Securing the Backbone: Software Supply Chain Security for Critical Infrastructure


Issue #3: Meet the Hackers Trying to Ruin Your Day – Cybercriminals & Nation-States

Date: February 17, 2025


Meet Your Cyber Villains: Nation-State Hackers & Cybercriminal Gangs

Ah yes, the ever-growing roster of cyber troublemakers—nation-state hackers with way too much government backing and cybercriminals who think your IT budget is their personal ATM. This week, we take a sarcastic-yet-serious look at who’s trying to ruin your day, how they do it, and how to shut them down before they turn your supply chain into a cyber dumpster fire.


Nation-State Attackers: When Governments Get Bored

Who are they?

Think James Bond villains but with laptops instead of secret lairs. These government-funded groups aren’t just hacking for fun—they’re here for espionage, disruption, and general chaos. If you’re in critical infrastructure, finance, or tech, congrats! You’re on their VIP target list.


Rogue’s Gallery:

- APT29 (Cozy Bear) – Russia – Hacked SolarWinds like it was their personal playground.

  Wikipedia: https://en.wikipedia.org/wiki/Cozy_Bear

- APT41 (Double Dragon) – China – Moonlights as both a spy agency and a side hustle cybercrime gig.

  Wikipedia: https://en.wikipedia.org/wiki/Double_Dragon_(hacking_group)

- Lazarus Group – North Korea – The OG Bitcoin bandits funding a country’s missile program, one heist at a time.

  Wikipedia: https://en.wikipedia.org/wiki/Lazarus_Group

- Charming Kitten – Iran – Fancy a nation-state phishing attack? These folks have you covered.

  Wikipedia: https://en.wikipedia.org/wiki/Charming_Kitten


Their Favorite Tricks:

- Weaponized Software Updates – Because nothing says “surprise” like a malicious backdoor in your trusted software.

- Zero-Day Bonanza – They love finding vulnerabilities before you do.

- Phishing & Credential Theft – Trick a few developers into giving up their passwords, and boom—access granted.


How to Make Their Lives Miserable:

- Lock down developer accounts – If “password123” is still a thing, it’s time to rethink life choices.

- Understand your use of open-source packages – Is your software supply chain more like Fort Knox, or like that pillow fort your kids made to avoid bedtime?

- Invest in Intelligent Remediation – If only scanning for vulnerabilities was enough...


Cybercriminal Syndicates: The Digital Mafia

Who are they?

Unlike nation-state hackers who hack for “patriotic” reasons, these folks just want your money. They run ransomware businesses, exploit open-source projects, and generally act like the digital version of loan sharks.


Hall of Shame:

- FIN7 – A hacking group that treats cybercrime like a Fortune 500 company.

  Wikipedia: https://en.wikipedia.org/wiki/FIN7

- REvil – Ransomware kings who made headlines by extorting everyone from hospitals to billion-dollar corporations.

  Wikipedia: https://en.wikipedia.org/wiki/REvil

- DarkSide – Infamously shut down Colonial Pipeline, because why not?

  Wikipedia: https://en.wikipedia.org/wiki/DarkSide_(hacker_group)

- Lapsus$ – A bunch of teens proving you don’t need a degree to wreak havoc.

  Wikipedia: https://en.wikipedia.org/wiki/Lapsus$


Their Favorite Tricks:

- Ransomware-as-a-Service – Yes, you can now subscribe to extortion like it’s Netflix.

- Poisoned Open-Source Libraries – Upload something useful, wait for people to adopt it, and then, boom—backdoor city.

- Buying Stolen Credentials – Because why hack when you can just buy access?


How to Ruin Their Business Model:

- Vet every third-party dependency – Open-source is great until it isn’t.

- Change your passwords… often – Your IT security guy isn’t nagging you for fun.

- Use AI-powered threat detection – Because cybercriminals don’t take holidays.
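Vetting a dependency starts with knowing exactly what you depend on and whether it is pinned to a reviewed version. The script below is an added example, not code from this newsletter or from any product it mentions: it parses a constructed requirements.txt, builds an inventory, and flags entries that float to whatever the registry serves next (an unpinned spec is exactly where a poisoned release slips in). The package names, versions and the approved list are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample requirements.txt content; not from any real project.
SAMPLE_REQUIREMENTS = """\
# web stack
flask==3.0.2
requests>=2.31
cryptography
pyyaml[extras]==6.0.1 ; python_version >= "3.8"
-r other.txt
"""

# Hypothetical list of packages that have been through internal review.
APPROVED = {"flask", "requests", "pyyaml"}

# name, optional [extras], optional comparison operator, version (stops at whitespace or marker).
SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;]*)"
)


@dataclass
class Dependency:
    name: str
    operator: Optional[str]
    version: str
    pinned: bool  # True only for an exact '==' pin


def parse_requirements(text: str) -> List[Dependency]:
    """Turn requirements.txt text into an inventory of dependencies."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):
            continue  # skip blanks and option lines such as -r / -e
        m = SPEC_RE.match(line)
        if not m:
            continue
        name, _extras, op, version = m.groups()
        # PEP 503 normalisation so 'PyYAML' and 'pyyaml' compare equal.
        normalised = re.sub(r"[-_.]+", "-", name).lower()
        deps.append(Dependency(normalised, op, version, op == "=="))
    return deps


def unpinned(deps: List[Dependency]) -> List[str]:
    """Names that can silently resolve to a newer (possibly malicious) release."""
    return [d.name for d in deps if not d.pinned]


def unapproved(deps: List[Dependency], approved=APPROVED) -> List[str]:
    """Names that nobody has reviewed yet."""
    return [d.name for d in deps if d.name not in approved]


if __name__ == "__main__":
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    for d in inventory:
        print(f"{d.name:<14} {d.operator or '':<3} {d.version or '(any)':<8} pinned={d.pinned}")
    print("unpinned:", unpinned(inventory))
    print("unapproved:", unapproved(inventory))
```

The same inventory can be fed into a vulnerability scanner or compared against a lockfile; the point is that the check runs in the pipeline on every build, not once a year in a spreadsheet.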


Action Plan: Don’t Be Their Next Headline


3 Things to Do Before Hackers Make You Famous:

1. Watch developer accounts like a hawk – If Dave from IT suddenly logs in from Russia at 3 AM, maybe investigate.

2. Know what open-source packages are in your pipelines – Because you can't fix what you can't find.

3. Invest in Intelligent Remediation – Because vulnerability reports only go so far.
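Here is what “watch developer accounts like a hawk” looks like as a detection rule. This is an added example, not code from the newsletter or from any vendor it mentions: it parses constructed authentication log lines, builds a per-user baseline of countries seen in successful logins before a cutoff date, then flags later events that come from a country outside that baseline or land outside an assumed working window. The log format, the user names, the IP addresses and the 07:00–19:59 UTC window are all assumptions made for the demonstration.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Assumed log format; real SSO/VPN logs differ, so the regex is the first thing to adapt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\w+)$"
)

# Constructed sample auth log lines (documentation IP ranges, not real events).
SAMPLE_LOG = """\
2025-02-10T09:05:12Z user=dave src=198.51.100.7 country=US result=success
2025-02-11T10:41:03Z user=dave src=198.51.100.7 country=US result=success
2025-02-12T14:22:51Z user=dave src=198.51.100.9 country=US result=success
2025-02-17T03:12:44Z user=dave src=203.0.113.5 country=RU result=success
2025-02-17T03:13:01Z user=alice src=203.0.113.6 country=RU result=failure
"""

# Assumed working window (UTC, for simplicity); events outside it earn an "off-hours" reason.
WORK_HOURS = range(7, 20)
# Everything before this instant is history used for the baseline; at or after is evaluated.
CUTOFF = datetime(2025, 2, 17, tzinfo=timezone.utc)


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts with a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as alerts
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def build_baseline(events: List[dict], before: datetime) -> Dict[str, Set[str]]:
    """Countries each user successfully logged in from during the history window."""
    baseline: Dict[str, Set[str]] = {}
    for e in events:
        if e["ts"] < before and e["result"] == "success":
            baseline.setdefault(e["user"], set()).add(e["country"])
    return baseline


def find_anomalies(events: List[dict], baseline: Dict[str, Set[str]],
                   since: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, country, reasons) for events at/after `since` that deviate from baseline."""
    alerts = []
    for e in events:
        if e["ts"] < since:
            continue
        reasons = []
        # A failed attempt from a new country is worth seeing too, so result is not filtered here.
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append("new country")
        if e["ts"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((e["user"], e["country"], ", ".join(reasons)))
    return alerts


def detect(text: str = SAMPLE_LOG, cutoff: datetime = CUTOFF) -> List[Tuple[str, str, str]]:
    """End-to-end run: parse, baseline on history, evaluate the new window."""
    events = parse_log(text)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for user, country, why in detect():
        print(f"ALERT user={user} country={country} reason={why}")
```

A real deployment would also track source ASN and device, and would tune the work window per team rather than hard-coding UTC; the structure (baseline from history, evaluate the new window against it) stays the same.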


Coming Next Week…

The Business Cost of Software Supply Chain Attacks: How Much $$$ You’ll Lose if You Ignore This Stuff.

Want to talk security nightmares? Connect with me on LinkedIn.


Stay paranoid,

EPG

