Supply Chain Attacks Are On The Rise

Uploaded on 2018-12-13 in NEWS-Cybersecurity News, FREE TO VIEW

Modern companies work with subcontractors and third-party providers in so many ways: from employing third-party experts for solving particular problems to using third-party providers’ teams to monitor corporate security and infrastructure health 24/7. While this partnership proves to be quite beneficial to all parties, there are certain cybersecurity risks to consider.

In particular, more and more hackers are looking for a way to compromise supply chain networks and cause severe damage to large companies and organizations without attacking them directly. These indirect yet devastating attacks are called supply chain attacks.

What’s the danger of supply chain attacks?
So what is a supply chain attack? Basically, it’s a type of attack where hackers don’t target their initial goal directly. Instead, they focus on finding and compromising the most vulnerable elements in their victim’s supply chain network: subcontractors and third-party providers an intended victim works with. There are several ways of compromising a supply chain: from sending phishing emails in order to steal a supplier’s identity to injecting malicious code into a third-party software.

Software supply chain attacks pose the most danger since they are much harder to detect. These attacks target not third-party provider accounts or corporate networks, but third-party software used by a victim. Such an attack can be performed by exploiting existent vulnerabilities in this software or by modifying this software with malicious code insertion.

The main focus of the attackers goes to these three categories of targets:

  • Website builders
  • Third-party software providers
  • Third-party data storages

For instance, hackers may target a software vendor and try to modify one of its products and inject their malicious code into it. As the compromised software spreads among the clients of this provider, so does the malware. As a result, hackers get a chance to cause damage to numerous companies and organizations by compromising just one supplier.

However, cyber supply chain attacks aren’t limited to compromising third-party software solutions. Attackers may also try to hack a supplier’s system and steal their credentials to get access to the main target’s network.

The supply chain silent threat hides in the difficulty of making sure that all of your third parties take their cybersecurity seriously and responsibly enough. Especially, considering the fact that supply chain attacks are currently on the rise.

The rising threat of supply chain attacks

The practice of using suppliers and subcontractors to indirectly hit a larger target becomes more and more common. According to a recent report by Vanson Bourne and CrowdStrike, two-thirds of surveyed companies suffered from a software supply chain attack in the past year. And the average cost of such attacks is estimated to be as high as $1.1 million.

However, what’s even more concerning is that 71 percent of respondents admitted not holding their subcontractors to the same security standards they use. At the same time, the vast majority of the surveyed experts and decision makers — nearly 80 percent — believes software supply chain attacks to be dangerous enough to make it to the top of the biggest cyber threats in the near future. 

Here are some of the most recent software supply chain attacks examples:

CCleaner — Hackers managed to compromise a legitimate application and use it to perform a backdoor attack, infecting over 2 million CCleaner customers worldwide. It’s noteworthy that hackers specifically targeted 18 large companies, including Sony, Intel, Asus, and VMWare. They modified one of the application functions to make it decode and load the malware.
M.E.Doc — Hackers compromised the update server used by the tax-accounting application M.E.Doc. Being used for spreading NotPetya ransomware, the supply chain attack affected operations of banks and companies worldwide, literally paralyzing entire networks. Such companies as FedEx and Maersk report losing around $300 million each as a result of the attack.
PyPi — Hackers targeted the popular programming language — Python — by compromising PyPi servers and replacing original libraries with altered packages that included a check-in beacon.
Kingslayer — Hackers created a backdoor by targeting administrator accounts and replacing the legitimate application with its malware-containing version. As the result of this attack, at least one US defense contractor was compromised. Although, the exact number of infected companies remains unknown.
Transmission — Hackers compromised legitimate servers used for distributing the popular BitTorrent client. They injected a client’s installer with macOS ransomware. 

In each of these cases, attackers picked a trusted, legitimate product or service and exploited it to harm a larger target.

In addition to that, there are numerous examples of large companies suffering from not taking third-party access management seriously enough:

Amazon — In 2017, hackers attacked several third-party vendors working with Amazon and used their credentials for posting fake deals on the platform.
Target — One of Target’s third-party vendors was hacked via phishing. Using the stolen credentials of that vendor, hackers get access to the Target’s billing network.

All these examples lead us to the main question: is it possible to mitigate the risks of supply chain attacks?
How to protect your company against supply chain attacks

The lack of control over third parties is one of the main reasons supply chain attacks are even possible. Therefore, you can significantly improve the level of your company’s cybersecurity by adapting your standard security procedures to include all of your vendors, suppliers, and third-party providers.

