Supply Chain Attacks and How They Work
What is a supply chain attack and how does it work?
There’s no doubt that 2020 taught us all about the spreading of biological viruses. We can’t help but notice the elephant in the room – no matter what precautions we take, we can’t control everything.
Earthquakes, tsunamis, storms and floods have always been a natural threat to supply chains around the world. Most recently, the outbreak of the COVID-19 pandemic has caused outages in supply chain operations for many organizations and institutions worldwide.
Moreover, it has pushed companies to change the way employees work and communicate, transferring most activities to the online space. This has opened the doors to cyber-criminals and made companies highly vulnerable to supply chain attacks.
A supply chain attack is a type of cyber-attack that aims to damage an organization by exploiting vulnerabilities in, or completely destroying, the weakest links in its supply network. To impact target organizations, attackers go after information systems, critical suppliers, facilities or utilities, aiming to disrupt their ability to operate.
Another approach starts with an Advanced Persistent Threat (APT) used to identify the most vulnerable assets on the network, which will later become the weakest link and play a key role in the attack. By tampering with the product's output, APTs can gain access to confidential information.
Anyone can become this weak link - an internal employee who is neglecting security measures when conducting business activities, a third-party vendor or a service provider with weak cyber protection within their organization, or even the CEO of the company, who may be using their personal smartphone to make business calls, answer work emails and share their plans and locations via social media.
According to a Verizon Enterprise investigation, 92% of the cybersecurity incidents examined in their survey occurred among small companies.
"The modern world consists of complex supply chain interactions. The issue is that the convenience of being connected makes it easy for the suppliers to access the supplied."
Supply chain attacks: who is at risk?
“Supply chains, especially those related to infrastructure, have the potential to be highly vulnerable to hacking and malware attacks and, depending on the attacker's motivation, they are susceptible to large-scale theft and business disruption,” said Ken Goldstein, Vice President and Cyber Security Manager at Chubb Corp, Hartford, CT.
Sophisticated, powerful and highly damaging, supply chain attacks are usually aimed at the most critical and resource-rich sectors through their smaller, less well-protected parts.
Financial institutions like banks, hedge funds, investment companies, oil & gas industry, energy companies, governmental sector, and import & export industry are often affected by such threats due to the complexity of their operations. The sensitivity of data and finances handled and the multi-component structure of their operations result in many possible vulnerabilities and attack vectors.
One would think that the bigger the company, the more attractive it is to hackers. But wouldn’t a big company also be well protected? Well, most likely it will have taken care of its security a lot better than the smaller companies that make up its supply chain. And this is exactly where the threat lies.
Without realizing it, small product and ancillary suppliers become a route from their less well defended home computers and personal phones into their employers' networks, and from there into some of the biggest and most critical organizations across the globe.
Vendor ecosystem turns into a poisoned well?
It didn’t take long for cyber-criminals to understand that the easiest route into any company’s systems or network is through the vendor ecosystem. It’s hard for a large organization to keep track of the security posture of every product, supplier and service provider that contributes to the running of the business, giving attackers a means to slip in unnoticed.
Third party software providers
The most famous attacks of this kind were carried out by the Dragonfly hacker group, who targeted energy companies across Europe and North America via vulnerabilities in their supply chain. The websites of industrial control system providers were compromised and manipulated to replace legitimate files in their download repositories with infected ones, which were subsequently distributed to their clients’ systems.
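The defence against a swapped installer of the kind described above is to pin the digests of vendor-supplied files through a channel independent of the download site and to verify every file against those pins before installation. The following is an added example, not code from the original article or from any vendor; the file names, bytes and pins are constructed, and the manifest is built from the genuine bytes to stand in for pins obtained out-of-band.

```python
import hashlib
import hmac

# --- Constructed sample data (not real vendor files) -------------------------
# The installer bytes the vendor actually published.
GENUINE_INSTALLER = b"MZ\x90\x00 ICS-Client-Setup v2.1 (constructed sample payload)"
# The same file after an attacker replaced it on the download site.
TROJANIZED_INSTALLER = GENUINE_INSTALLER + b"\x00<injected stub, constructed>"


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of data."""
    return hashlib.sha256(data).hexdigest()


# Pins must come from an independent channel (signed release notes, a previously
# verified copy). A pin list served from the same web server as the download
# would simply be replaced together with the file.
PINNED_MANIFEST = {
    "ICS-Client-Setup.exe": sha256_hex(GENUINE_INSTALLER),
}


def classify_download(name: str, data: bytes, manifest: dict) -> str:
    """Classify one downloaded file against the pinned manifest.

    Returns 'ok' (digest matches the pin), 'tampered' (pinned but digest
    differs) or 'unpinned' (no pin exists, so the file must not be trusted).
    """
    expected = manifest.get(name)
    if expected is None:
        return "unpinned"
    # compare_digest avoids leaking where the two hex strings first differ.
    if hmac.compare_digest(sha256_hex(data), expected):
        return "ok"
    return "tampered"


def verify_repository(downloads: dict, manifest: dict) -> dict:
    """Verify every downloaded file; pinned files that were not downloaded are 'missing'."""
    report = {name: classify_download(name, data, manifest) for name, data in downloads.items()}
    for name in manifest:
        report.setdefault(name, "missing")
    return report


if __name__ == "__main__":
    mirror = {"ICS-Client-Setup.exe": TROJANIZED_INSTALLER, "README.txt": b"no pin"}
    for name, status in verify_repository(mirror, PINNED_MANIFEST).items():
        print(f"{name}: {status}")
```

Only files reported as "ok" should be installed; "unpinned" is not a pass, because a file the vendor never published is exactly what an attacker adds to a compromised repository.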
Cloud services & data stores - vulnerabilities
The biggest mistake is to assume that large data aggregators are safe by default. Cloud service providers undoubtedly take extra care of their security; however, we already know that no one is immune. Moreover, the widely used Shared Responsibility Model separates the service provider’s security responsibilities from those of the platform user. The provider secures the underlying hosting platform, but the platform user is responsible for securing the applications they create on it.
If you use third party companies to aggregate, store, process and utilize your company and customer data, don’t forget your competitors are doing the same. This means your competitors may be using the same providers, infrastructure and even datacenters. You may be closer to them than you think!
The type of data stored in these clouds doesn’t necessarily have to be about your customers, it may also include your business structure, plans, financial insights, strategic documents and expose you to risks of falling victim to corporate espionage.
Now think about planning a merger or an acquisition. How long will it take for someone who is “watching” you do business to understand what’s going on and get their hands on your most confidential information?
In 2013 a number of large data aggregators and storage companies were reported as being compromised by a minor botnet, which was travelling around the systems of a datacenter and its encrypted channels extracting data.
You might think that stealing your client’s business data won’t be useful, but there are multiple factors to take into consideration about the nature and mindset of the attackers. Is it only financial data criminals are after? Didn’t the modern age teach us that our consumer behavior and business habits are of a bigger interest nowadays?
Exactly. Most of the time it’s not just about stealing personal financial information but also knowing who you are and how you think and behave - that's what makes hackers crave breaking into large data storage platforms. This enables cyber-criminals to orchestrate fraud on a larger scale and target individuals more effectively.
Website design & development providers
Let’s drill down even further and switch into complete online mode to learn about yet another vulnerable link in any business’s supply chain.
“The more the better” is definitely a motto of many virtual attackers out there. They build their malware with the purpose of reaching the widest audience possible. Once the most strategic asset of a targeted organization is identified, it then takes just a small effort to compromise it and cause a high number of infections.
The company website is one such asset that draws attention. This might not be obvious, especially if you think your company’s website exists only for reputational purposes. But ultimately, your website is the home of your company - where people come to meet you instead of your physical office and learn about your products and services. Compromising the company website allows an attacker to hide behind your hard-earned reputation and take advantage of the visitors to it.
One of the best examples of this is the Shylock banking trojan, which in 2014 targeted e-banking users in the UK, Italy and the USA.
In the Shylock attack hackers got to legitimate websites through website builder platforms used by outsourced agencies. They launched a harmful redirect script to send users to a malicious domain owned by the hacker group. Once the victim entered the malicious website, malware was downloaded and installed on the user's devices and systems.
With so many links involved, the process was customized to perfection and helped the attackers to avoid detection and being analyzed by security systems.
Frequently visited & critical websites: watering hole attacks
If you work for a big company or a governmental agency, you might think that something like a website builder vulnerability doesn’t pose a threat to you, since your website is built and managed in-house with good security measures in place to make sure visitors to it couldn’t be affected. Well, you are wrong.
The defence, government and healthcare sectors are the most frequent victims of so-called “watering hole attacks”.
First, the attacker identifies a website with high traffic (the most visitors), and then the real work and research begins. Hackers work 24/7 to find the smallest weakness in the website in order to gain access to its code, using it to deliver malware tailored to the users of the site.
Examples of the most outrageous supply chain attacks
Q4 2013 >>> PROFIT: -46%
One of the most famous supply chain attacks that shook the world hit Target’s POS (Point of Sale) systems and resulted in the credit and debit card information of over 40M customers being exposed, making them vulnerable to financial fraud. To add insult to injury, Target lost about half of its profit in the blink of an eye.
Meet Suceful, Ploutus, Tyupkin and GreenDispenser
The nightmare of all ATM users and makers. Put simply, these viruses made it possible to walk up to an ATM and freely take out the cash. The machines display an “out of service” message, and after the offender empties them, the hackers are able to remove the malware from the systems and erase any traces of the event.
The malware could only be installed by someone who has keys to the ATM machines, like a technician, so this process requires an insider. However, this type of attack directly affects insurance companies, ATM manufacturers and even the companies providing the software, such as Microsoft. The losses come to much more than just the cash withdrawn.
British Airways cyberattack. 2018.
In the summer of 2018, malicious code was injected into the payment section of the British Airways website, which allowed the attackers to harvest customer payment data. The script skimmed the card details from the transaction and sent them to the attacker’s website to be stored and used for fraudulent purchases.
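A skimmer of this kind is a script tag that the site owner never put on the payment page, so a routine check of what scripts the page actually loads, compared with an allowlist of expected hosts and the presence of Subresource Integrity hashes, surfaces it early. The following is an added example and not code from the original article or from British Airways; the page markup, the hostnames (including the reserved .invalid domain standing in for an attacker host) and the allowlist are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample payment page: a first-party script with an SRI hash, an allowed
# CDN script without one, an injected script from an unknown host, and an inline block.
SAMPLE_PAGE = """
<html><head>
<script src="/static/js/checkout.js" integrity="sha384-constructedHashValue"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://static-assets.example.invalid/tracker.js"></script>
<script>window.checkoutReady = true;</script>
</head><body>...</body></html>
"""

# Third-party hosts the payment page is expected to load scripts from (constructed).
ALLOWED_HOSTS = {"cdn.example.com"}


class ScriptAuditor(HTMLParser):
    """Collect (finding_kind, src) for every <script> tag that needs attention."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        src = attributes.get("src")
        if src is None:
            # Inline code cannot carry an SRI hash; it has to be reviewed by content.
            self.findings.append(("inline", None))
            return
        host = urlparse(src).hostname  # None for relative, first-party URLs
        if host is not None and host not in self.allowed_hosts:
            # A third-party host nobody approved is the skimmer pattern.
            self.findings.append(("unexpected-host", src))
        elif "integrity" not in attributes:
            # Approved host, but a swapped file on that host would still load.
            self.findings.append(("no-sri", src))


def audit_scripts(html: str, allowed_hosts: set) -> list:
    """Return the findings for one page in document order."""
    auditor = ScriptAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for kind, src in audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"{kind}: {src}")
```

Running the check against a stored copy of the page on a schedule and alerting on any new "unexpected-host" finding turns a silent injection into a detectable change.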
Out of the frying pan and into the fire. 2020 - SolarWinds supply chain attack.
SolarWinds - a software provider that helps businesses manage their networks - turned out to be the weakest link in the supply chain of United States federal government operations.
An attack on their IT infrastructure caused a major data breach affecting numerous federal institutions, including the National Nuclear Security Administration. The response was immediate and radical - all the affected computers were disconnected and had to be rebuilt using clean installers.
The issue has since been taken care of, however the aftertaste will last for much longer - over 18K of SolarWinds’ customers were affected. Even Microsoft wasn’t able to get away from it with no losses and is now working on strengthening its supply chain defense across global entities.
Where do you fit in the supply chain?
In one way or another we are all a link in the global supply chain. Sometimes we are being supplied, and in other cases we are the suppliers. Establishing this model made all of us prone to becoming a target for cyber-criminals and sometimes even governments looking to get to some links of our chains via our smartphones.
“Every person, at any point in time, and in any place can become a starting point in an attack planned on our employers or their customers.”
As an effect of the global pandemic, the gig economy is on the rise, with many of us continuing work operations remotely and performing more activities via smartphones. We use online channels to communicate with colleagues and clients, as well as to deliver the results of our work. Thus, almost any touchpoint can be targeted through mobile connections or application vulnerabilities.
Supply chain protection should be directed upstream from our own supply chain. Being aware of existing and potential threats is the first step to take, followed shortly by adopting the most robust security technology practices. Needless to say, protecting our smartphones end-to-end is crucial to not becoming an active node in any kind of supply chain attack.
5 ways to protect your enterprise from supply chain attacks
- Audit and understand your network of suppliers
- Understand the risks coming from third-party vendors
- Make the supply chain a part of your support and remediation plan
- Educate yourself and employees on supply chain risk
- Use secure communication tools and channels (phones, messengers, VPNs, etc.)
Want to know the easiest and fastest way to protect yourself from becoming the weakest link in your supply chain? No matter what part of it you are - an ounce of prevention is worth a pound of cure. Ask us how to keep your business activities and communications safe and private and we'll be more than happy to tell.