Cybersecurity Deep-Dive: What is a Supply-Chain Attack?

By Alex Popa, Cybersecurity Journalist. 18 November 2023

Fact-checked by Miklos Zoltan

A supply-chain attack happens when a hacker targets a weaker, less secure third-party supplier in order to reach the intended, better-protected target.

Usually, this takes the form of a supply chain in which multiple companies work together in a network and have partial access to each other’s systems.

Supply-chain attacks have two attack vectors:

  • Software supply-chain attacks, where hackers infect an app or a piece of software to compromise user devices or gain access to a company’s databases
  • Hardware supply-chain attacks, where the hackers infect the physical components of a product for the same purpose

Software supply-chain attacks are much more common nowadays due to the sheer size of the software industry. Moreover, many apps and online services are not built from scratch.

They contain a lot of third-party components, code, APIs, and so on. These are what hackers use to gain access to the company’s systems.

How Do Supply-Chain Attacks Work?

Let me use a famous data breach to exemplify how supply-chain attacks work – the Target attack in 2013:

  • In 2013, the US retailer Target suffered one of the largest supply-chain attacks in history
  • 40 million debit and credit card numbers of its customers were leaked
  • The hackers introduced malware into the company’s POS systems, which spread to more than 1,800 of Target’s stores
  • It is estimated that the initial infiltration took place in Target’s third-party supplier of heating, ventilation and air conditioning system (HVAC)
  • After infecting the HVAC supplier, they stole passcode credentials that provided them access into Target’s back-end system

This is a classic case of a supply-chain attack. The intended victim was Target, but the hackers didn’t attack it head-on.

Instead, they went for the unexpected. They attacked a less secure third-party supplier of Target, stole its passcode credentials, and entered Target’s systems.

They then installed malware that spread to almost 2,000 of Target’s stores nationwide, stealing over 40 million credit and debit card numbers.

This attack was so effective because it was unexpected. Every company expects to be attacked head-on by hackers, and that’s why they invest so much in robust cybersecurity systems.

But hackers got smart and realized they’d have more success by going after the weakest link in the network – the HVAC supplier in this case.

So, here are the basics of supply-chain attacks:

  1. Identify the main target
  2. Research its third-party network and supply-chain
  3. Identify the most vulnerable third-party in the supply-chain that has access to the main target’s systems
  4. Hack the third-party, either obtaining access codes to the main target or placing a worm or malware in a supply product that reaches the main target
  5. Gain access to the main target’s systems and proceed with the heist

Five simple steps to hack a company.

This formula seems so simple and yet it is so difficult to counter. That’s mainly because it’s hard to ensure that all your suppliers employ airtight cybersecurity systems.

Cybersecurity is almost always a weakest-link dilemma. A company’s cybersecurity system is as strong as its weakest link.

Even the most robust security solutions fail miserably when the hackers use a moment of inattention from a company employee to steal access credentials, bypassing the security system entirely.

4 Largest Supply-Chain Attacks

I have four infamous supply-chain attacks to tell you about, some of which happened recently. Take a look:

1. SolarWinds

  • When: 2020
  • What: US government offices and technology organizations worldwide
  • How: The hackers created a backdoor into the government’s software update supplier, SolarWinds. More than 18,000 companies and government offices downloaded a Trojan horse that they thought was a regular software update.

The SolarWinds attack emphasizes two core factors behind supply-chain attacks:

  • They come from unexpected sources
  • They arrive in expected packages

In this case, the attack came from an unexpected source (SolarWinds software supplier) but came in a package everyone expected and trusted (software updates).

None of the government officials had any doubt that what they were installing that day was just another software update. They’d done this a thousand times before. It wasn’t going to be any different this time.

But it was.

Through the backdoor into SolarWinds, the hackers spied on all the organizations who had installed the update, accessed their data, performed data breaches, and more.

2. Kaseya

  • When: July 2021
  • What: Ransomware attack affecting over 1,000 businesses, with victims in at least 17 countries
  • How: Exploitation of Kaseya, a software company that offered software for Managed Security Service Providers (MSPs)

Back in July 2021, the REvil ransomware gang, a known pro-Russian hacker group, hacked Kaseya, a cloud-based managed security services provider.

The company offers monitoring and patch management to its clients and operates in the cloud.

This was a global-scale supply-chain attack that used a zero-day vulnerability in the Kaseya VSA servers. The company already knew about the vulnerability and was in the process of patching it.

However, REvil managed to exploit the vulnerability before the patch came out, and infected the whole system. They demanded ransoms ranging from $45,000 to $5,000,000.

The hackers distributed an encryption file through the cloud to all of Kaseya’s customers. They also disabled Microsoft Defender mechanisms where necessary and avoided antivirus detection by using an older version of Microsoft’s antivirus.

By utilizing these attack pathways, REvil was able to expand the distribution radius of its ransomware multiple-fold.

3. Codecov

  • When: January 2021
  • What: Customer data
  • How: Installation of a backdoor into the Codecov Bash uploader script, resulting in a supply-chain attack spreading to Codecov’s customers

In short, Codecov is a software testing organization. It provides code-coverage tools to its customers.

In January 2021, it suffered a data breach in which hackers modified its Bash uploader script to redirect customer data and other sensitive information to a private server that they owned.

This attack followed the supply-chain formula because the modified script spread to individual customers of Codecov as they downloaded it.

The larger attack radius was made possible by the fact that Codecov acted as a software supplier to its clients.
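Both the SolarWinds case (a trojanized update arriving in an expected package) and the Codecov case (a modified uploader script fetched at build time) are caught by the same defensive habit: never execute a downloaded artifact until its digest matches a value pinned from an independent channel. The following is an added example, not part of the article and not Codecov's or SolarWinds' own tooling; the artifact names, bodies and the pin manifest are constructed for the demo.

```python
"""Added example: gate execution of downloaded artifacts (scripts, updates)
behind a SHA-256 pin check. A copy modified after review fails the comparison
and is never run. All artifacts and digests here are constructed samples."""

import hashlib
import hmac
from typing import Dict, List

# Constructed "known good" artifacts, standing in for a vendor script and an update.
GOOD_ARTIFACTS: Dict[str, bytes] = {
    "uploader.sh": b"#!/bin/bash\nset -e\necho 'uploading coverage report'\n",
    "agent-update.bin": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed-update-body",
}

# The pin manifest you would keep in your own repository (or obtain from the
# vendor over a separate channel), recorded when the artifact was first reviewed.
# Computed from the good copies here only so the demo is self-contained.
PINNED_SHA256: Dict[str, str] = {
    name: hashlib.sha256(body).hexdigest() for name, body in GOOD_ARTIFACTS.items()
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """True only if the digest matches; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def check_download_set(downloaded: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of artifacts that must NOT be used: either unknown to the
    manifest or failing their pinned digest. An empty list means all checked out."""
    rejected = []
    for name, body in downloaded.items():
        expected = manifest.get(name)
        if expected is None or not verify_artifact(body, expected):
            rejected.append(name)
    return rejected


def run_if_trusted(name: str, data: bytes, manifest: Dict[str, str]) -> str:
    """Put the digest check in front of the execution step; raise instead of running."""
    if check_download_set({name: data}, manifest):
        raise RuntimeError(f"{name}: digest mismatch, refusing to execute")
    # The real execution (e.g. subprocess.run) would go here; the demo only reports.
    return f"{name}: verified, proceeding"


if __name__ == "__main__":
    tampered = GOOD_ARTIFACTS["uploader.sh"] + b"echo 'line injected after review'\n"
    print(check_download_set({"uploader.sh": tampered}, PINNED_SHA256))
    print(run_if_trusted("agent-update.bin", GOOD_ARTIFACTS["agent-update.bin"], PINNED_SHA256))
```

The pin must come from somewhere other than the download location itself; a digest published next to the artifact on the same server is replaced along with the artifact when that server is compromised.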

4. NotPetya

  • When: 2017
  • What: $10 billion worth of damage worldwide
  • How: NotPetya malware infiltrated computers around the world

NotPetya is one of the most infamous cyberattacks in history. It was attributed to Russia by Ukraine, the US, the UK, Canada, and Australia. It was effectively an act of cyber-war.

The malware became well-known after it attacked Mondelez, a multinational food company based out of Chicago. After it infected their systems, the malware disrupted the email systems, file access, and logistics for several weeks.

Mondelez filed an insurance claim for $100 million with its insurer, Zurich. However, Zurich refused to pay, citing the fact that NotPetya was a warlike action and thus was not covered by the policy.

This became the headline of every news station in the world back then. Mondelez took the matter to court and the trial still hasn’t concluded.

While it’s unclear how the malware spread, it’s believed that it was a supply-chain attack.

Prevention Methods Against Supply-Chain Attacks

Supply-chain attacks are not impossible to counter. There are verified methods that mitigate them partially or completely:

1. Zero Trust Architecture (ZTA)

A Zero Trust Architecture relies on the “never trust, always verify” core principle. It assumes that any traffic might be malicious, no matter its source.

Therefore, any connection request that wants to access IP (intellectual property) or sensitive data needs to go through a strict verification process.

Only after it passes the verification is the request honored and it gains access to the company’s assets.

Usually, a good ZTA:

  • Requires initial authentication for anyone inside or outside the company’s network
  • Requires authorization for accessing company files and data
  • Requires continuous validation to obtain and retain access to the network

This type of security mitigates lateral movement through the company’s network. So, even if attackers gain initial access, ZTA ensures that they cannot spread to other systems in the network.

Every system requires its own authorization and validation, including from agents inside the network.
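The three requirements listed above (initial authentication, per-resource authorization, continuous validation) can be written down as a small request evaluator. The following is an added example, not from the article or from any Zero Trust product; the users, resources, session lifetime and timestamps are constructed for the demo.

```python
"""Added example: a minimal per-request policy evaluator in the Zero Trust style.
Every request needs an authenticated session, MFA, explicit authorisation for
the specific resource, and a recent verification. The caller's network location
is deliberately not an input, so an 'inside' caller gets no shortcut."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SESSION_TTL = 600   # constructed lifetime in seconds before re-authentication is required


@dataclass
class Session:
    user: str
    issued_at: int        # constructed epoch-seconds timestamp of the last verification
    mfa_verified: bool


@dataclass
class Policy:
    # resource name -> users explicitly granted access to it (default: nobody)
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def evaluate(session: Optional[Session], resource: str, policy: Policy, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; each check is a Zero Trust requirement."""
    if session is None:
        return False, "unauthenticated"          # initial authentication, inside or outside
    if not session.mfa_verified:
        return False, "mfa-required"
    if now - session.issued_at > SESSION_TTL:
        return False, "session-expired"          # continuous validation to retain access
    if session.user not in policy.acl.get(resource, set()):
        return False, "not-authorised"           # per-resource authorisation, default deny
    return True, "ok"


def simulate_lateral_move(session: Session, resources, policy: Policy, now: int) -> Dict[str, str]:
    """What one compromised session can reach: only the resources its user is
    explicitly granted, which is how ZTA limits spread after an initial access."""
    return {r: evaluate(session, r, policy, now)[1] for r in resources}


if __name__ == "__main__":
    policy = Policy(acl={"hr-db": {"alice"}, "build-server": {"alice", "bob"}})
    compromised = Session(user="bob", issued_at=1_000, mfa_verified=True)
    print(simulate_lateral_move(compromised, ["hr-db", "build-server", "finance-share"], policy, now=1_100))
```

Note that a resource absent from the ACL is denied to everyone; default deny is what makes the "every system requires its own authorization" rule hold without a per-system exception list.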

2. Honeytokens

Honeytokens are essentially bait for hackers. They appear as valuable data and will send a network-wide alarm when hackers interact with them.

Their sole purpose is to act as decoys and warn the network administrator that there’s a data breach ongoing.

They’ve proven extremely effective at combating supply-chain attacks, among other intrusions. Through honeytokens, a company can learn:

  • How the attacker gained access to the system
  • What infiltration method they’re using
  • What resources the attacker is targeting
  • Where the attacker is located and their identity (if they’re not using a firewall)

So, when used correctly (and if the hacker is oblivious enough), honeytokens can prove instrumental in stopping data breaches and capturing the criminal red-handed.
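To make the mechanism concrete, here is an added example that is not part of the article: a decoy access key ID is planted where an intruder would find it, and the authentication log is scanned for any use of it. Because no legitimate process ever presents the decoy, every hit is a true positive and already answers three of the questions above (where the access came from, when, and which resource was targeted). The key ID and the log lines are constructed samples, not real credentials or real logs.

```python
"""Added example: detect use of a planted decoy credential (honeytoken) in a
key=value authentication log and summarise the attacking sources."""

import re
from collections import Counter
from typing import Dict, List

# Constructed decoy key ID. It has the shape of a cloud access key ID but is fake;
# the matching secret is never valid, so presenting it can only raise an alert.
HONEYTOKEN = "AKIAHONEYTOKEN00EXAMPLE"

# Constructed sample authentication log (one event per line).
SAMPLE_LOG = """\
ts=2023-11-18T10:02:11Z src=10.20.3.4 user=svc-backup key=AKIAREALKEY0000000001 action=GetObject result=ok
ts=2023-11-18T10:05:48Z src=203.0.113.77 user=unknown key=AKIAHONEYTOKEN00EXAMPLE action=ListBuckets result=denied
ts=2023-11-18T10:06:02Z src=203.0.113.77 user=unknown key=AKIAHONEYTOKEN00EXAMPLE action=GetObject result=denied
ts=2023-11-18T10:09:30Z src=10.20.3.9 user=alice key=AKIAREALKEY0000000002 action=PutObject result=ok
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'k=v k=v' log line into a dict; an unparseable line yields an empty dict."""
    return dict(FIELD_RE.findall(line))


def detect_honeytoken_use(log_text: str, token: str = HONEYTOKEN) -> List[Dict[str, str]]:
    """One alert per event that presented the decoy, whatever the result: even a
    'denied' response proves the intruder has read the planted credential."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("key") == token:
            alerts.append({
                "ts": ev.get("ts", ""),
                "src": ev.get("src", ""),          # where the access came from
                "action": ev.get("action", ""),    # which resource was targeted
                "severity": "critical",
            })
    return alerts


def sources_by_count(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Group alerts by origin so the responder sees one line per attacking source."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    hits = detect_honeytoken_use(SAMPLE_LOG)
    for a in hits:
        print(f"[{a['severity']}] {a['ts']} decoy key used from {a['src']} for {a['action']}")
    print(sources_by_count(hits))
```

The alert fires on the first presentation of the decoy, which is usually well before any real data leaves the network; that early signal is the whole value of the technique.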

3. Proactive Cybersecurity

Any online business should assume that they will suffer a data breach. It’s not a matter of “if” but a matter of “when”.

This simple change in mentality means that you will implement more proactive security measures instead of relying on defense all the time.

This could mean assessing all possible points of entry into your company’s network, developing mitigation strategies for all vulnerable vectors, and cultivating awareness.

Here’s what you can do proactively:

  • Cybercrime awareness training for your employees
  • Employ Information Security Policies (ISP) to require validation and approval for access to your internal processes
  • Employ the Principle of Least Privilege (POLP), which limits the number of employees who have access to sensitive resources. The fewer people with access, the more airtight the system becomes
  • Use antivirus/antimalware software (ideally premium) to implement a comprehensive security solution that scans for local threats, online threats, insecure Wi-Fi connections, and so on
  • Implement Two-Factor Authentication (2FA) to prevent unauthorized access. According to Microsoft, 2FA could block as much as 99.9% of all automated cyberattacks

Proactivity instead of passivity is the key to a robust solution against supply-chain attacks.

4. Monitoring of Third-Party Collaborators

As I keep saying, your security system is as strong as your weakest link. And often, those weak links are your third-party collaborators.

If they’re small-scale companies, their cybersecurity systems may not be as advanced. Employee cybercrime awareness may be non-existent or limited, or they may have vulnerabilities in their systems.

It’s your job to monitor network vulnerabilities and see whether your vendors might contribute to a data leak through insecure access channels.

To mitigate this, you should implement a Third-Party Risk Management strategy:

  • Identify all your third-party collaborators
  • Find out what cybersecurity risks they face
  • Identify potential repercussions on your firm if the third parties suffer data leaks
  • Implement safeguards that protect your system against that possibility (additional security policies, regular monitoring, regular assessments, etc.)
  • Create an incident response plan in case a data breach occurs

Prevention trumps everything when it comes to cyber-threats. You can’t possibly predict when an attack will occur and what infiltration method it’ll be using. What you can do is prepare as best as you can.

5. Network Segmentation

Another easy way of protecting your databases and systems is to segment your network into smaller networks.

Remember, a supply-chain attack works by infiltrating a network and spreading across multiple end-points and software.

By segmenting the network, you effectively limit the spread radius of malware after the initial access.

There’s also a well-defined method of segmenting your network – you identify your business functions (product development, supply, marketing, social media, etc.) and use that as a basis.

So, you’ll have the overall network split into:

  • Product development network segment
  • Supply network segment
  • Social media network segment
  • And so on…

Once a supply-chain attack occurs, it won’t affect your entire network but only a part of it, depending on where the initial access took place.

If only your supply network segment was affected, then you can channel all cybersecurity efforts to that part of the network.

Both attack prevention and mitigation become more effective once network segmentation is achieved.

In the best of cases, it can even render supply-chain attacks harmless because it localizes them.
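The "spread radius" argument above can be checked rather than asserted: model the allowed flows between segments as a directed graph and compute what an intruder starting in one segment can reach. The following is an added example, not from the article; the segment names follow the business-function split above, but the policy itself is constructed for the demo and is not a real organisation's layout.

```python
"""Added example: compute the blast radius of an initial access under a flat
network policy versus a segmented one, using breadth-first search over the
segments each segment is allowed to open connections to."""

from collections import deque
from typing import Dict, Set

Policy = Dict[str, Set[str]]   # source segment -> segments it may open connections to

SEGMENTS = ["product-dev", "supply", "marketing", "social-media"]


def flat_policy(segments) -> Policy:
    """An unsegmented network: every segment can reach every other one."""
    return {s: set(segments) for s in segments}


# Constructed segmented policy: each segment talks only to itself, except that
# product-dev is allowed to pull from supply (one direction only).
SEGMENTED_POLICY: Policy = {
    "product-dev": {"product-dev", "supply"},
    "supply": {"supply"},
    "marketing": {"marketing"},
    "social-media": {"social-media"},
}


def blast_radius(policy: Policy, start: str) -> Set[str]:
    """Every segment reachable from the compromised one by following allowed flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in policy.get(cur, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def containment_report(policy: Policy, segments) -> Dict[str, int]:
    """Number of segments reachable from each possible initial-access point."""
    return {s: len(blast_radius(policy, s)) for s in segments}


if __name__ == "__main__":
    print("flat:     ", containment_report(flat_policy(SEGMENTS), SEGMENTS))
    print("segmented:", containment_report(SEGMENTED_POLICY, SEGMENTS))
```

The one-directional product-dev to supply flow shows the residual risk the article's "depending on where the initial access took place" hints at: a compromise that starts in product-dev still reaches supply, while one that starts in supply stays in supply. Reviewing the report for entries larger than 1 is a quick way to find the flows that widen the radius.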

To Sum Up…

Supply-chain attacks are incredibly versatile in their attack patterns. They almost always come from the most unexpected sources, and when you notice the data breach, it’s already too late.

But there are ways to fight against them:

  • Zero-Trust Architecture
  • Honeytokens
  • Proactive Security
  • Monitoring of Third-Party Collaborators
  • Network Segmentation

Implementing these measures should protect you against the vast majority of supply-chain attacks.

But always assume the worst. It’s only a question of “when”, not “if” you’ll go through a data breach. Cybercriminals are always evolving, the infiltration methods get more insidious, and it’s harder to catch them.

Having an incident response plan ready for when the next infiltration occurs is still the best proactive move you can have!

Sources

Red River: Warnings (& Lessons) of the 2013 Target Data Breach
Check Point: SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected?
Check Point: “Kaseya Attack”: Over 1,000 Organizations Globally Attacked on Fourth of July Weekend, Biggest Supply Chain Attack Since Sunburst
GitGuardian: Codecov Supply Chain Breach – Explained Step by Step
Brookings: How the NotPetya Attack Is Reshaping Cyber Insurance
ColorTokens: 10 Reasons Why Enterprises Need Zero Trust Security
CrowdStrike: What Are Honeytokens?
UpGuard: What Is an Information Security Policy?
UpGuard: What Is the Principle of Least Privilege?
HealthITSecurity: Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks
BlueVoyant: Third-Party Risk Management (TPRM): A Complete Guide
Palo Alto Networks: What Is Network Segmentation?
