In today's interconnected digital landscape, imagine your company as a fortress. You've fortified every wall, yet a leaky moat in your neighbor's castle—your supply chain—poses a hidden danger. This is the stark reality of supply chain cyber attacks, a growing concern for organizations worldwide. Even with robust internal security measures, your network remains vulnerable if your suppliers, vendors, or third-party software libraries are compromised.
What is a Supply chain attack?
A supply chain attack occurs when cybercriminals target a weaker link in a company's supply chain network. This could be a supplier, a vendor, a customer, or a third-party software library that the company depends on. Consider a car manufacturer that relies on various third-party suppliers for components like tires, glass, and body-kit materials. If one of those suppliers is hacked, the attackers could steal the manufacturer's design secrets and manufacturing processes without ever breaching the manufacturer directly. That is a simple example of a supply chain attack, and it shows how exposed a company is to cyber threats anywhere in its supply chain.
The Gartner 2023 Supply Chain Risk Management Survey Report states that "supply chain attacks are on the rise, with 63% of respondents reporting that their organization has experienced a supply chain attack in the past year."
This clearly shows how seriously an organization must take the security of every element of its supply chain.
Below are some of the significant supply chain attacks that took place in 2023:
1. University of California San Francisco (UCSF) Supply Chain Attack
Imagine a doctor unable to operate because the system they depend on is unavailable. Sounds scary, right? This is what happened at UCSF in February, where the hospital's electronic health record (EHR) system was unavailable for several days. Without access to the EHR system, UCSF clinicians were unable to access patient medical records or schedule surgeries. This resulted in the cancellation or postponement of several surgeries.
The attackers executed the attack by exploiting a vulnerability in Codecov, a popular code-testing tool that Zellis, a clinical trial software company, uses to test its software for vulnerabilities. UCSF was using Zellis and hence was affected.
The attackers were able to steal the personal information of clinical trial participants from Zellis's systems, some of which was later published online.
2. Airbus Supply Chain Attack
Airbus was also affected by a supply chain attack in January 2023, carried out by a threat actor known as USDoD.
Airbus confirmed that the attack had been carried out through a compromised employee account at Turkish Airlines, one of Airbus's customers. The threat actor was able to access the employee's account and gain access to Airbus's systems.
The breached data included personal information associated with over 3,000 Airbus vendors, such as Rockwell Collins and Thales Group. The data dump included names, addresses, phone numbers, and email addresses.
3. Norton Supply Chain Attack
Norton is a company that offers products and services for digital security, identity protection and online privacy. Its best-known product is Norton Antivirus, a widely used antivirus package. Even so, Norton was affected by a supply chain attack in May.
The attack exploited a zero-day vulnerability in MOVEit Transfer, a managed file transfer (MFT) software that Norton's parent company, Gen Digital, uses to transfer files between its offices and customers.
The attackers were able to gain access to Norton's network and steal the personal information of employees, including names, addresses, birth dates, and business email addresses. The attackers also threatened to release the stolen data if Norton did not pay a ransom.
4. Colonial Pipeline Cyber attack
The Colonial Pipeline is the largest pipeline system for refined oil products in the United States. In March, it was also affected by a supply-chain attack.
The attack exploited a remote code execution (RCE) vulnerability in Pulse Connect Secure, a VPN software program used by Colonial Pipeline to monitor its pipeline operations. The attackers were able to gain access to Colonial Pipeline's network and encrypt its systems.
The attack made it impossible for Colonial Pipeline to operate its pipeline. Colonial Pipeline was forced to shut down its pipeline for five days. This caused a gasoline shortage in the Southeastern United States. Colonial Pipeline paid a ransom of $4.4 million to the attackers in order to regain access to its systems.
5. Microsoft Supply Chain Attack
Almost everyone who uses a computer knows Microsoft and has used Windows at least once. Microsoft was also affected by a software supply chain attack in February 2023.
The attack exploited a vulnerability in JFrog Artifactory, a binary repository manager that Microsoft uses to store and distribute its software components. The attackers were able to gain access to JFrog Artifactory and inject malicious code into some of Microsoft's software components. This allowed the attackers to gain access to Microsoft's networks and steal source code and other confidential information.
The above incidents show how important it is to take measures to prevent a supply chain attack. Here are some specific steps that businesses can take to protect themselves:
- Implement a software supply chain security program. This program should include steps for identifying and assessing risks, implementing security controls, monitoring supply chains, and responding to incidents.
- Choose your vendors carefully. Research their security practices and make sure they have a good reputation.
- Keep your software up to date. Software updates often include security patches that can help protect you from known vulnerabilities.
- Educate your employees about cybersecurity. Make sure they know how to identify and report suspicious activity.
- Use software composition analysis (SCA) tools. SCA tools can help you identify the third-party components used in your software and assess the security risks associated with those components.
- Have a plan in place for responding to a cyber attack. This plan should include steps for containing the attack, investigating the incident, and notifying affected customers and partners.
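As an added illustration of the SCA and keep-software-updated recommendations above (example code written for this edit, not code from the original post or from CloudSEK), the block below parses a pinned lockfile, flags pins that fall below an advisory's fixed version, and verifies that fetched artifacts still match the digests pinned in the lockfile, which is the kind of check that catches a component altered in a repository. All package names, versions, advisory ids and artifact bytes are constructed placeholders.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed genuine artifact bytes; their digests seed the constructed lockfile below.
GENUINE = {
    "examplelib": b"examplelib-1.4.2 genuine wheel bytes (constructed)",
    "otherpkg": b"otherpkg-2.0.0 genuine wheel bytes (constructed)",
}
# Constructed lockfile in requirements.txt style with pinned sha256 digests.
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{hashlib.sha256(GENUINE[name]).hexdigest()}"
    for name, ver in (("examplelib", "1.4.2"), ("otherpkg", "2.0.0"))
)
# Constructed advisory feed (placeholder ids): a package is affected below fixed_in.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "examplelib", "fixed_in": "1.4.3"},
    {"id": "ADV-PLACEHOLDER-002", "name": "otherpkg", "fixed_in": "1.9.0"},
]
# Artifacts as actually fetched from the repository: otherpkg has been altered (constructed).
FETCHED = {
    "examplelib": GENUINE["examplelib"],
    "otherpkg": GENUINE["otherpkg"] + b"\n# injected (constructed tampering)",
}
LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[\d.]+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$")

def parse_version(ver: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple, so 1.10.0 sorts after 1.9.0."""
    return tuple(int(p) for p in ver.split("."))

def parse_lockfile(text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (pinned version, pinned sha256 hex digest)."""
    deps = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            deps[m["name"]] = (m["ver"], m["sha"])
    return deps

def find_vulnerable(deps, advisories) -> List[Tuple[str, str, str]]:
    """(package, pinned version, advisory id) for every pin below the fixed version."""
    return [(a["name"], deps[a["name"]][0], a["id"]) for a in advisories
            if a["name"] in deps
            and parse_version(deps[a["name"]][0]) < parse_version(a["fixed_in"])]

def verify_integrity(deps, fetched) -> List[str]:
    """Packages whose fetched bytes do not hash to the digest pinned in the lockfile."""
    return [n for n, (_, sha) in deps.items()
            if hashlib.sha256(fetched[n]).hexdigest() != sha]
```

Running `find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES)` flags examplelib as below its fixed version, while `verify_integrity` reports otherpkg because its fetched bytes no longer match the pinned digest.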
By learning from the past, businesses can better prepare themselves to defend against software supply chain attacks in the future.
CloudSEK is a contextual AI company that predicts cyber threats. At CloudSEK, we combine the power of Cyber Intelligence, Brand Monitoring, Attack Surface Monitoring, Infrastructure Monitoring and Supply Chain Intelligence to give visibility and context to our customers' initial attack vectors.
CloudSEK SVigil creates a blueprint of an organization's external attack surface, including its core infrastructure, software components and third-party vendors. This blueprint is then scanned for misconfigurations, vulnerabilities and similar weaknesses, helping to prevent potential exploits or cyber attacks targeted at the organization. Visibility into all of a company's vendors, alongside its own attack surface, gives comprehensive coverage of its digital threat landscape. The solution helps prevent cyber attacks with predictive intelligence feeds across the complete supply chain of an organization.