Mar 22, 2018

Hackers hit software supply chains more in 2017 than prior two years combined

A computer user points at a system infected with the NotPetya malware

A computer user points at the word "Bitcoin" in ransom message associated with the NotPetya malware. Photo: Donat Sorokin\TASS via Getty Images.

Hackers dramatically increased the number and scope of attacks on software manufacturers as a way to attack user machines in 2017, according to a new report by Symantec. "When you look at the numbers, it's no longer one off attacks," Kevin Haley, director of Symantec Security Response, told Axios.

Why it matters: The NotPetya malware was devastating internationally, costing the shipping giant Maersk $300 million dollars alone. It spread so quickly because it was attached to an update for widely used Ukrainian accounting software. This type of attack, where malware is placed in software before it is downloaded from the manufacturer, is known as a supply chain attack and are particularly tough for users to defend against.

By the numbers: According to Symantec's new Internet Security Threat Report, there was an average of three reported supply chain attacks attacks per year from 2013 through 2015. There were 10 in 2017, up from three in 2015 and four in 2016.

Larger in scope: While past supply chain attacks focused on niche software, like the software used in industrial machinery, 2017 saw two gigantic attacks. NotPetya was one, while a second targeted the popular CCleaner file cleaning software.

A siege of nations: Supply chain attacks are difficult to pull off and frequently the domain of nations and other highly-adept groups. "It certainly takes a level of sophistication - not common cyber criminals," said Haley. The White House believes NotPetya was launched by the Russian Government, while many researchers believe CCleaner was a product of China.

Go deeper