Supply Chain Attacks and Why They’re So Dangerous
Over the past decade, cloud and internet-based software and service delivery models have fundamentally changed the way organizations manage and update applications and network infrastructure. Layered on top of that has been a fast-evolving automation of many aspects of industrial processes including the introduction of internet connected (IoT) devices. While these technical advances are associated with efficiency and flexibility, the trade-offs include challenges maintaining network and data security in an interconnected world and significant supply chain dependencies. As a result, some of the greatest security threats to organizations come from third party risk – the potential for interruption, destruction or data theft from attacks against third party service providers and suppliers, also known as supply chain attacks. On top of the risk to the individual organization, these attacks have the potential to cause mass disruption due to the relative concentration of market share among technology providers. The Solarwinds breach, discovered in late 2020, is a reminder of how single points of failure can be exploited with far-reaching impact, and that’s just the latest example in a growing list of supply chain attacks with systemic risk potential.
What are Supply Chain Attacks?
Supply chain or third-party attacks typically originate from a trusted business partner, vendor or supplier and target the weakest or least secure link in an organization’s supply chain. These types of attacks can exploit a wide range of technologies, from software infrastructure, code-sign certificates, cloud environments and managed services to hardware and devices. Recent examples of supply chain attacks include the exploitation of widespread code vulnerabilities in e-commerce platforms, DDoS attacks on critical internet infrastructure, and trusted software providers unknowingly transmitting infected code into their customers’ networks.
When it comes to attacks on software, commercial software isn't the only target of supply chain attacks. Attacks targeting open-source software projects are a major issue for organizations, with 90% of all applications containing open-source code and 11% of those having known vulnerabilities (1). According to IBM and the Ponemon Institute’s Cost of a Data Breach Report 2020, third-party software vulnerabilities were initial attack vectors in one of every six malicious breaches. These breaches included attacks against both less secure open-source software as well as wide-ranging attacks on mature and trusted vendor software.
While many of these attacks are highly sophisticated and often involve nation state actors, some are far simpler, such as targeting contractors with access to the networks of large organizations. This was the method employed in the 2013 Target data breach, where cybercriminals are believed to have used an HVAC vendor’s credentials as a first means of accessing Target’s network to then further exploit the organization and steal millions of payment card details (2).
The Solarwinds Breach
In December last year, threat actors believed to be affiliated with a nation state gained access to multiple US government agencies and thousands of organizations globally in a months-long advanced persistent threat campaign that began in March of 2020. The attackers were able to pull this off by compromising the infrastructure of SolarWinds' Orion software (a network and applications monitoring platform) and used that access to create and distribute malware, known as Sunburst, to Orion users through a software update. As many as 18,000 organizations and government entities were infected through the malware-laced software update; however, it appears that a significantly smaller group of organizations was selected for further exploitation through the access established with Sunburst. In an update last week, the White House said about 100 US private sector firms had been impacted at this stage, most of which are technology companies (3). It’s possible that these companies were selected specifically to compromise further supply chains in a similar way to how Solarwinds was exploited. The motivation behind the attack was most likely espionage; no destructive impact or evidence of large-scale theft of personally identifiable information has surfaced thus far. Circumstances surrounding the attack continue to unravel, and Trustwave recently identified new, severe vulnerabilities within SolarWinds’ Orion Platform and Serv-U FTP that exposed customers to additional potential risks and required another round of patching.
High-Profile Attacks
The most destructive supply chain attack to date was the 2017 NotPetya malware distribution that started in Ukraine and used zero-day exploits known as EternalBlue stolen from the NSA a few months earlier. While the attack was aimed at disrupting Ukrainian infrastructure, it caused billions of dollars in collateral damage to organizations outside the country that happened to be users of the M.E.Doc software utilized to distribute the attack (4).
Magecart is an umbrella term for cybercriminals that utilize the family of Magecart malware (web skimmers) to exploit code vulnerabilities typically in websites using the open-source Magento e-commerce platform. In a series of campaigns that started in 2015, thousands of global e-commerce sites have been compromised using widespread code vulnerabilities to steal payment data. British Airways, Macy’s and Ticketmaster are among the impacted organizations (5).
In 2016, domain name service provider DYN (DNS translates IP addresses into domain names) was hit with a series of DDoS attacks considered the most powerful of their kind to date. The attacks were delivered using the Mirai botnet consisting of hundreds of thousands of hijacked IoT devices, and although it only lasted a few hours, it caused disruption to 175,000 websites, including Amazon, Twitter and Spotify (6).
Shadowhammer was a supply chain attack discovered in 2019 in which threat actors compromised laptop manufacturer ASUS and a number of other Asian technology companies potentially impacting over a million users. While its motive is unclear and the malware didn’t have any destructive impact, it appears to have been targeted against a small subset of users by automatically searching for a list of pre-identified devices for backdoor installation (7).
Systemic Risk Concerns
The NotPetya and Solarwinds attacks share several common traits. They both used third-party software updates as the delivery mechanism for their attacks, both impacted a large number of companies, and both were allegedly carried out by threat actors operating on behalf of a nation state, perhaps the exact same group of operatives. However, because of the difference in motivation, they had entirely different outcomes. NotPetya was intended to be destructive, and to that extent, it served its purpose successfully with an estimated total cost of $10 billion to impacted organizations (8). The immediate direct costs associated with the Solarwinds attack are likely to be a fraction of those resulting from NotPetya, but had the Solarwinds attack instead delivered disruptive malware, it would have left a trail of destruction in its path with 18,000 potentially impacted organizations including a large number of Fortune 500 companies. In comparison, NotPetya only impacted a few hundred organizations outside of Ukraine, yet the costs were significant. Supply chain attacks with systemic impact happen frequently, just on a smaller scale. Managed Service Providers (MSPs) have been a favorite target of ransomware threat actors because of the opportunity to infect many of the MSP’s customers in one single attack – a 2019 attack against an MSP infected more than 100 dental clinics with ransomware (9).
Cyber insurers spend considerable efforts modeling systemic risk scenarios such as these to determine the economic impact of widespread attacks, and real-life incidents serve as important learnings in that process. However, the potential impact from systemic risk isn’t limited to what is covered on a cyber insurance policy. The NotPetya attack illustrates well how a widespread cyberattack can cause ripple effects on society more broadly. Maersk, a global shipping company headquartered in Denmark, was one of the organizations impacted by NotPetya, and beyond the significant financial injury caused to the company itself, its critical function in the global distribution of goods (Maersk ships 20% of the world’s GDP) meant that there was broader disruption to global supply chains (10).
Mitigating Third Party Risk
Third party risk mitigation is no easy task as evidenced by the fact that many supply chain attacks fall into the advanced persistent threat category and some have the ability to compromise even leading cybersecurity companies. Prevention requires action on both the technology provider and user sides, and although there’s no perfect solution, there are a number of proactive measures that can help organizations significantly reduce the risk of supply chain attacks.
- Develop a map of vendors and supply chain dependencies, and identify cyber risk potential
- Establish a vendor risk management program that includes classification of vendors based on the level of risk they pose to the organization and require an annual vendor cybersecurity assessment, including an assessment of the vendor’s own supply chain risk
- Limit vendors’ access to the network and require the use of multifactor authentication when vendors access the organization’s network
- Require vendors to have cybersecurity certifications such as ISO 27001 or CMMI and/or comply with cybersecurity frameworks like NIST or CIS
- Ensure that industry or service specific certifications or attestations, such as the PCI-DSS compliance requirements in the payment card industry, are up-to-date
- Implement network segmentation to contain malicious infections or unauthorized access to a limited part of the network
- Apply the principle of least privilege or zero trust network architecture to prevent lateral traversal if the first layer of defense is compromised
- Use MDR (Managed Detection and Response), an outsourced threat monitoring solution that improves an organization’s detection of malicious behavior by combining analytics and human intelligence
- Continuously perform vulnerability scans of the network to detect malware infections or unusual behavior
- Test web applications for code vulnerabilities to prevent code injection attacks
- When it comes to ransomware or destructive malware mitigation, recovery is just as important as prevention. Performing frequent backups and storing them off-line or segregated from the main network provides the best chance of successful recovery
- Require vendors to contractually indemnify the organization for cyber incidents caused by the vendor and to provide documentation of cyber insurance
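The first two measures above (a vendor dependency map that also covers each vendor's own suppliers) can be made concrete with a small script. This is an added example, not code from the article or from Trustwave or The Hartford; the vendor names are constructed, and it shows how a map of transitive dependencies exposes the single points of failure that give a supply chain attack its systemic reach.

```python
from collections import defaultdict, deque

# Constructed sample vendor map (hypothetical names). Each organisation or
# vendor lists the third parties it depends on; vendors' own suppliers are
# included so the map covers the vendor's supply chain, not just direct ties.
VENDOR_MAP = {
    "acme-corp":     {"monitor-co", "hvac-services", "cloud-host"},
    "beta-bank":     {"monitor-co", "cloud-host", "payments-inc"},
    "gamma-health":  {"msp-one"},
    "delta-retail":  {"msp-one", "payments-inc"},
    "msp-one":       {"monitor-co", "cloud-host"},  # the MSP's own suppliers
    "payments-inc":  {"cloud-host"},
    "monitor-co":    set(),
    "hvac-services": set(),
    "cloud-host":    set(),
}

# The organisations whose exposure we care about (the rest are vendors).
CUSTOMERS = ["acme-corp", "beta-bank", "gamma-health", "delta-retail"]

def transitive_suppliers(org, vendor_map):
    """All vendors an org depends on, directly or through other vendors."""
    seen, queue = set(), deque(vendor_map.get(org, ()))
    while queue:
        vendor = queue.popleft()
        if vendor in seen:
            continue
        seen.add(vendor)
        queue.extend(vendor_map.get(vendor, ()))
    return seen

def blast_radius(vendor_map, customers):
    """For each vendor, the set of customers reachable if that vendor is compromised."""
    exposure = defaultdict(set)
    for org in customers:
        for vendor in transitive_suppliers(org, vendor_map):
            exposure[vendor].add(org)
    return dict(exposure)

def single_points_of_failure(vendor_map, customers, threshold):
    """Vendors whose compromise would reach at least `threshold` customers, worst first."""
    radius = blast_radius(vendor_map, customers)
    ranked = sorted(radius.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(vendor, len(orgs)) for vendor, orgs in ranked if len(orgs) >= threshold]

if __name__ == "__main__":
    for vendor, hit in single_points_of_failure(VENDOR_MAP, CUSTOMERS, 2):
        print(f"{vendor}: {hit} of {len(CUSTOMERS)} organisations exposed")
```

In the constructed map, the monitoring and cloud providers reach every customer even though two of the customers never contracted with them directly, which is the concentration effect the article describes.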
Trustwave is a leading cybersecurity and managed security services provider focused on threat detection and response. Offering a comprehensive portfolio of managed security services, consulting and professional services, and data protection technology, Trustwave helps businesses embrace digital transformation securely. Trustwave is a Singtel company and the global security arm of Singtel, Optus and NCS, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com
1) Sonatype's 2020 State of the Software Supply Chain Report
2) https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
4) https://en.wikipedia.org/wiki/2017_cyberattacks_on_Ukraine
7) https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
8) https://en.wikipedia.org/wiki/Petya_(malware)
9) https://krebsonsecurity.com/2019/12/ransomware-at-colorado-it-provider-affects-100-dental-offices/
This article provides general information, and should not be construed as specific legal or risk management advice. As with all matters of a legal nature, you should consult with your own legal counsel and risk management professionals. The Hartford shall not be liable for any direct, indirect, special, consequential, incidental, punitive or exemplary damages in connection with the use by you or anyone of the information provided herein.
Sr. Security Policy Advisor at BOMBARDIER
4 years ago: Great work and summary about the subject! One thing to mention is that NotPetya originated from Russia according to CIA reports (January 2018), and the GRU (Russia's Main Intelligence Agency) was behind the NotPetya cyberattacks. Though, Russian authorities are denying this accusation and claiming it originated in Ukraine in 2017.
Sr. Cyber Security Consultant at Artech LLC
4 years ago: Great work!
Retired Managing Director and Editor at Polar Seas Portal
4 years ago: Requiring indemnification is the last, and perhaps the most difficult, of the list. There is also a significant risk of discovering that the actual indemnification is being held by a small number of firms with outsized risk portfolios across several sectors of industry.
Cybersecurity Executive & Non-Executive Director Serving Start-Up & High Growth Tech Firms
4 years ago: An important and topical subject. Nice report.
Delivering cyber risk analytics for the insurance industry
4 years ago: Great summary, Jacob