As a business owner or executive, cybersecurity has become a considerable concern you have to pay attention to. The increasing efforts of cyber criminals need to be addressed within your organization to ensure you are mitigating risks and working to prevent a cyberattack.  One particular area that demands attention is Supply Chain Attacks. Supply chain attacks involve targeting vulnerabilities within an organization’s vendor or supplier ecosystem to gain unauthorized access or introduce malicious elements to a network. By exploiting the trust between organizations and their suppliers, threat actors can compromise critical systems, exfiltrate sensitive data, or propagate malware throughout the supply chain.

The ultimate goal of a supply chain attack can vary, ranging from data theft, financial gain, disruption of operations, sabotage, or even espionage. Supply chain attacks can have severe consequences for organizations, their customers, and their investors.

Notable Examples of Supply Chain Attacks

1. Kaseya Ransomware Attack: In July 2021, the Kaseya ransomware attack demonstrated the potential impact of targeting managed service providers (MSPs). Cybercriminals exploited a vulnerability in the Kaseya VSA software, which MSPs commonly use to manage clients’ IT systems. By compromising the MSPs’ infrastructure, the attackers unleashed ransomware on numerous customer networks simultaneously, resulting in widespread disruption.
2. SolarWinds Attack: The SolarWinds attack, discovered in late 2020, sent shockwaves across the cybersecurity landscape. A sophisticated threat actor compromised the software supply chain of SolarWinds, a prominent IT management software provider. This led to the distribution of a tainted software update, granting the attacker unauthorized access to numerous organizations’ networks, including government agencies and corporations.
3. ASUS Live Update Attack: In 2019, hackers exploited the supply chain of ASUS, a well-known computer hardware manufacturer. By compromising the company’s software update mechanism, they distributed a malicious backdoored version of the ASUS Live Update utility to unsuspecting users. This allowed the attackers to gain unauthorized access to affected systems and potentially spy on users.
4. NotPetya Attack: In 2017, the NotPetya attack wreaked havoc globally. It originated from a compromised Ukrainian accounting software called MeDoc, which distributed a malicious update containing the NotPetya ransomware. This attack spread rapidly, affecting organizations worldwide and causing widespread disruption, financial losses, and data destruction.
5. CCleaner Attack: In 2017, popular PC optimization software called CCleaner was compromised by attackers. The attackers manipulated the software’s supply chain and injected malware into the official software updates, potentially affecting millions of users. This incident highlighted the vulnerability of trusted software vendors and the risk posed by compromised updates.

To mitigate the risks associated with supply chain attacks, organizations must implement robust security measures, and establish strong practices and processes that prioritize cybersecurity controls and vigilance throughout their organization and their supply chain.  It is important for businesses to consider the following recommendations which can help to mitigate the risk of a supply chain attack:

1. Rigorous Vendor/Supplier Assessment: Conduct thorough due diligence when onboarding new vendors or suppliers. Assess their security practices, including their vulnerability management, incident response capabilities, and adherence to industry standards.
2. Strong Contractual Agreements: Establish robust contracts that outline security requirements and expectations from vendors or suppliers. Include clauses regarding cybersecurity controls, incident reporting, and the right to audit their security measures.
3. Ongoing Monitoring and Auditing: Implement continuous monitoring of your vendor or supplier ecosystem. Regularly assess their security posture, conduct audits, and track any changes that could introduce potential risks. A one-time vendor assessment will not protect your organization.  Businesses need to establish processes to re-review vendors security measures on an established frequency.
4. Multi-Factor Authentication (MFA): Enforce the use of multi-factor authentication for accessing critical systems and sensitive data. This additional layer of security can help prevent unauthorized access, even if credentials are compromised within the supply chain.
5. Employee Awareness and Training: Educate your employees about the risks associated with supply chain attacks and the importance of practicing good cybersecurity hygiene.  Provide training on identifying phishing attempts, social engineering techniques, and suspicious activities that may indicate a compromised supply chain.  Encourage all employees to report any potential security concerns promptly. As an added precaution, ensure that employees always verify wire information over the phone before sending payments.
6. Incident Response Planning: Develop and test an effective incident response plan that includes supply chain attack scenarios. This ensures a swift and coordinated response to mitigate the impact, minimize downtime, and restore normal operations.

Vigilance is required to ensure partners in your supply chain won’t be an attacker’s point of entry into your network. Every business needs to develop a process of reviewing and re-reviewing supply chain partners and all vendors that they conduct business with.  Maintaining concentration over long periods of time is difficult, but without standardized processes to review supply chain partners most businesses fail to maintain a system that re-evaluates vendors over time leading to increased risks.  

By understanding the reality of supply chain attacks, learning from notable examples, and implementing key protective measures, any organization can bolster its cybersecurity defenses and safeguard its vendor/supplier ecosystem. Stay vigilant, stay prepared, and keep your network secure!

Advanticom recommends all clients conduct a thorough supply chain assessment – if you have not conducted a supply chain assessment you want to begin ASAP and establish a long-term process that structures ongoing audits of each supply chain partner to ensure your business is protected from the external threats of your vendors.  Often as humans, we overlook the capabilities of those we already trust and we expect the best from each other so we fail to complete an audit or assessment and fail to recognize the supply chain risks that exist due to a longstanding relationship with a partner. 

If you have not previously conducted a supply chain or third party risk assessment and need to seek further guidance on process, policies, and best practices, Advanticom can help.  We can provide the framework to complete a supply chain assessment on your own, or we can carry the workload and conduct an assessment on your behalf.