A cybersecurity breach on a single company is bad, but when an attack affects potentially hundreds of businesses in that firm’s supply chain, the results can be catastrophic.
Known as ‘software supply chain attacks’ these types of threats hit hard, spread quickly, and can devastate thousands of organizations simultaneously.
Broadly speaking, a software supply chain attack involves inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software.
This article will look at some recent examples of software supply chain attacks, consider the different forms such attacks can take, and explore how both software vendors and their customers can avoid falling victim to this especially damaging security threat.
Examples of software supply chain attacks
First, to understand how software supply chain attacks work, let’s consider two recent high-profile examples.
The SolarWinds attack
The SolarWinds attack was first discovered in December 2020, after a cybersecurity company, FireEye, discovered that some of its software tools had been stolen.
When investigating the theft, FireEye learned that the attackers had gained access to its systems via a third-party software product called Orion; a network monitoring tool supplied by Texas-based software company SolarWinds.
An update to Orion, released nine months earlier, in March 2020, had granted the attackers access to FireEye’s systems. This update enabled the cybercriminals full access to FireEye’s private data, enabling them to exfiltrate the company’s security tools.
But FireEye wasn’t the only company affected by the hack.
FireEye reported its discovery to the National Security Agency (NSA), the U.S. intelligence service tasked with defending the country against cyber threats. This was when the devastating impact of the SolarWinds attack became apparent.
The NSA revealed that it also used SolarWinds—together with the U.S. Treasury, the Department for Homeland Security, and the National Nuclear Security Administration.
In fact, twelve U.S. Federal Government departments were compromised by the malicious SolarWinds update, along with thousands of other organizations around the world.
All the attackers had to do was insert malicious code into SolarWinds’ software update, and let SolarWinds distribute the malware among the companies downstream in its supply chain.
This ease of distribution is what makes supply chain attacks so effective for the attackers, and so devastating for the victims.
The Kaseya attack
In response to SolarWinds, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. But in July 2021, less than two months after Biden’s order passed, another colossal software supply chain attack occurred, this time originating from Miami-based software firm Kaseya.
Like SolarWinds, Kaseya provides network monitoring tools and it sits at the start of a very long supply chain. The Kaseya attack started when ransomware gang REvil inserted malicious code into an update for Kaseya’s Virtual System Administrator (VSA) software.
After updating VSA with the malicious code, Kaseya’s customers found their systems were inaccessible due to ransomware. REvil claimed that over one million companies had been affected, whereas Kaseya put the number between 800 and 15,000.
Either way, the attack caused havoc for thousands of people, and its effects were felt far and wide. Even a Swedish supermarket chain had to temporarily close when its payment processing equipment malfunctioned due to the attack.
The Kaseya ransomware is another example of how software supply chain attacks can grow almost exponentially around the globe. Hack one Miami-based software company, and the next day a Swedish supermarket could be considering whether to pay you a ransom to decrypt its files.
Types of software supply chain attacks
Software supply chain attacks are just one type of supply chain attack (we’ll look at another type of supply chain attack below). But there are also different subtypes of software supply chain attacks that security-conscious organizations need to understand.
The National Institute of Standards and Technology (NIST) identifies six types of software supply chain attacks:
- Design: Malicious actors can hijack a product’s initial design process to install or corrupt software. In 2016, a U.S. manufacturer shipped phones with malicious software that recorded users’ phone calls and texts.
- Development and production: Threat actors persist in an upstream company’s networks and infiltrate its downstream customers. The SolarWinds attack is an example of this type of supply chain attack.
- Distribution: The initial attack occurs between the manufacture of a product and its acquisition by end-users. For example, a 2012 investigation found pre-installed malware apps on retail desktop and laptop computers.
- Acquisition and deployment: Software companies can be acquired or influenced by malicious actors to spy directly on end-users. NIST cites a 2017 incident involving Kaspersky Antivirus.
- Maintenance: Backdoors can be embedded in routine updates, allowing cybercriminals to access the computers that install them. Both SolarWinds and Kaseya attacks leveraged this technique.
- Disposal: Improper wiping of hardware can lead to “data spillage,” enabling downstream actors purchasing or disposing of the equipment to access software or information on the device.
How to prevent software supply chain attacks
Two main actors in the supply chain can help detect and prevent software supply chain attacks:
- The upstream companies who distribute software into the supply chain (vendors)
- The downstream organizations who purchase and use that software (customers)
Here’s how each of these parties can defend against this type of threat.
Vendors developing commercial software must be extremely diligent before releasing their products into the supply chain.
- Apply strong security standards at every stage of production as well as across your organization. Ensure your systems aren’t vulnerable to cyberattacks like phishing, SQL injection, or man-in-the-middle attacks.
- Carefully vet and document any third-party code employed in your development process.
- Maintain a library of any open-source code libraries you use. Carefully monitor any changes or security updates to the code.
- Implement a cyber security framework to ensure your organization meets good cybersecurity standards.
Once compromised software is installed on a company’s systems, there’s little they can do to stop the damage. As such, organizations must do everything reasonably possible to avoid installing compromised software or acquiring compromised hardware. Here’s some of the things you can do to mitigate that risk.
- Implement a cyber supply chain risk management (C-SCRM) program so you can fully account for all suppliers and products in your supply chain.
- Engage with your software suppliers to understand how they identify vulnerabilities and prevent cyber risks.
- Request a software component inventory from your software suppliers and consider changing suppliers if they cannot provide one.
- Monitor and defend endpoints to contain the spread of any malware infections.
- Implement a cyber security framework to ensure your organization meets good cybersecurity standards and can respond effectively to email supply chain attacks.
Software supply chain attacks: just one type of supply chain attack
Attacking software is just one of several ways cybercriminals can leverage the interconnected nature of supply chains.
Another is email-based supply chain attacks, this is when cybercriminals hack vendors’ email accounts to deliver highly convincing phishing emails. Email-based supply chain attacks are sometimes called Account Takeover attacks.
The Nobelium email campaign, conducted by the same actors who hit SolarWinds, is an example of an email supply chain attack: 150 government agencies, think tanks, and NGOs, received phishing emails after the cybercriminal hacked email provider Constant Contact.
The good news is that email-based supply chain attacks, while potentially devastating, are avoidable by using an effective email security tool like Tessian.
Tessian scans inbound emails to detect anomalies such as malicious links, inauthentic sender addresses, and signs of inconsistent language or behavior that suggest an email’s sender is not who they say they are.
Read more about how Tessian’s machine learning-powered technology helps detect and defend against email-based supply chain attacks and other phishing threats.