack was devastating, affecting around 18000 SolarWinds customers, including the US government, who were suspected to be the main target. As a result of the attack, the hackers gained a high level of access to the internal networks of government agencies and multinational companies alike. Fortunately for the majority of the 18000 customers who downloaded the update, the attackers were selective in the networks they accessed. Their selection included big names, however, including Cisco, Microsoft and VMware.

More recently, in September / October 2023, the Identity-as-a-Service platform Okta suffered a breach of its customer support ticketing system. An attacker gained access to the ticketing system and downloaded HAR files (records of web browser activity to aid in troubleshooting) that Okta’s customers had uploaded. These files contained valid session tokens for the customers’ Okta environments, which the attacker then gained access to.
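
A defensive take on the HAR exposure described above, as an added example that is not part of the original article or any vendor's tooling: Python that redacts credentials from a parsed HAR capture before it is shared with a supplier's support desk. The header and parameter lists, the function names and the sample capture are assumptions constructed for illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed lists for this example; extend them for the applications you capture.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAM_HINTS = ("token", "session", "secret", "password", "sid")
REDACTED = "REDACTED"

def is_secret_header(name): return name in SENSITIVE_HEADERS
def is_secret_param(name): return any(h in name for h in SENSITIVE_PARAM_HINTS)

def scrub_pairs(pairs, is_secret):
    """Redact values of HAR {name, value} pairs flagged by is_secret; return count."""
    hits = [p for p in pairs or [] if is_secret(p.get("name", "").lower())]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def scrub_url(url):
    """Redact sensitive query parameters embedded in request.url."""
    parts = urlsplit(url)
    query = [(k, REDACTED if is_secret_param(k.lower()) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, redaction count) for a parsed HAR 1.2 document."""
    har, total = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            total += scrub_pairs(msg.get("headers"), is_secret_header)
            total += scrub_pairs(msg.get("cookies"), lambda name: True)
        total += scrub_pairs(req.get("queryString"), is_secret_param)
        total += scrub_pairs(req.get("postData", {}).get("params"), is_secret_param)
        req["url"] = scrub_url(req.get("url", ""))
        # Raw bodies can embed tokens (e.g. login responses), so drop them whole.
        for body in (req.get("postData", {}), resp.get("content", {})):
            if body.get("text"):
                body["text"], total = REDACTED, total + 1
    return har, total

# Constructed sample capture; every value below is made up for this example.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://app.example.test/api?sessionToken=abc123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=s3cr3t"},
                            {"name": "Accept", "value": "application/json"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=n3w; HttpOnly"}],
                 "content": {"text": '{"access_token": "xyz"}'}}}]}}
```

Load a real capture with `json.load`, pass it to `sanitize_har`, and write the returned copy out with `json.dump`; the count it returns is a quick check that the capture did contain credentials worth removing.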

Some of the affected customers were high-profile organisations. The Content Distribution Network provider Cloudflare was affected, as was the password manager 1Password. Security is integral to the reputations of these businesses, as it is a key part of their marketing material.

Examples such as these demonstrate the importance of ensuring that your supply chain is handled securely. Just because a mistake is made by an external organisation does not mean that the effects cannot be disastrous for your own.

Mitigating the Risks of Supply Chain Attacks

You can’t control what happens in your suppliers’ networks and you can’t change their development practices, but you can control how you approach your supply chain and how you detect and eliminate threats.

The NCSC provides guidance on how to approach minimising your risk from supply chain attacks. Some steps to take include the following:

  • Perform an assessment of the risks in your supply chain as it exists now. Understanding exactly what your supply chain consists of and how sensitive the data you expose to it is will help you build an accurate risk profile.
  • Due diligence should be performed on new and existing suppliers. Asking questions such as who is responsible for cybersecurity at a third party, how they manage risk in their infrastructure and development processes, and what their incident response plans are, will help you to ascertain what risk their practices introduce to your business. The NCSC has a guide on what questions you should be asking of your suppliers.
  • Improve your own controls to aid in detecting attacks conducted from outside your organisation. Behaviour-based detection and prevention systems can alert you to suspicious activity on your network in the early stages of an attack, helping to minimise damage in the event of an incident.

If In Doubt, Seek External Help

If you’re struggling to manage the risk from supply chain attacks on your own, or you would like more information from experts in the industry, seeking help from a security company is always an option. GSA Global can provide a range of services to help you including:

  • Performing due diligence against new and existing suppliers to your business.
  • Consultation on assessing and managing your associated risk.
  • Technical assurance on third party security controls and systems.

If you’d like to have a discussion about how we can help you mitigate your risk from supply chain attacks, don’t hesitate to get in touch.