Supply chain attacks occur when a third-party provider of software or hardware is exploited and attackers use that foothold to infiltrate the provider’s customers. A prevalent example of this is the SolarWinds attack. The SolarWinds (SW) attack took advantage of SW’s Orion product, a network management system: attackers leveraged this product to deploy malware to customers in the form of an update originating from a SW server. This goes to show that some attackers are eyeing bigger fish because of the leverage such a position holds.
Another major example of this type of attack is ‘NotPetya’. This was developed by Russian hackers and crippled the major shipping company Maersk. Russian hackers were able to infiltrate the Ukrainian government and many companies to deploy this malware. The malware ended up being deployed in the Ukrainian power grid, which the attackers consequently used to shut down power during the winter, and it was also deployed to many Ukrainian companies, resulting in major data loss. The primary target for the attackers was a group called ‘Linkos Group’, a small software company in Ukraine that distributed its products to nearly every business in the country. When the Russian hacker group ‘Sandworm’ infiltrated this company, they used the same method to infect those businesses with the malware: an update, which gave them backdoor access to the companies’ IT infrastructure.
These examples reveal an emerging pattern. Attackers are extremely patient, diligent and resourceful individuals who are willing to conduct extensive reconnaissance of a target before developing a plan of attack. By doing this, they are able to identify key targets they can rely on to distribute their malware to unsuspecting, trusting customers. They do this to increase their reach: the attack becomes more effective and efficient, and the outcome is a higher reward for ‘less’ effort. From there, they are able to take a benign task like updating your software and turn it into a distribution method that no one suspects or usually checks.
As a result, it is important to think about and analyse every aspect of your IT infrastructure, from who is providing the IT products to how they are configured, because attackers aren’t just targeting companies or individuals; they are targeting the major providers instead.