Supply Chain Attacks

A supply chain attack is a type of cyberattack that targets organizations by compromising a 3rd party in their supply chain. Typically this would be a software service or vendor, but it could also be service providers or even hardware manufacturers. These attacks exploit the trust that organizations have built up in their suppliers, making it easy to slip through the cracks. Attackers exploit these opportunities to steal data, install malware, or disrupt operations.

This article will look at the different types of supply chain attack and some recent real-life examples.

Third-Party Software Attacks

Third-party software attacks exploit vulnerabilities in software applications or components developed by external vendors. These vendors often provide essential services or tools that are integrated into an organization’s systems or applications. Attackers target these third-party software components to gain access to the systems of organizations that rely on them. This can be achieved by various means, such as:

• Compromising the software development process: Attackers may infiltrate the vendor’s development environment, inject malicious code into the software during development, or compromise build systems to insert backdoors.
• Exploiting vulnerabilities in existing software: Attackers may discover and exploit vulnerabilities in publicly released software versions. This allows them to deliver malware, steal data, or gain unauthorized access to systems where the software is deployed.
• Compromising software updates: Attackers may tamper with software updates or patches, inserting malicious code that is then distributed to users. When users install these compromised updates, their systems become vulnerable.

Recent Examples

• SolarWinds Attack (2020): Attackers compromised SolarWinds’ Orion network management software, distributing malicious updates to thousands of organizations, including government agencies and Fortune 500 companies.
• CCleaner Attack (2017): The popular system cleaning tool CCleaner was compromised, with attackers inserting malware into legitimate software updates. Millions of users were affected.
• NotPetya Attack (2017): Although primarily a ransomware attack, NotPetya spread rapidly through compromised software updates for a Ukrainian accounting software called M.E.Doc.

Hardware Attacks

Hardware attacks involve the physical manipulation or compromise of hardware components within the supply chain. These attacks can occur at various stages, from manufacturing and distribution to deployment and maintenance. Attackers may tamper with hardware to:

• Insert malicious components: Attackers may introduce malicious chips or circuitry into hardware devices during manufacturing. These malicious components can be used to steal data, control the device’s functionality, or launch further attacks.
• Modify firmware: Attackers may alter the device’s firmware (low-level software embedded in the hardware) to introduce vulnerabilities, create backdoors, or manipulate its operation.
• Counterfeit hardware: Attackers may create counterfeit hardware components that appear legitimate but contain malicious functionality. These counterfeit components can then be introduced into the supply chain, replacing genuine parts.
• Exploit physical access: Attackers with physical access to devices may tamper with them directly, installing malware or modifying hardware components. Hardware attacks are often more challenging to detect and mitigate than software attacks, as they bypass traditional security software and require specialized tools and expertise to identify.

Recent Examples

• Exploding Devices in Lebanon: In September 2024, thousands of pagers and walkie-talkies exploded across Lebanon, targeting Hezbollah members. It is believed the devices had been supplied by a Hungarian company which was manufacturing the devices under licence by a Taiwanese manufacturer. This underscores the vulnerability of complex manufacturing supply chains and the potential for devastating consequences.
• Supermicro server attack (alleged): Reports claimed that servers manufactured by Supermicro contained malicious chips implanted during the manufacturing process in China. These chips were allegedly designed to provide attackers with remote access and data exfiltration capabilities.
• USB drive attacks: Malicious USB drives can be used to deliver malware, steal data, or even destroy hardware when plugged into a computer.
• Bluetooth vulnerabilities: Vulnerabilities in Bluetooth protocols have been exploited to gain unauthorized access to devices and data.

Data Flow Attacks

Data flow attacks focus on exploiting vulnerabilities in how data is transmitted and processed. These attacks aim to intercept sensitive information, manipulate data in transit, or disrupt the flow of data altogether. Attackers can achieve this through various methods, such as:

• Man-in-the-middle (MitM) attacks: Attackers position themselves between two parties communicating within the supply chain, intercepting and potentially manipulating data exchanged between them. This can allow them to steal sensitive information, inject malicious code, or alter data to disrupt operations.
• Compromising communication channels: Attackers may exploit vulnerabilities in communication protocols or infrastructure to gain unauthorized access to data transmitted between organizations in the supply chain. This could involve compromising email servers, intercepting network traffic, or exploiting weaknesses in APIs used for data exchange.
• Data breaches at third-party providers: If a supplier storing or processing sensitive data suffers a data breach, it can expose the data of other organizations within the supply chain. This can lead to significant financial losses, reputational damage, and legal liabilities.
• Data manipulation: Attackers may tamper with data in transit or at rest, altering critical information to disrupt operations, cause financial harm, or spread misinformation. This can involve modifying orders, invoices, financial records, or other sensitive data.
• Data flow attacks can be particularly challenging to detect and prevent, as they often exploit vulnerabilities in complex, interconnected systems and processes.

