Supply chain attacks: Examples and how to defend

When you combine third-party vendors that provide service to multiple enterprises with the sheer volume of data these enterprises possess and subsequently share with their vendors, you end up with a giant target for cybercrime. When you add cybercriminals with arsenals of sophisticated hacking capabilities to that mix, you’re looking at a full-on supply chain attack.

What is a supply chain attack?

Think about a typical work environment; there are multiple third-party vendors and applications used to increase efficiency for things like project management, sales, business operations, and more. To enhance communication beyond phone calls and in-person conversations, companies will probably have an email service, instant messaging application, and video conferencing platform in place. These tools likely won’t be developed in-house, nor will they be exclusively used by one company. Thus, they’re privy to sensitive information from all the organizations they deliver services to. Think of what a cyberattacker could have access to if one were to hack into Gmail.

An enterprise’s supply chain is just like this. It consists of all sorts of moving parts, such as software tools from multiple third-party vendors to help with the development and production of a product. It could also include platforms for payment gateways, API providers, or even hardware. All of these are susceptible to the discreet addition of malicious code, which grants a cyberattacker the same privileges and access to sensitive data as its unsuspecting vendor.

Compromising even a single component can turn a vendor’s product, be it software, an application, or hardware, into a delivery service for sensitive data exfiltration capabilities, and because these attacks are able to fly so well under the radar, it can take a vendor quite some time to even realize what’s happening.

Why do supply chain attacks happen?

With enterprises constantly undergoing digital transformations, they’re becoming increasingly more reliant on third-party providers to make their business processes and supply chains more efficient. These transformations aren’t cheap, so it’s common for companies to opt for low-cost tools whenever they can that’ll get the job done fast. These tools, however, tend to lack quality security infrastructures, which leads to technical debt, or problems you’ll have to go back and fix down the road that are significantly more time-consuming and costly to deal with. When the interest on your debt takes the shape of a supply chain attack, the road to repayment is grueling.

While a supply chain attack is one of the more complex cybercrimes to execute, their efficacy makes the effort worthwhile. Cybercriminals can breach multiple targets at once and exfiltrate massive volumes of valuable data from high-profile enterprises for malicious use, all over an extended period of time, since supply chain attacks are notoriously harder to detect.

What are the consequences of a supply chain attack?

Supply chain vendors often need access to an enterprise’s sensitive data for integration with internal systems. If the vendor is compromised, so is the regulated sensitive data it has access to. Not only do vendors and the enterprises they compromise by proxy face severe financial consequences from loss of business, reputational damage, production delays, and remediation time. They also face steep noncompliance fines.

In 2020, the average cost of a data breach was $3.86 million. Industries regulated by stricter data privacy laws, such as healthcare and finance, saw even higher average costs per breach.

Supply chain attack examples

Target

In November 2013, cybercriminals accessed the personally identifiable information (PII) and payment card data of 70 million Target customers via malware installed onto the company’s customer service database. The cybercriminals employed a phishing email to successfully steal credentials from Target’s HVAC vendor, which is how they were able to gain access to the system.

Target paid $18.5 million for the breach.

British Airways

In September 2018, cybercriminals compromised more than 400,000 (or two week’s worth) of credit card transactions between British Airways and its customers. Not only were names, addresses, and card numbers accessed, but CVVs as well. The company kept many of the attack’s details under wraps, but experts believe malicious code was added to the airline’s payment page that extracted credit card data as customers entered it.

British Airways realized it had been breached two months later. It was fined £20 million ($26 million) for having insufficient security measures for processing large volumes of personal data.

SolarWinds

SolarWinds, an IT software provider to a number of high-profile clients, including several federal institutions, was the third-party vendor at the center of one of the most infamous supply chain attacks in recent years. In December 2020, it was publicly announced that six departments of the U.S. government, as well as 18,000 other global customers, were infected with malware delivered through run-of-the-mill software updates for the company’s Orion platform.

