Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.
A cybersecurity breach on a single company is bad, but when an attack affects potentially hundreds of businesses in that firm’s supply chain, the results can be catastrophic.
Known as ‘software supply chain attacks’, these threats hit hard, spread quickly, and can devastate thousands of organizations simultaneously.
Broadly speaking, a software supply chain attack involves inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software.
This article will look at some recent examples of software supply chain attacks, consider the different forms such attacks can take, and explore how both software vendors and their customers can avoid falling victim to this especially damaging security threat.
First, to understand how software supply chain attacks work, let’s consider two recent high-profile examples.
The SolarWinds attack was first discovered in December 2020, after a cybersecurity company, FireEye, discovered that some of its software tools had been stolen.
When investigating the theft, FireEye learned that the attackers had gained access to its systems via a third-party software product called Orion, a network monitoring tool supplied by Texas-based software company SolarWinds.
An update to Orion, released nine months earlier, in March 2020, had granted the attackers access to FireEye’s systems. This update gave the cybercriminals full access to FireEye’s private data, enabling them to exfiltrate the company’s security tools.
But FireEye wasn’t the only company affected by the hack.
FireEye reported its discovery to the National Security Agency (NSA), the U.S. intelligence service tasked with defending the country against cyber threats. This was when the devastating impact of the SolarWinds attack became apparent.
The NSA revealed that it also used SolarWinds—together with the U.S. Treasury, the Department of Homeland Security, and the National Nuclear Security Administration.
In fact, twelve U.S. Federal Government departments were compromised by the malicious SolarWinds update, along with thousands of other organizations around the world.
All the attackers had to do was insert malicious code into SolarWinds’ software update, and let SolarWinds distribute the malware among the companies downstream in its supply chain.
This ease of distribution is what makes supply chain attacks so effective for the attackers, and so devastating for the victims.
In response to SolarWinds, President Biden enacted his Executive Order on Improving the Nation’s Cybersecurity. But in July 2021, less than two months after Biden’s order passed, another colossal software supply chain attack occurred, this time originating from Miami-based software firm Kaseya.
Like SolarWinds, Kaseya provides network monitoring tools, and it sits at the start of a very long supply chain. The Kaseya attack started when the ransomware gang REvil inserted malicious code into an update for Kaseya’s Virtual System Administrator (VSA) software.
After Kaseya’s customers installed the VSA update carrying the malicious code, they found their systems inaccessible due to ransomware. REvil claimed that over one million companies had been affected, whereas Kaseya put the number between 800 and 15,000.
Either way, the attack caused havoc for thousands of people, and its effects were felt far and wide. Even a Swedish supermarket chain had to temporarily close when its payment processing equipment malfunctioned due to the attack.
The Kaseya ransomware is another example of how software supply chain attacks can grow almost exponentially around the globe. Hack one Miami-based software company, and the next day a Swedish supermarket could be considering whether to pay you a ransom to decrypt its files.
Software supply chain attacks are just one type of supply chain attack (we’ll look at another type of supply chain attack below). But there are also different subtypes of software supply chain attacks that security-conscious organizations need to understand.
The National Institute of Standards and Technology (NIST) identifies six types of software supply chain attacks:
Two main actors in the supply chain can help detect and prevent software supply chain attacks:
Here’s how each of these parties can defend against this type of threat.
Vendors developing commercial software must be extremely diligent before releasing their products into the supply chain.
Once compromised software is installed on a company’s systems, there is little the company can do to stop the damage. As such, organizations must do everything reasonably possible to avoid installing compromised software or acquiring compromised hardware. Here are some of the things you can do to mitigate that risk.
Attacking software is just one of several ways cybercriminals can leverage the interconnected nature of supply chains.
Another is the email-based supply chain attack, in which cybercriminals hack vendors’ email accounts to deliver highly convincing phishing emails. Email-based supply chain attacks are sometimes called Account Takeover attacks.
The Nobelium email campaign, conducted by the same actors who hit SolarWinds, is an example of an email supply chain attack: 150 government agencies, think tanks, and NGOs received phishing emails after the attackers compromised email provider Constant Contact.
The good news is that email-based supply chain attacks, while potentially devastating, are avoidable by using an effective email security tool like Tessian.
Tessian scans inbound emails to detect anomalies such as malicious links, inauthentic sender addresses, and signs of inconsistent language or behavior that suggest an email’s sender is not who they say they are.
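Some of the sender-side signals listed above (an inauthentic sender address, a display name that does not match the domain, a link whose visible text points somewhere other than its target) can be checked mechanically. The following is an added illustration, not Tessian's product code or any detail of how its models work; the vendor allow-list, the two sample messages and the lookalike threshold are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list: vendors this organization deals with and the
# domains each one legitimately sends from (constructed for this example).
KNOWN_VENDORS = {
    "solarwinds": {"solarwinds.com"},
    "kaseya": {"kaseya.com"},
}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_vendor(domain: str):
    """Return the vendor whose real domain this one imitates, if any."""
    for vendor, domains in KNOWN_VENDORS.items():
        for real in domains:
            if domain != real and edit_distance(domain, real) <= 2:
                return vendor
    return None


def analyze(raw: str) -> list:
    """Return a list of human-readable anomaly findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name claims a known vendor, but the address is not that vendor's.
    for vendor, domains in KNOWN_VENDORS.items():
        if vendor in display.lower() and from_dom not in domains:
            findings.append(f"display name claims {vendor} but sender domain is {from_dom}")

    # 2. Sender domain is a near-miss of a vendor domain we know.
    imitated = lookalike_vendor(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} resembles {imitated}")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. The receiving MTA recorded a non-passing SPF/DKIM/DMARC result.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 5. Link text shows one host while the href points at another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        shown = re.search(r"https?://\S+", text)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            findings.append(
                f"link text shows {urlparse(shown.group(0)).hostname} "
                f"but points to {urlparse(href).hostname}"
            )
    return findings


# Constructed sample messages (not real traffic). The first imitates a vendor
# with a digit-for-letter domain, diverts replies, fails SPF and hides the
# real link target; the second is a clean vendor notification.
SUSPICIOUS = """\
From: "SolarWinds Support" <updates@so1arwinds.com>
Reply-To: billing@mail-relay.example
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=so1arwinds.com; dkim=none
Subject: Urgent: apply Orion hotfix
Content-Type: text/html

<p>Please apply the update: <a href="http://198.51.100.7/orion.msi">https://downloads.solarwinds.com/orion.msi</a></p>
"""

LEGITIMATE = """\
From: "Kaseya" <noreply@kaseya.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=kaseya.com; dkim=pass header.d=kaseya.com
Subject: VSA release notes
Content-Type: text/html

<p>Release notes: <a href="https://kaseya.com/notes">https://kaseya.com/notes</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, analyze(raw))
```

Each finding is a weak signal on its own; a vendor's real mail can legitimately set a different Reply-To, and a lookalike check with a small edit-distance threshold will flag some unrelated short domains. The value is in combining them and in the allow-list being maintained from a trusted record of who your vendors actually are, which is the part no header check can supply.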
Read more about how Tessian’s machine learning-powered technology helps detect and defend against email-based supply chain attacks and other phishing threats.