It’s easy to think that the most dangerous cyber threats to your organisation are external. Unfortunately, over 1,500 organisations recently found out the hard way this is not always true. When a supply chain attack on the trusted IT service provider Kaseya gave threat actors direct access to Kaseya’s clients, massive disruption soon followed. As the attack progressed, cybercriminals took organisations from preschools to manufacturers offline while Kaseya themselves were hit with a ransom demand of over $70 million — the highest ransom demand to date.
Although supply chain attacks like the one that struck Kaseya are nothing new, they are growing at an astronomical pace. Recent projections from the European Union Agency for Cybersecurity (ENSIA) show that the number of supply chain attacks, defined as cyber-attacks that compromise an entire supplier client ecosystem rather than just a single target, may increase by over 400% this year alone. And for every supply chain breached, many more suppliers and customers are put into immediate jeopardy.
Highlighting the domino-like impact that supply chain attacks have, EU Agency for Cybersecurity Executive Director Juhan Lepassaar said that “Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once.” The SolarWinds attack, which impacted over 425 of the top 500 firms in the US late last year, illustrated this point perfectly. When threat actors hacked the SolarWinds Orion Software, almost 18,000 organisations, including US federal agencies and even the UN, were affected in what was undoubtedly a highly coordinated and state-backed effort.
Unfortunately, while their impact cannot be underestimated, attacks like those on Kaseya and SolarWinds, the “largest and most sophisticated attack ever,” according to Microsoft’s Brad Smith, may regrettably be little more than a taste of what’s yet to come.
For profit-motivated or nation state-based threat actors, spending a long time going after a highly integrated organisation can be immensely rewarding. Unfortunately for everyone else, successfully doing so is also increasingly easy.
Whether the target is a Fortune 500 company or an SME with less than 100 employees, developments like hybrid working, growing numbers of connected endpoints, and more reliance on third-party suppliers have made finding and entering a supplier’s network more straightforward than ever. Once an access point is discovered, human-operated attacks also allow threat actors to bypass even the most complex suits of defensive software.
Particularly within cloud services, where misconfiguration errors are rife, finding an open door to victims’ suppliers or clients is a near certainty. The fact that Apple fell victim to a supply chain attack earlier this year demonstrates this point succinctly. When one of their component suppliers was hacked and refused to pay a ransom to the hackers, Apple was strategically targeted with an attack that coincided with a product launch.
Rather than a single attack chain, supply chain attacks have two phases. First, cybercriminals attack a supplier. Then, they move onto the supplier’s customers or clients. As outlined in ENSIA’s recently published “Threat Landscape for Supply Chain Attacks” report, these two phases generally have separate methodologies and take place over different time frames.
An attacker who gains access to a supplier may linger for weeks or even months before launching an attack on their customers, who tend to be the final target for most attacks. However, while most victims don’t know exactly what attack vector was used to infect them, code, which criminals can leverage to gain access to suppliers, is the targeted asset for the majority (66% according to ENSIA) of attacks on suppliers.
The second phase of a supply chain attack, which involves hacking customers downstream of suppliers, generally uses different attack vectors and has contrasting goals. When threat actors go after a supplier’s customers, they aim for data and use exploits within trusted applications to get there.
However, while supply chain attacks undoubtedly have two phases, the prolonged way in which these attacks tend to play out can make defining attack stages complex. In many cases, a compromised supplier can lead to customers who are suppliers themselves. These may then be targeted in turn for their own customers.
Ultimately, access gained in a single supply chain attack can cascade into an infinite number of follow-on threats. One example is the continued fallout from the SolarWinds attack, such as the Mimecast attack in January of this year. In this attack, threat actors used the SolarWinds breach to compromise a certificate used by the US-based email security vendor Mimecast, a SolarWinds customer, to access their customers’ data. As a result, the initial SolarWinds supply chain attack enabled another supply chain attack against Mimecast’s customers, exploiting the same kind of trusted relationship between supplier and customer.
The hackers behind these kinds of attacks tend to be well-resourced cybercriminal gangs (the SolarWinds attack was likely executed over a year), aka “advanced persistent threats” (APT). These threat actors tend to be highly organised and patient and are often backed by some level of state support or patronage.
Threat actors conducting supply chain attacks turn the interconnected nature of today’s business environments into dynamic attack chains. In this threat landscape, few organisations are immune. Cybersecurity, therefore, needs to become a shared responsibility between suppliers and customers.
For suppliers, mitigating the chances of falling victim to a supply chain attack means ensuring that common vectors for malicious network access, such as phishing, patch lag, and zero-day exploits, are mitigated as effectively as possible. In practice, this means giving cybersecurity staff the capacity to take a proactive approach to vulnerability management and avoid the alert fatigue that can stop teams from achieving real cybersecurity.
Even if a supplier does not consider themselves large enough to be a target for the kind of APTs that go after organisations like SolarWinds or Kaseya, as the Mimecast attack shows, becoming a secondary target is a real possibility for most businesses. Mitigating this risk means following the MITRE ATT&CK framework and shutting down threats before they get a chance to gain a foothold in your network.
Customers also need to seriously consider the potential threat posed by the various components in their supply chain and carefully define their risk criteria when dealing with third-party suppliers. With the threat landscape constantly changing, this endeavour requires a dedicated approach from IT professionals — an effort that a cybersecurity platform like SenseOn can significantly aid.
Explore our collection of eBooks, webinars, articles, and more to help you maximize your understanding of emerging threats, adversary techniques and how to detect cyber attacks.Visit resource hub
Join thousands of like-minded professionals who are already receiving our blog updates and best practice guides.