In December 2020, the U.S. government announced that it had fallen victim to what is believed to be the largest security breach in the nation's history. The breach occurred through a seemingly innocuous IT update from the government's network monitoring vendor, SolarWinds.
This monumental breach exposes a novel and powerful method of clandestinely penetrating even the most sophisticated security defenses through third-party vendors: supply chain attacks.
What is a supply chain attack?
A supply chain attack, also known as a third-party attack, is a data breach that occurs through a business's supply chain network. Vendors require access to sensitive data when they are integrated with internal systems. If a vendor is compromised in a cyberattack, its clients could also be breached through this shared pool of sensitive data.
Because supply chain attacks originate on an attack surface outside the victim's direct control, they are difficult to detect before it is too late. And because vendors store sensitive data for multiple clients, a single supply chain attack often results in multiple businesses suffering an intellectual property breach.
Types of supply chain attacks
Software supply chain attacks target either the source code, update mechanism, or build processes of vendor software. A victim could be compromised by any of the following vectors:
- Third-party software updates
- Malware installed on connected devices, for example, external hard drives, cameras, phones, etc.
- Application installers
How does a supply chain attack work?
Supply chain attacks piggyback on legitimate processes to gain uninhibited access to a business's ecosystem.
The attack begins with infiltrating a vendor's security defenses. This is usually much simpler than attacking the victim directly, owing to the unfortunately myopic cybersecurity practices of many vendors.
Penetration could occur via multiple attack vectors. Once injected into a vendor's ecosystem, the malicious code needs to embed itself into a digitally signed process of its host.
This is the key to gaining access to a vendor's client network. A digital signature verifies that a piece of software is authentic to the manufacturer, which permits the software to be distributed to all networked parties.
By hiding behind this digital signature, malicious code is free to ride the steady stream of software update traffic between a compromised vendor and its client network.
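To make concrete what a vendor's digital signature does and does not guarantee, here is an added illustration in Go (example code written for this article, not SolarWinds' code or any vendor's release tooling). It models a release pipeline with Ed25519 signing; the build step, the sample sources, the inert placeholder "implant" string and the reference-build comparison are all constructed assumptions. It shows that code slipped into the tree before signing carries a perfectly valid vendor signature, while a comparison against an independent rebuild of the reviewed sources still catches it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// cleanSources stands in for the vendor's reviewed source tree
// (constructed sample data, not real code from any vendor).
var cleanSources = []string{
	"func collectMetrics() { /* legitimate monitoring code */ }",
	"func reportMetrics()  { /* legitimate monitoring code */ }",
}

// implantSource is a placeholder for code an attacker with control of
// the vendor's build host slips into the tree. It is an inert string.
const implantSource = "func hiddenImplant() { /* placeholder, does nothing */ }"

// Outcome records what the customer's two checks concluded.
type Outcome struct {
	SignatureValid   bool // the vendor's release signature verifies
	MatchesReference bool // the shipped bytes equal an independent rebuild
}

// buildArtifact models the vendor's build step: it turns sources into
// the release artifact. A real build would compile; concatenation is
// enough to show where in the pipeline tampering happens.
func buildArtifact(sources []string) []byte {
	var out bytes.Buffer
	for _, s := range sources {
		out.WriteString(s)
		out.WriteByte('\n')
	}
	return out.Bytes()
}

// signArtifact is the vendor's release-signing step.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// verifyUpdate is the check a customer's update client performs: is
// the signature a valid signature by the vendor's release key over
// exactly these bytes?
func verifyUpdate(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// matchesReferenceBuild is the control the signature does not give:
// compare the shipped artifact with an independent rebuild of the
// reviewed sources (what reproducible builds make possible).
func matchesReferenceBuild(shipped, reference []byte) bool {
	return sha256.Sum256(shipped) == sha256.Sum256(reference)
}

// releaseAndCheck runs one release through the pipeline and the
// customer's checks. injectBeforeSign models a compromised build host
// (code added before signing); tamperAfterSign models modification of
// the already-signed artifact in transit.
func releaseAndCheck(pub ed25519.PublicKey, priv ed25519.PrivateKey, injectBeforeSign, tamperAfterSign bool) Outcome {
	sources := append([]string{}, cleanSources...)
	if injectBeforeSign {
		sources = append(sources, implantSource)
	}
	artifact := buildArtifact(sources)
	sig := signArtifact(priv, artifact)
	if tamperAfterSign {
		artifact = append(append([]byte{}, artifact...), []byte(implantSource+"\n")...)
	}
	reference := buildArtifact(cleanSources)
	return Outcome{
		SignatureValid:   verifyUpdate(pub, artifact, sig),
		MatchesReference: matchesReferenceBuild(artifact, reference),
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean release:           %+v\n", releaseAndCheck(pub, priv, false, false))
	fmt.Printf("tampered after signing:  %+v\n", releaseAndCheck(pub, priv, false, true))
	fmt.Printf("injected before signing: %+v\n", releaseAndCheck(pub, priv, true, false))
}
```

The third line of output is the case described in this article: the signature verifies because the vendor's own key signed bytes that already contained the implant. Client-side signature verification only answers "did the vendor's key sign exactly these bytes?", so the vendor's build environment is inside the trust boundary, and an independently reproducible build (or at least a hash published from a separate, audited build) is what gives a customer something to compare against.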
The malicious payload that compromised the U.S. government was injected into a SolarWinds Dynamic Link Library (.dll) file. This file was a digitally signed asset of the SolarWinds Orion software, the disguise the nation-state hackers needed to gain access to SolarWinds' client base.
Compromised vendors unknowingly distribute malware to their entire client network. The software patches that carry the hostile payload contain a backdoor that communicates with third-party servers; this is the distribution point for the malware.
A popular service provider could infect thousands of businesses with a single update, helping threat actors achieve a higher magnitude of impact with a lot less effort.
SolarWinds announced that up to 18,000 of its customers were infected through its compromised software update, across a wide spectrum of verticals including government, consulting, telecommunications, and technology.
When a victim installs a compromised software update from a service provider, the malicious code is installed with the same permissions as the digitally signed software, and the cyberattack begins.
Once installed, a remote access trojan (RAT) is usually activated to give cybercriminals access to each infected host for sensitive data exfiltration.
The SolarWinds supply chain attack was unique in that the hackers didn't initiate remote control immediately. Rather, the malware lay dormant for two weeks before initiating contact with a command and control server (a remote session manager for compromised systems, also known as C2) via a backdoor.
Each remote connection was initiated to a subdomain of avsvmcloud[.]com containing a string that was unique to each victim. This string, which at first glance seemed like a random arrangement of letters, was an encoded identifier of the victim's local network domain.
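As an added example of how a defender could look for this kind of beaconing in DNS logs (illustrative code written for this article, not from SolarWinds, UpGuard or any published investigation), the Go program below scans constructed sample DNS query lines for two things: any query under the avsvmcloud[.]com domain named above, and a leftmost label that is long and high in entropy, which is what a victim-specific encoded string looks like to someone reviewing logs. The log format, the sample lines, the thresholds and the long labels are all made up; the actual encoding the malware used is not reproduced here.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// knownC2Domain is the domain named in the write-up above. It is written
// defanged in prose; here it must be a real name so suffix matching works.
const knownC2Domain = "avsvmcloud.com"

// Heuristic thresholds for the entropy check (assumed values; tune them
// against your own DNS baseline).
const (
	minLabelLen      = 16
	entropyThreshold = 3.5
)

// Finding is one DNS query that a check flagged for triage.
type Finding struct {
	Line   string
	Name   string
	Reason string
}

// sampleDNSLog is constructed sample data in a simplified
// "<timestamp> <client-ip> <queried-name>" format, not real telemetry.
// The long labels are made-up strings, not any real victim identifier.
var sampleDNSLog = []string{
	"2020-12-14T10:22:01Z 10.0.4.15 www.example.com",
	"2020-12-14T10:22:07Z 10.0.4.15 k3bd7hq2m9x4pzl0tv6ec1.avsvmcloud.com",
	"2020-12-14T10:23:40Z 10.0.9.8 updates.vendor.example",
	"2020-12-14T10:24:12Z 10.0.9.8 r7t2n9qx0cm4hbv8zpld1s6.cdn.example.net",
	"2020-12-14T10:25:55Z 10.0.4.15 mail.example.com",
}

// shannonEntropy returns the per-character entropy of s in bits.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	total := 0
	for _, r := range s {
		counts[r]++
		total++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// scanDNSLog applies two checks to each query: an exact or suffix match
// against the known C2 domain (high confidence), and a long,
// high-entropy leftmost label (a triage hint only, since CDNs and cloud
// services also generate names like that).
func scanDNSLog(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) != 3 {
			continue // malformed line; a real parser would count or log it
		}
		name := strings.ToLower(strings.TrimSuffix(fields[2], "."))
		if name == knownC2Domain || strings.HasSuffix(name, "."+knownC2Domain) {
			findings = append(findings, Finding{line, name, "query to known C2 domain"})
			continue
		}
		label := strings.SplitN(name, ".", 2)[0]
		if len(label) >= minLabelLen && shannonEntropy(label) >= entropyThreshold {
			findings = append(findings, Finding{line, name, "long high-entropy leftmost label"})
		}
	}
	return findings
}

func main() {
	for _, f := range scanDNSLog(sampleDNSLog) {
		fmt.Printf("%-34s %s\n", f.Reason, f.Name)
	}
}
```

On the sample data the domain match fires on the second line and the entropy heuristic on the fourth; the fourth is the kind of hit that needs a human to rule out a legitimate CDN or cloud hostname. Two practical points follow from the article: because the implant waited two weeks before its first beacon, the search has to cover DNS history well before the date an infection is suspected, and because the victim identifier is carried in the name being resolved, DNS query logging (not just proxy or firewall logs) is the data source that captures it.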
The graphic below summarises the SolarWinds supply chain attack operation. The overall process of third-party injection, malware deployment, and initiation of data communications via a backdoor is the basic framework of all supply chain attacks.
The destructive efficiency of this nation-state supply chain attack is evidence of how dangerously vulnerable many businesses are to breaches via their third-party vendors.
Examples of supply chain attacks
Supply chain attacks allow cybercriminals to infect a multitude of victims without having to deploy phishing attacks on each individual target. This increased efficiency has boosted the prevalence of this attack method of late.
Here are some well-known examples of supply chain attacks.
U.S. government supply chain attack
Date: March 2020
This event will likely remain the definitive example of a supply chain attack for years to come. In March 2020, nation-state hackers penetrated internal U.S. government communications through a compromised update from its third-party vendor, SolarWinds.
The attack infected up to 18,000 customers globally, including six U.S. government departments:
- The Department of Energy
- The National Nuclear Security Administration
- The U.S. Department of State
- The U.S. Department of Commerce
- The U.S. Department of the Treasury
- The Department of Homeland Security
Investigations are still ongoing. It may take months, or even years, to discover the final impact of a cyberattack dubbed by experts as one of the most sophisticated supply chain attacks ever deployed.
Target supply chain attack
Date: February 2014
Target USA suffered a significant data breach after cybercriminals accessed the retailer's sensitive data through a third-party HVAC vendor. The attackers accessed Personally Identifiable Information (PII) and financial information, impacting 70 million customers and 40 million debit and credit cards.
The attackers breached the third-party HVAC vendor via an email phishing attack.
Equifax supply chain attack
Date: September 2017
Equifax, one of the largest credit card reporting agencies, suffered a data breach via an application vulnerability on its website. The breach impacted over 147 million of Equifax's customers. The stolen sensitive data included Social Security numbers, driver's license numbers, birth dates, and addresses.
Paradise Papers supply chain attack
Date: November 2017
Confidential offshore investment documents, dubbed the Paradise Papers, were breached via the third-party law firm Appleby. The exposed data comprised 13.4 million investment records of the wealthiest 1%, including Donald Trump, Justin Trudeau, Vladimir Putin's son-in-law, and even Queen Elizabeth.
Panama Papers supply chain attack
Date: April 2016
Panamanian law firm Mossack Fonseca leaked over 2.6 terabytes of sensitive client data in a breach. The breach revealed the devious tax evasion tactics of over 214,000 companies and high-ranking politicians.
Law firms tend to be the most desirable cyberattack targets due to the treasure trove of highly sensitive, and therefore highly valuable, customer data they store on their servers.
Supply chain attack statistics
The adoption of this cyberattack method is growing at an alarming rate. According to a study by Symantec, supply chain attacks increased by 78% in 2019. This prevalence is expected to increase further as threat actors, motivated by the success of the U.S. government breach, switch their preference to this attack method.
The cost of supply chain attacks
The financial impact of a supply chain attack could be monumental, regardless of the size of a business. Multiple factors contribute to the resulting cost such as breach investigation efforts, loss of business due to reputation damage, and regulatory fines.
According to a report from IBM and the Ponemon Institute, the average cost of a data breach in 2020 was USD 3.86 million and the average time to identify and contain a breach was 280 days - that's over 9 months.
The average data breach cost in the United States is the highest at USD 8.19 million per breach.
In the United States, the healthcare and financial industries incur the highest data breach costs due to their stricter regulatory requirements for protecting sensitive data.
The average cost per data breach in the healthcare and finance industries is USD 7.13 million and USD 5.56 million respectively.
In addition to regulatory burdens, the high price of data breaches is a result of the prolonged remediation time of each incident. 280 days is about 75% of the year, which is a significant amount of time to pay for additional corrective action while profit margins dwindle, or even plummet.
The key to driving down costs in the event of a supply chain attack is to have a finely tuned remediation process at hand that can be activated at speed.
Speedy detection and remediation could also minimize the time cyber attackers spend in your ecosystem, which will in turn minimize the amount of compromised sensitive data.
How to mitigate supply chain attacks
The key to mitigating supply chain security risks is to ensure each of your third-party vendors is compliant with the strictest cybersecurity standards, whether or not regulatory requirements are enforced.
Complacency is the primary driver of supply chain attack vulnerability. This is partly because businesses are unaware of how susceptible even the most trusted vendors are to data breaches.
To keep your third-party vendors compliant, security questionnaires should be sent to each of them on a regular basis to continuously scrutinize their security posture.
Each questionnaire should be tailored to a specific industry and adjusted for each business's unique requirements. You could create the questionnaires yourself or, ideally, instantly populate and send them from a sophisticated third-party risk management solution.
To give your business the best chances of mitigating supply chain attacks, these questionnaires should be sent immediately after noticing a drop in the security score for a particular vendor.
Two-factor authentication could also prevent supply chain attacks. If vendors enable this control, threat actors face an additional barrier between themselves and a vendor's internal systems.
UpGuard helps businesses mitigate supply chain attacks
Vendor Risk by UpGuard is the most sophisticated solution for the complete end-to-end management of third-party and fourth-party supply chain risks. The best-in-class cybersecurity platform mitigates supply chain vulnerability in three phases:
All vendors are meticulously scanned for vulnerabilities and given a security score based on over 70 cyber risk factors. With visibility into the most up-to-date security posture of all vendors, organizations can instantly identify any parties that are at risk of a supply chain attack.
2. Assess and remediate
When a vendor's security score drops, they can instantly be scrutinized with a questionnaire from an ever-growing library based on the most secure best practices and regulatory requirements.
Prepare a speedy remediation process by assigning roles and responsibilities to key security team members in the event of a security posture strengthening operation. Keep key stakeholders satisfied with your supply chain risk mitigation efforts with comprehensive executive reporting.
Get a free trial of Vendor Risk by UpGuard
Protect your organization from a devastating supply chain attack, CLICK HERE for a FREE trial of Vendor Risk today!