Confronting the alarming rise of supply chain attacks

Kamil Fedorko, Global Cybersecurity Practice Leader at Intellias, discusses the escalating threat of supply chain attacks and emphasises the need for comprehensive defense strategies to mitigate risks.

Supply chain attacks remain one of the most serious threats to cyber security that exist today. With the number of attacks increasing by nearly 750% per year between 2019 and 2022, it’s clear that threat actors have identified increasingly integrated digital supply chains as an extremely effective and lucrative way to gain access to networks and data.

The main challenge lies in securing what can be extremely complex supply chains, not least because vulnerabilities can be introduced or exploited by threat actors at any stage. Typically, these attacks succeed when cyber criminals manage to infiltrate technology infrastructure indirectly by exploiting weaknesses in less secure suppliers, vendors, or partners of the actual target organisation.

Although the concept of attacking digital supply chains has been around for many years, incidents only started gathering significant attention following the massive SolarWinds breach in 2020, which impacted thousands of public and private sector organisations globally. This was followed by many more breaches, such as those involving Kaseya and Quanta in 2021 and high-profile attacks on Okta and Kojima Industries Corp last year, which collectively are estimated to have cost around $60bn.

A closer look at the significant incidents that have taken place this year reveals the extensive damage a single vulnerability can cause. The MOVEit flaw, identified in June, set off a series of major breaches, incurring costs of nearly $10bn for businesses and impacting over 1,000 organisations.

It also underlined a strategic shift in criminal tactics, with perpetrators increasingly focusing on supply chains rather than individual companies, adopting broader, less targeted approaches in the process.

For many threat actors, it makes more sense to compromise the entire underlying platform rather than a single element, because doing so has the potential to yield significantly greater results. Attacking a virtualiser (hypervisor), for example, which governs numerous virtual machines (VMs), is more effective than targeting a single VM, just as it’s more effective to bypass the login of an enterprise server than to target an individual employee.


Dissecting the threat and escalating dangers

Supply chain attacks can generally be divided into two overall types: macro and micro attacks. Macro attacks target widely used corporate systems, such as the MOVEit file transfer technology, and are responsible for many of the most notable and harmful incidents in recent times. Micro attacks, however, focus on specific technologies, like open-source repositories where access is public.

Despite macro attacks being used in the most high-profile supply chain breaches, the risks posed by micro attacks are equally important. Vulnerabilities in services and software, such as Log4Shell, ProxyLogon, Spring4Shell, Confluence RCE, and ICMAD SAP, may not traditionally be viewed as supply chain attacks.

However, entities like Advanced Persistent Threat (APT) groups and government-backed hacking units often exploit these more targeted vulnerabilities with significant success.

Put this all together, and it’s easy to understand why the use of advanced ransomware and malware in supply chain attacks continues to grow.

In addition, threat actors are now writing malware payloads in modern languages such as Rust and Go, which contributes to a higher attack success rate. Even more concerning for security and IT teams is that almost all ransomware infiltrations take less than four hours to execute, with the fastest attacks taking control of systems in less than 45 minutes, according to industry data.

Once control has been lost, recovery can be extremely difficult, with one study suggesting that of those organisations that went as far as paying the ransom demand, only 52% were able to fully recover their encrypted files.

Defences to avoid the headlines

Given these risks, organisations that might be exposed to supply chain vulnerabilities need to take a series of steps to close security blind spots. These include a comprehensive approach to software updates and patches, which can help minimise the risks associated with zero-day threats and micro attack strategies.

Systems should also be closely monitored for Indicators of Compromise (IOCs) that may point towards attacks originating elsewhere in the organisational supply chain. This level of diligence can be further reinforced by the implementation of a zero-trust approach to cyber security, which can play an important role in preventing lateral movement within connected supply chains from one organisation to another.
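As an added illustration of the IoC monitoring the previous paragraph calls for (this is example code, not code from the article or from Intellias), the following script extracts candidate indicators from log lines and matches them against a small indicator feed. Every value in the feed and in the sample log lines is constructed for the example: the IP is from the documentation-only 203.0.113.0/24 range, the domain is under example.net, and the hash is a placeholder string. The function and variable names are likewise the example's own.

```python
"""Match log lines against a feed of Indicators of Compromise (IoCs).

Added example for the article; the feed, log lines and names are constructed
placeholders, not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC feed (placeholder values only).
IOC_FEED = {
    "ipv4": {"203.0.113.45"},               # documentation range, not a real C2
    "domain": {"update-cdn.example.net"},   # reserved example domain
    "sha256": {"a" * 64},                   # placeholder hash
}

# Constructed sample log lines: proxy, EDR and firewall events.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy allow src=10.0.0.5 dst=https://update-cdn.example.net/agent.msi",
    f"2024-01-01T10:00:02Z edr file_created path=C:\\Temp\\agent.msi sha256={'a' * 64}",
    "2024-01-01T10:00:05Z fw deny src=10.0.0.5 dst=203.0.113.45:443",
    "2024-01-01T10:01:00Z proxy allow src=10.0.0.7 dst=https://www.example.org/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index into the scanned lines
    kind: str      # "ipv4", "domain" or "sha256"
    value: str     # the normalised indicator that matched
    raw: str       # the original log line


def extract_indicators(line):
    """Return a set of (kind, value) pairs found in one log line."""
    found = set()
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)       # drop things like 999.1.1.1
        except ValueError:
            continue
        found.add(("ipv4", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain", dom.lower()))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest.lower()))
    return found


def domain_hit(domain, feed_domains):
    """True if the domain or any parent domain is in the feed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in feed_domains for i in range(len(labels)))


def scan_lines(lines, feed):
    """Scan log lines and return the sorted list of IoC matches."""
    matches = []
    for line_no, line in enumerate(lines, start=1):
        for kind, value in extract_indicators(line):
            if kind == "domain":
                hit = domain_hit(value, feed["domain"])
            else:
                hit = value in feed[kind]
            if hit:
                matches.append(Match(line_no, kind, value, line))
    return sorted(matches, key=lambda m: (m.line_no, m.kind, m.value))


if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS, IOC_FEED):
        print(f"line {m.line_no}: {m.kind} {m.value} <- {m.raw}")
```

The parent-domain check matters in practice: a feed entry for a domain should also fire on hosts beneath it, and normalising to lowercase avoids misses from case differences in URLs. Against the constructed lines, the scan reports a domain hit on line 1, a hash hit on line 2 and an IP hit on line 3, while line 4 produces nothing.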

Supply chains can also be vulnerable to security weaknesses relating to remote access, cloud admin consoles, and VPNs, all of which benefit from stronger authentication technologies and processes.

Should an incident occur, however, an organisation’s ability to recover largely depends on its backup, recovery, and incident response policies and technologies which, ideally, will allow it to restore systems quickly without significant delay or the need to consider a ransomware payment.

Looking ahead, as supply chains continue to become more digitally integrated, it’s clear that threat actors will retain their interest in the vulnerabilities these complex systems can create.

Without adequate strategic investment and a clear focus on prevention, mitigation, and recovery, it’s inevitable that more organisations will find themselves in the headlines as the source or victim of a successful supply chain attack.

Contributor Details

Kamil Fedorko, Global Cybersecurity Practice Leader, Intellias