What makes this attack interesting is that SolarWinds was a highly reputable vendor, as can be proved by its client list. In order to provide services to government entities, it must demonstrate high-quality, functional security infrastructures. For hackers to have been able to gain access to the SolarWinds network, bypass authentication, and inject malicious code into multiple software updates released over a three-month timeframe — it’s a testament to the sophistication of present-day supply chain attacks.

While the attack is still being investigated, it’s believed that cybercriminals gained access by testing various username and common password combinations (i.e. “solarwind123”) until something worked. Once the code was injected and victims began updating their software with the corrupted code, the attackers were able to harvest identities and other sensitive information they could use to compromise other accounts.

As of the time of this writing, a fine for this supply chain attack has yet to be determined.

How to prepare for supply chain attacks

When it comes to protecting against supply chain attacks, your mindset needs to shift from “if” to “when.” The reality is, supply chain attacks are inevitable nowadays. There are certainly preventative measures you can implement — for example, SolarWinds could’ve mandated more secure, harder-to-guess passwords — but your overall defense plan should account for steps and actions that minimize a supply chain attack’s impact on your organization when it inevitably happens.

Preventative defense measures

  • Discover sensitive data. You need to be aware of all the data your organization possesses so you know what’s at stake and how to sufficiently protect it.
  • Vet your vendors. Companies need to truly know who their suppliers are to ensure they’re not receiving corrupted software or hardware. Are they complying with the strictest of cybersecurity standards and regulations? They need to be.
  • Adopt an assume breach mentality. You say pessimistic, we say realistic. This approach aims to educate all employees in an organization about data breaches, the shapes they can take, how they work, and how to exercise caution when encountering common breach delivery forms, like questionable emails or links, public or unsecured wifi networks, and sharing user access.
  • Classify sensitive data. When you categorize information based on criteria like its level of sensitivity and risk level, you’re able to then assign necessary access privileges and security measures, while also maintaining regulatory compliance.
  • Implement access controls. This will allow sensitive data to be accessed only by those who require it for their day-to-day job functions. It requires users to authenticate themselves and their devices. As mentioned, an automated data classification tool can help streamline this process.
  • Encrypt all data. If an attacker manages to enter your ecosystem, protecting your data at its source can act as a final line of defense. While encryption doesn’t guarantee that your data will be safe should it fall into malicious hands, the decryption process necessary for it to be valuable can buy you time to identify the breach and begin your response plan, mitigating more severe impacts.

Active defense and response strategies

  • Actively monitor data. A big part of why supply chain attacks wreak so much havoc is the length of time it takes for an organization to realize it’s been attacked. With active monitoring that specifically looks for unauthorized or abnormal behavior within files of data and notifies security teams immediately, you can significantly shorten the amount of time an attacker spends in your environment, minimizing the amount of sensitive data compromised in turn.
  • Implement a quality remediation tool. Supply chain attacks are expensive. By cutting down remediation time with intelligent automation that’s capable of safely quarantining, containing, and disposing of infected data, you may be able to save some money as well.
  • Prepare to share news of the breach. Be prepared to disclose your supply chain attack, as well as all pertinent details, with multiple parties, including executives, legal counsel, and regulatory agencies. In addition to helping with containment and future attack prevention, the more details you can provide to regulatory agencies can potentially lessen your punishment. Most importantly, you’ll need to notify affected customers with accurate and timely information about the attack, and have a plan of action to compensate them for any issues they may face as a result of their data being irretrievably lost.

Supply chain defense starts with Spirion

Spirion’s suite of intelligent data security solutions help to reduce the risk of a supply chain attack and mitigate its impact when the worst happens. Discover, classify, and remediate your sensitive data across endpoint devices and the cloud so it can be appropriately secured, continuously monitored for unusual activity, and made less vulnerable to security threats introduced by third-party vendors. Our solutions also seamlessly integrate with a range of other powerful data security tools to offer maximum levels of protection.

Learn how Spirion helps enterprises safeguard what matters most.