For years, cybersecurity experts have been concerned about supply chain hacks since a single attack on a single supplier might produce a chain reaction that compromises a network of providers. Malware is the most common attack method, accounting for 62% of all attacks.
Strong security protection is no longer adequate for enterprises when attackers have already moved their focus to suppliers, according to the latest ENISA research – Threat Landscape for Supply Chain Incidents, which reviewed 24 recent attacks.
The rising effect of these assaults, such as system downtime, monetary loss, and reputational harm, demonstrates this.
In comparison to last year, supply chain assaults are predicted to increase fourfold in 2021. This new trend emphasizes the urgency with which governments and the cybersecurity community must respond. This is why unique defensive measures to avoid and respond to future supply chain threats while reducing their impact must be implemented as soon as possible.
“Through the cascading impact of supply chain assaults, threat actors may wreak significant harm affecting businesses and their consumers all at once,” stated the Executive Director of the EU Agency for Cybersecurity. Member states will be able to achieve a comparable level of capabilities through good practices and coordinated efforts at the EU level, enhancing the EU’s common level of cybersecurity.”
Table of Contents
What does a supply chain entail?
The ecosystem of resources required to create, manufacture, and distribute a product is referred to as a supply chain. A supply chain is cybersecurity consists of hardware and software, cloud or local storage, and distribution techniques.
Why is a high level of cybersecurity insufficient?
Supply chain assaults, which consist of an attack on one or more suppliers followed by an attack on the end target, the client, can take months to complete. In many cases, an attack like this might go unnoticed for a long period. Supply chain assaults, like Advanced Persistence Threat (APT) attacks, are generally focused, complicated, and expensive, with attackers likely preparing ahead of time. All of these factors reflect the enemies’ level of intelligence as well as their determination to succeed.
Even if an organization’s defenses are strong, it might be exposed to a supply chain assault, according to the paper. By targeting suppliers, the attackers are looking for new avenues to enter organizations. Furthermore, because the impact of supply chain assaults on a large number of consumers is nearly endless, these attacks are becoming more widespread.
In around 66 percent of the reported occurrences, attackers concentrated on the suppliers’ code to compromise the targeted customers. This demonstrates the need for organizations to focus their efforts on verifying third-party code and software before utilizing it to guarantee it has not been tampered with or modified.
Customer data, including Personally Identifiable Information (PII) data and intellectual property, was targeted in about 58 percent of the supply chain events investigated.
Suppliers were unaware of or failed to notice how they were hacked in 66% of supply chain hacks investigated. However, only around 9% of consumers who were harmed as a result of supply chain hacks were aware of the incident. This emphasizes the maturity difference between suppliers and end-users when it comes to cybersecurity event reporting.
Recent Supply Chain Attacks Examples:
Several high-profile instances have lately occurred from hacker attacks on supply networks. The systems or software of trusted vendors were hacked in each of the supply chain assault cases below.
2021 Dependency Confusion:
Microsoft, Uber, Apple, and Tesla were all hacked by a security researcher. Alex Birsan, the researcher, took advantage of dependencies, which are used by apps to give services to end-users. Birsan was able to send fake but innocuous data packets to high-profile individuals because of these requirements.
Hackers were able to compromise a security certificate that authenticates Mimecast’s services on Microsoft 365 Exchange Web Services during the Mimecast assault. While just a small percentage of Mimecast’s clients were affected, roughly 10% of the company’s customers utilize apps that rely on the leaked certificate.
The SolarWinds assault was carried out by introducing a backdoor into the Orion IT update tool known as SUNBURST. A total of 18,000 clients have downloaded the backdoor.
According to Symantec experts, the assault against ASUS took the use of an update mechanism and affected as many as 500,000 PCs. An automated update was employed in the attempt to infect consumers’ computers with malware.
A repository within the GitHub system was infected with malware in the event-stream assault. An unknown number of programs were able to access the dependency in the malware repository. While GitHub is not open source, it does provide public backup service and encourages users to share their solutions with others.
In a nutshell, the recommendations are:
At the EU level, implement best practices and participate in coordinated efforts.
Because of the growing interdependencies and sophistication of the tactics deployed, assaults against suppliers may have far-reaching implications. Beyond the financial costs to impacted organizations and other parties, there is a greater cause for worry when sensitive material is leaked and national security is jeopardized, or when geopolitical ramifications are possible.
In this complex supply chain environment, adopting good practices and participating in EU-wide coordinated efforts are both critical to assisting the other Member States in acquiring similar capabilities – and achieving a shared degree of security.
Customers may use the report’s wide list of suggestions to control supply chain cybersecurity risk and manage relationships with suppliers.
Customers should consider the following suggestions:
- Identifying and documenting suppliers and service providers
- defining risk criteria for various types of suppliers and services, such as supplier and customer dependencies, critical software dependencies, and single points of failure
- monitoring supply chain risks and threats;
- managing suppliers throughout the lifecycle of a product or service, including procedures for dealing with end-of-life products or components
- classifying assets and information shared with or accessed by others
- The paper also makes recommendations for how to guarantee that product and service development adheres to security standards. Suppliers should follow best practices for managing vulnerabilities and patches, for example.
Supplier recommendations include:
- ensuring that the infrastructure used to design, develop, manufacture, and deliver products, components, and services adhere to cybersecurity best practices
- implementing a product development, maintenance, and support process that is consistent with commonly accepted product development processes
- monitoring security vulnerabilities reported by internal and external sources, including used third-party components
- and maintaining an inventory of assets that includes patch-relative assets.
In a conclusion, we would like to say that day by day the viruses are getting more and more powerful, and hence there is always a high possibility of a supply chain attack. But along with that the power of cybersecurity is also increasing, hence better protection methods are also being implemented by companies to counter those attacks.