Supply chains have become a preferential target for hackers. Government reports from the UK, USA and many other parts of the world confirm the growing attacks on supply chains impacting businesses and even government agencies. Such attacks often involve secondary or even tertiary targets that are attacked through a series of breaches across organizations connected through a supply chain
How are supply chains targeted?
A chain is only as strong as the weakest link and this adage is true even in the digital world. Hackers target supply chains by studying the entire supplier network for identifying weak points for entry into a network. This network is then used as a conduit to target networks belonging to other organizations upstream or downstream. A single breach could potentially expose a whole chain and many service providers.
Using specific data, hackers target multiple employees across various organizations. This is done through a phishing email or a waterhole attack. While earlier attacks were not targeted, most of the attacks we have seen this year are targeted at specific individuals and involve state-backed actors. The whole approach is more structured and organized and hackers are clear about what they are looking for or want from these organizations.
The ultimate targets
The more sophisticated the hacker, the more distant would the ultimate target be. In the case of a large defense hardware manufacturer in Europe, the first point of entry for the hackers was a firmware-linked entity based in Asia. The hackers used the first breach to move across continents and more targets downstream till the ultimate target was breached nearly 11 months later.
The target organizations and their supply chain connects are mapped and observed over a period of time before an attack attempt is made.
Software supply chain cybersecurity tips from NSA and CISA, US
Software supply chain compromise is a common form of supply chain attack. The most common compromise methods involve exploitation of inherent design flaws in the software, addition of vulnerable third-party components into a software product, breach and infiltration of multiple supplier’s networks with malicious code before the final software product being delivered, and injection of malicious software which is finally deployed by the customer.
The U.S NSA and CISA recently shared tips to secure the entire software supply chain. This is certainly a welcome move. The recommendation document covers security across:
- Product development
- Third-party component verification, and integration
- Hardening the build environment
- Final package validation.
The document states that “stakeholders must seek to mitigate security concerns specific to their area of responsibility. However, other concerns may require a mitigation approach that dictates a dependency on another stakeholder or a shared responsibility by multiple stakeholders”. This points to a collaborative approach towards identifying and mitigating threats within and outside a supplier’s own area of responsibility.
The document while articulating the need to focus on vulnerabilities, states “dependencies that are inadequately communicated or addressed may lead to vulnerabilities and the potential for compromise”. Areas where these types of vulnerabilities may exist include:
- Undocumented features or risky functionality
- Unknown and/or revisions to contractual, functionality, or security assumptions between evaluation and deployment
- Supplier’s change of ownership and/or of geo-location
- Poor supplier enterprise or development hygiene
We recommend that all supply chain entities across verticals read, understand, and adhere to these tips. It will go a long way in securing not just supply chains but also the entire digital footprint of various enterprises and governments.
Learn more about supply chain security by interacting with our cybersecurity experts today
Do a complete cyber threat assessment now to find out your security gaps
Try our threat intelligence feeds for free now: Sign up for free threat intelligence feeds today.