Recent Examples

• The 2013 Target breach: Attackers gained access to Target’s systems by compromising a third-party HVAC vendor. This allowed them to steal credit card information and personal data from millions of customers.
• The 2014 Home Depot breach: Similar to the Target breach, attackers compromised a third-party vendor to gain access to Home Depot’s network, resulting in the theft of millions of credit card numbers and customer data.
• Man-in-the-middle attacks on financial transactions: Attackers have used MitM attacks to intercept and manipulate financial transactions, diverting funds to their own accounts or altering transaction details.

Insider Threats

Insider threats involve individuals within a supplier’s organization who misuse their authorized access, either intentionally or unintentionally, to negatively impact the security of the supply chain. These individuals can be current or former employees, contractors, or business partners who have access to sensitive information, systems, or facilities.

Types of Insider Threats:

• Malicious Insiders: These individuals deliberately exploit their access for personal gain or to cause harm to the organization. They may steal data, sabotage systems, introduce malware, or disrupt operations. Motivations can include financial gain, revenge, or ideology.
• Negligent Insiders: These individuals unintentionally compromise security through carelessness, poor security practices, or lack of awareness. They may fall victim to phishing scams, use weak passwords, or mishandle sensitive data.
• Compromised Insiders: These individuals have their accounts or credentials compromised by external attackers. This allows attackers to operate within the organization’s systems under the guise of a legitimate user. Insider threats can be particularly challenging to detect and mitigate, as they involve individuals who are trusted and have legitimate access to systems and data.

Recent Examples

• Tesla Insider Sabotage (2018): A disgruntled employee at Tesla intentionally sabotaged the company’s manufacturing operating system and exfiltrated sensitive data.
• Coca-Cola Data Theft (2017): A former employee of Coca-Cola stole confidential data, including trade secrets and financial information, and attempted to sell it to a competitor.
• Edward Snowden Leaks (2013): A former National Security Agency (NSA) contractor leaked classified information about government surveillance programs, highlighting the potential damage that insider threats can cause.

Targeted Attacks

Targeted attacks are precisely what they sound like – attacks aimed at a specific organization, often with a high degree of planning and sophistication. Instead of casting a wide net, attackers carefully select their victim and tailor their approach to exploit specific weaknesses within that organization’s supply chain.

Key Characteristics:

• Focused Reconnaissance: Attackers invest time and resources to gather information about the target organization, their suppliers, and their security practices. This may involve analyzing public information, social engineering, and even infiltrating less secure partners in the supply chain to gain access to the ultimate target.
• Exploiting Trust Relationships: Attackers often exploit the inherent trust between organizations and their suppliers. By compromising a trusted partner, they can bypass security measures and gain access to the target’s systems or data.
• Multi-Stage Attacks: Targeted attacks often involve multiple stages, starting with initial compromise of a supplier and progressing through the supply chain to reach the final target. This allows attackers to maintain persistence and evade detection.
• Variety of Techniques: Attackers may employ a combination of techniques, including social engineering, phishing, malware delivery, exploitation of vulnerabilities, and even physical intrusion, to achieve their objectives. Targeted attacks are often associated with advanced persistent threats (APTs), which are typically carried out by nation-state actors or highly skilled cybercriminals with specific goals, such as espionage, intellectual property theft, or sabotage.

Recent Examples

• Target Breach (2013): Attackers gained access to Target’s systems by compromising a third-party HVAC vendor. This allowed them to steal credit card information and personal data from millions of customers.
• Operation Aurora (2009): A series of cyberattacks, allegedly originating from China, targeted Google and several other major tech companies. The attackers aimed to steal intellectual property and access sensitive information.
• Stuxnet (2010): A sophisticated worm, believed to have been developed by the US and Israel, targeted Iran’s nuclear program. Stuxnet exploited vulnerabilities in industrial control systems to disrupt uranium enrichment centrifuges.

Watering Hole Attacks

Watering hole attacks are a strategic form of cyberattack where malicious actors compromise websites frequently visited by their intended victims. These websites act as the “watering hole,” attracting unsuspecting users like animals gathering for a drink. Once a user visits the compromised site, their system can be infected with malware, giving attackers a foothold into their organization’s network.

How they work:

• Target Selection: Attackers identify a specific group or organization they want to compromise.
• Watering Hole Identification: They research websites, forums, or online platforms commonly used by this group.
• Website Compromise: Attackers exploit vulnerabilities in the chosen website to inject malicious code or redirect users to malicious sites.
• Infection: When users visit the compromised site, their systems are infected with malware, often without their knowledge.
• Further Exploitation: The malware may grant attackers remote access, steal data, or spread to other systems within the organization. Watering hole attacks are particularly effective because they exploit trust. Users are more likely to let their guard down when visiting familiar and seemingly safe websites.

