Jun 23, 2023 - Technology

Why organizations struggle to fend off supply chain cyberattacks

Illustration: Aïda Amer/Axios

A pair of recent high-profile cyberattacks are putting a spotlight back on a hacking tactic that's growing in popularity.

The big picture: A number of supply chain attacks have already impacted organizations this year — and despite the name, the attacks have nothing to do with better-known trade supply chains.

  • Instead, in the cybersecurity world, a supply chain attack refers to a cyberattack on companies' software vendors, or their software supply chain.

How it works: Supply chain attacks often start with hackers targeting a single entity — typically a software provider — in the hopes of accessing information from that organization's customers.

  • To do this, malicious hackers will often add malware to the infiltrated product's software updates, build processes or source code to infect customers running the product on their own networks.
  • One of the highest-profile recent supply chain attacks was the SolarWinds cyber espionage campaign, where Russian state-backed hackers snuck malware into a routine SolarWinds software update and infected nine federal agencies and at least 100 companies.

Driving the news: Recent headlines surrounding vulnerabilities in the MOVEit file-transfer program and Barracuda Networks' email security hardware have brought the spotlight back to software supply chain attacks.

Zoom out: Software supply chain attacks have been gaining traction in recent years.

By the numbers: More than 10 million people and more than 1,700 organizations were affected by supply chain attacks in 2022, according to a report from the Identity Theft Resource Center.

Between the lines: Protecting against a software supply chain attack is tricky given that companies often have little visibility into their software vendors' cybersecurity programs.

  • When a supply chain attack happens, each affected organization also ends up being reliant on the targeted software provider for information about the threat and patches to protect its systems.

The intrigue: Visibility also isn't as simple as knowing which vendors are on an organization's networks. Companies can also be at risk if there are vulnerabilities in their vendors' own software vendors.

  • One example is the recent North Korea-linked 3CX supply chain attack, which researchers at Mandiant have said started as a cyberattack on another platform, X_Trader.

Yes, but: The Biden administration is pushing new initiatives to help bring greater visibility into organizations' networks.