During the past couple of years, the number of supply-chain attacks has surged, and they have become one of the most concerning threats to governments, organisations, and individual citizens.
Supply-chain attacks are a particular category of cyberattacks that target and take advantage of vulnerabilities in the IT supply chain.
Today’s digital landscape has grown into a vast network of hardware and software, operating systems, applications, marketplaces and app stores, websites and web applications, cloud computing, algorithms and protocols. Supply-chain attacks target vulnerabilities hidden within this intricate technological fabric.
Traditionally, cyberattacks have been carried out by identifying and exploiting a weak link within the victim’s broader IT infrastructure. Depending on the nature of the attack, the targeted link can be a hardware or software component.
Sometimes, as in the case of social-engineering attacks, attackers may decide to target the human element of a system, for example by tricking an employee into revealing some confidential company information or giving access to a private infrastructure.
In the case of supply-chain attacks, the path of least resistance into an organisation is found not within the organisation itself, but in one of the products or services that the organisation buys from a third-party vendor.
Supply-chain attacks typically take place in two steps.
First, a particular IT vendor is targeted and some of its systems or products are compromised. Second, the compromised vendor is used by the attacker as a stepping stone (or “attack vector”) to reach the vendor’s customers, their final targets. Sometimes the chain can be longer and multiple products or vendors may be exploited before reaching the final victims.
Similar to other cyberattacks, the objectives behind a supply-chain attack are usually to access confidential information and to take control of IT systems with the ultimate goal of monetary gain, e.g. via some form of ransom or by reselling data on the black market. Some sophisticated attacks deployed by state-level actors may even be driven by political objectives.
Due to their complexity, the amount of resources required, and the level of coordination involved, supply-chain attacks are usually traced back to so-called Advanced Persistent Threat (APT) actors, i.e. long-standing and well-organised groups.
SolarWinds Orion: the most notorious supply-chain attack
In December 2020 the IT world woke up to one of the most serious examples of supply-chain attacks ever. As revealed in their blog post of 13th December 2020, the security company FireEye had recently discovered a piece of malware that was being distributed as an update for the Orion platform.
Orion, by the American IT company SolarWinds, was marketed as a powerful network and IT infrastructure monitoring software. The product was widely used by an array of international clients from both the private and public sectors, including various government bodies from the US, the EU and the UK, and large IT companies such as Microsoft, Intel, and Cisco.
The attacker had inserted “malicious code into legitimate software updates for the Orion software” that allowed remote access into the victim’s environment.
The scenario exemplified by the Orion attack is as bad as things can get from a cybersecurity perspective. While the actual impact of the attack on its victims inevitably varies on a case-by-case basis, in the most severe circumstances attackers were able to get full undetected control of the victims’ systems.
This means that sensitive data can be stolen, confidential communications monitored, and the integrity of information compromised.
It was estimated that around 18,000 Orion customers were affected by the attack. No one knows exactly the extent of the damage: estimates range from the 90 million USD in insurance claims reported by CRN.com to the upwards of 100 billion USD in damages estimated by other experts.
A surge in cases
Supply-chain attacks have seen a worrying surge in the past couple of years. The phenomenon is now widely discussed by governments and public bodies all over the world. In an Executive Order issued by US President Biden in May 2021, supply-chain security was identified as vital for “the Federal Government’s ability to perform its critical functions” and was at the centre of numerous action points.
According to the EU Agency for Cybersecurity (ENISA), at least 25 software supply-chain attacks were carried out between January 2020 and July 2021. The agency also predicted a fourfold increase in supply-chain attacks over the course of 2021, and subsequent reports by Revenera and Aqua Security confirmed this trend.
In October 2021, the cybersecurity company BlueVoyant reported the results of a survey that involved around twelve hundred managers responsible for supply-chain and cyber-risk management.
The report confirms that 93% of the surveyed companies had suffered a cybersecurity breach because of weaknesses in their supply chain. 97% of the surveyed companies had been negatively impacted by a cybersecurity breach that occurred in their supply chain.
Worryingly, the average number of breaches experienced in the 12 months leading up to the report’s publication had grown 37% over the previous period.
One of the reasons behind the growing number of supply-chain attacks is their high reward-vs-effort ratio. Although compromising one particular supplier can be costly, doing so unlocks huge potential in terms of the number of the supplier’s customers that can eventually be targeted.
From an attacker’s point of view, the supply-chain structure can be leveraged as an amplifier, where compromising one individual vendor makes all its customers vulnerable.
How to protect ourselves and our businesses in this increasingly turbulent digital landscape?
In general terms, it is important that all organisations embrace a culture of cyber security. Nowadays, all managers (and one could say, all employees) are expected to have some level of cybersecurity literacy.
Digital threats must be factored into all important decisions. Cybersecurity budgets must be carefully sized in light of the cost of potential security failures. A trove of examples from the recent news illustrates how a casual approach to security can be very costly.
In terms of roles and responsibilities, it is important that all organisations, including small and medium ones, have well-defined cybersecurity roles. This sets the foundation to promote a security culture throughout the organisation.
Clear roles and responsibilities will make it easier to react to an incident should a security breach or a failure occur, and to ensure business continuity.
From a more technical point of view, small and medium organisations should start asking simple questions.
Does my organisation have a systematic and regularly updated inventory of digital assets, such as data, devices, servers, and third-party services? Does the list include who within the organisation can access or is responsible for each particular asset? Has a risk assessment been completed that, for each digital asset, establishes access lists, backup strategies, and encryption requirements? When it comes to business continuity, do we have clear targets in terms of Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)?
An approach increasingly adopted in business-critical contexts is that of reproducible software, i.e. software whose origin and integrity can be guaranteed by means of cryptographic techniques. This is particularly relevant for the ever-increasing proportion of open-source dependencies incorporated in practically every organisation’s software systems, of which there is often too little awareness.
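As an added illustration of the integrity checks just described (example code written for this article, not from any vendor or tool mentioned above), the following script pins third-party artifacts to SHA-256 digests and refuses any update whose bytes differ from the pin, and it compares two independent builds to decide whether they are reproducible. The lockfile format and the sample update bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: a hypothetical vendor update and its pinned digest.
# The lockfile format ("<name> sha256=<hex>") is illustrative, not a real tool's.
GOOD_UPDATE = b"agent 1.0: legitimate release bytes"
LOCKFILE_TEXT = (
    "# pinned third-party artifacts\n"
    f"agent-1.0.tar.gz sha256={hashlib.sha256(GOOD_UPDATE).hexdigest()}\n"
)


def parse_lockfile(text: str) -> dict:
    """Map artifact name -> expected SHA-256 hex digest; reject malformed pins."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pin = line.split()
        algo, hexval = pin.split("=", 1)
        if algo != "sha256" or len(hexval) != 64:
            raise ValueError(f"unsupported pin for {name}: {pin}")
        pins[name] = hexval.lower()
    return pins


def audit_update(name: str, data: bytes, pins: dict) -> str:
    """Classify an incoming artifact before it is installed.

    'ok'       digest matches the pin
    'unpinned' no pin exists, so the artifact cannot be trusted
    'tampered' a pin exists but the bytes differ (e.g. a modified update)
    """
    expected = pins.get(name)
    if expected is None:
        return "unpinned"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "tampered"


def is_reproducible(build_a: bytes, build_b: bytes) -> bool:
    """Two independent builds of the same source must be byte-identical;
    any divergence means the origin of at least one build cannot be vouched for."""
    return hashlib.sha256(build_a).digest() == hashlib.sha256(build_b).digest()


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE_TEXT)
    print(audit_update("agent-1.0.tar.gz", GOOD_UPDATE, pins))        # ok
    print(audit_update("agent-1.0.tar.gz", GOOD_UPDATE + b"x", pins))  # tampered
```

An unpinned artifact is treated as a failure rather than silently accepted, since a missing pin is exactly the gap a tampered update would slip through.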
There are also numerous cybersecurity frameworks that businesses can adopt to guide their cybersecurity approaches. Examples are the Cybersecurity Framework provided by the US National Institute of Standards and Technology (NIST) and the Cyber Assessment Framework from the UK National Cyber Security Centre (NCSC). While different frameworks have different nuances and strengths, any framework is probably better than no framework at all.
If your organisation does not have one in place and relies on a custom-made approach alone, this might need some rethinking.
More often than not, security is a matter of common sense. However, in a context where digital technologies and cyber threats evolve so rapidly, organisations need to make a conscious effort and carefully think through their approach to security. It is an investment made today that will most certainly pay for itself in the future.
Fabio Natali is a London-based software architect, information security advisor, and consultant. His interests lie at the intersection of technology, ethics, and politics. As an information security consultant, he has worked with and provided support to numerous investigative journalists and human rights organisations in the UK and abroad. Fabio is a co-founder and director of Reckon Digital, a London-based software company specialising in data science and process optimisation.
Gabriel Scali is a computer scientist and innovator specialising in Artificial Intelligence and Cognitive Computing. In addition to teaching at ESCP, he leads research investigating the cognitive collaboration between intelligent agents and humans at Brunel University. A Senior Member of the Association for Computing Machinery and research evaluator for the EU Research Programme, Gabriel is a co-founder and director of the London-based software company Reckon Digital, specialising in data science and process optimisation.