Here are some of the best practices for managing supply chain risks:

Vet your subcontractors — Don’t grant third parties access to your network until vetting their current security practices. Request and examine their cybersecurity policy and make sure they follow the same security and compliance standards that you do. When deploying a new product from a third-party software provider, check if the developers used the security development lifecycle process when building this solution.
Set protocols and SLA — Set specific rules for every aspect of cooperating with vendors: from accessing data to sending emails. Keep your cybersecurity standards consistent along the entire supply chain to make it much harder for the attackers to find a weak spot in it.
Deploy access management solutions — Use advanced identity and access management solutions for making sure that only legitimate users have access to your company’s critical assets and sensitive information, and only for those they really need for their work. Also, consider using a one-time password scheme or integrating your access management solution with a ticketing platform.
Monitor your network — Having full visibility of vendor actions within your company’s network is crucial for ensuring a high level of cybersecurity. You can look for a specific third-party vendor monitoring solution or use a universal toolset for monitoring user activity and managing access.
Perform regular audits — Auditing third-party vendors’ activity on a regular basis is just as important as auditing your network. This way you can not only detect suspicious actions, but also see if everyone follows appropriate security practices and whether there are any new weak spots and vulnerabilities in your supply chain.

Conclusion

Understanding the difficulty of attacking large companies directly, hackers take advantage of indirect attacks by targeting their victim’s supply chain. They use various tactics: steal identities, compromise admin accounts, infect legitimate software and applications with malicious code, and so on.

In order to mitigate the risks of supply chain attacks, companies should reconsider their current security policies. Third-party vendors and suppliers are insiders as well and need to be included in the corporate Insider threat Program and follow the same security practices and standards.

Marcell Gogan is a Security Experts at Ekran System

You Might Also Read:

Breakthrough Technologies To Combat Insider Threats:

« Top 8 Most Disturbing Data Breaches In 2018
Indian Government To Provide Handbook On Cyber Safety To School Children »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

HANDD Business Solutions

HANDD Business Solutions

HANDD are independent specialists in data protection with expertise at every stage of the Protect, Detect and Respond cycle, from consultancy and design, right through to installation.

Venable

Venable

Venable is an American Lawyer 100 law firm with nine offices across the USA, Practice areas include Cybersecurity.

Daon

Daon

Daon offers a universal biometric authentication platform for mobile devices.

Resec Technologies

Resec Technologies

Resec provides total protection against all types of known and unknown malware threats including viruses, Trojans, ransomware and phishing, regardless of their delivery method.

Secon Cyber Security

Secon Cyber Security

Secon Cyber Security is an Advanced Managed Security Services Provider with long standing experience of providing cyber security solutions to customers ranging from small to large enterprises.

Phosphorus Cybersecurity

Phosphorus Cybersecurity

Phosphorus has fully automated remediation of the two biggest IoT vulnerabilities, out of date firmware and default credentials.

Findcourses.co.uk

Findcourses.co.uk

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

Securden

Securden

Securden provide an all-in-one Platform for Next-Gen Privileged Access Governance, helping you to prevent identity thefts, malware propagation, cyber attacks, and insider exploitation.

Evina

Evina

Evina offers the most advanced cybersecurity and fraud protection for mobile payment.

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance (MCSA)

Midwest Cyber Security Alliance is a nonprofit, nonpartisan collaboration of individuals, businesses, government entities, and professionals advocating for more effective cyber security solutions.

Imageware

Imageware

Imageware is a leader in biometric cybersecurity. Protect against costly, damaging ransomware hacks by employing biometric cybersecurity solutions.

National Cybersecurity Consortium (NCC) - Canada

National Cybersecurity Consortium (NCC) - Canada

The NCC’s mandate is to keep Canada’s cyber and critical infrastructures and citizens safe while ensuring Canada’s global competitiveness and leadership in cybersecurity.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

Hartman Executive Advisors

Hartman Executive Advisors

Hartman Executive Advisors is an unbiased IT and cyber advisory firm uniquely designed to help mid-market executives maximize their IT investments.

Early Game Ventures (EGV)

Early Game Ventures (EGV)

Early Game Ventures invests in startups that jumpstart new industries in the emerging markets of Europe.

Cloudbox

Cloudbox

Cloudbox build and maintain a highly secure, compliant IT infrastructure for our clients – with total peace of mind – so they can focus on the market.