Recent Examples

• NotPetya Attack (2017): Attackers compromised a Ukrainian accounting software provider, spreading the NotPetya ransomware to organizations that used the software.
• Operation Aurora (2009): This attack targeted Google and other major tech companies by compromising websites frequented by their employees.
• Council on Foreign Relations Attack (2013): The Council on Foreign Relations website was compromised to deliver malware to visitors interested in foreign policy.

npm Attacks

npm (Node Package Manager) is the default package manager for Node.js, a popular JavaScript runtime environment. npm hosts a vast registry of open-source software packages that developers rely on to build web applications, tools, and libraries. However, this reliance on third-party code creates a potential attack vector for malicious actors.

npm attacks exploit vulnerabilities in the npm ecosystem to compromise software supply chains. These attacks can take various forms, including:

• Malicious Package Injection: Attackers publish packages containing malicious code to the npm registry. These packages may masquerade as legitimate tools or exploit typosquatting (using names similar to popular packages) to trick developers into installing them. Once installed, these packages can execute malicious code, steal data, or compromise systems.
• Compromised Accounts: Attackers gain unauthorized access to the accounts of legitimate package maintainers. They then inject malicious code into existing packages or publish new malicious packages under the guise of a trusted developer.
• Dependency Confusion: Attackers exploit naming conventions and internal package repositories to trick developers into installing malicious packages instead of legitimate ones. This can happen when internal package names conflict with public package names, allowing attackers to “hijack” the dependency resolution process.
• Exploiting Vulnerabilities in Dependencies: Attackers identify and exploit vulnerabilities in existing npm packages. By compromising a widely used package, they can potentially compromise numerous applications that depend on it. npm attacks can have far-reaching consequences, compromising software applications, development pipelines, and even end-user systems.

Recent Examples

• Typosquatting campaign (2024): Attackers published hundreds of malicious npm packages with names similar to popular JavaScript libraries. These packages were designed to steal credentials and sensitive information from developers’ systems.
• jest-fet-mock attack (2024): A malicious npm package called jest-fet-mock targeted developers with multi-platform malware that used Ethereum smart contracts for command-and-control operations.
• North Korean npm campaign (2024): North Korean-linked threat groups launched a campaign targeting the npm ecosystem, publishing malicious packages designed to infiltrate developer environments and steal sensitive data.

Third-Party Script Attacks

Third-party scripts are code snippets that website owners embed into their webpages to add functionality, enhance user experience, or collect data. These scripts are often hosted on external servers and provided by third-party vendors specializing in services like analytics, advertising, social media integration, and user interface design. While these scripts offer significant benefits, they also introduce potential security risks.

Third-party script attacks exploit vulnerabilities in these scripts or their delivery mechanisms to compromise website security and user data. Attackers may:

• Inject malicious code into legitimate scripts: Attackers can compromise the servers hosting these scripts or exploit vulnerabilities in the script code itself to inject malicious functionality. This allows them to steal user data, redirect visitors to malicious websites, or even take control of the website.
• Compromise the supply chain: Attackers may target the third-party vendors providing these scripts, compromising their systems or development processes to inject malicious code into the scripts before they are distributed to websites.
• Exploit vulnerabilities in content delivery networks (CDNs): Many third-party scripts are delivered through CDNs, which can be a target for attackers. By compromising a CDN, attackers can distribute malicious versions of scripts to a large number of websites.
• Abuse legitimate functionality: Some third-party scripts have access to sensitive user data or website functionality. Attackers may exploit this access to steal information, manipulate website content, or launch further attacks.
• Third-party script attacks can be challenging to detect and mitigate, as website owners often have limited control over the code and security practices of third-party vendors.

Recent Examples

• British Airways breach (2018): Attackers compromised a third-party script used on the British Airways website to steal credit card information from thousands of customers.
• Ticketmaster breach (2018): A third-party script used on the Ticketmaster website was compromised, allowing attackers to steal payment card details and personal information from customers.
• Magecart attacks: A group of cybercriminals known as Magecart has been responsible for numerous attacks targeting third-party scripts used on e-commerce websites to steal credit card information.
• Polyfill.io Compromise (2024): In June 2024, it was reported that over 110,000 websites were potentially affected by the compromise of Polyfill.io, a popular service that provides polyfills for web developers. After being acquired by a Chinese company, the service was modified to redirect users to malicious websites, potentially exposing them to malware or phishing attacks. This incident highlights the risks associated with relying on third-party scripts, especially those involved in providing core web functionality, and the importance of carefully vetting providers and implementing security measures like Subresource Integrity (SRI).