Why organizations struggle to fend off supply chain cyberattacks

A pair of recent high-profile cyberattacks are putting a spotlight back on a hacking tactic that's growing in popularity.

The big picture: A number of supply chain attacks have already impacted organizations this year — and despite the name, the attacks have nothing to do with better-known trade supply chains.

• Instead, in the cybersecurity world, a supply chain attack refers to a cyberattack on companies' software vendors, or their software supply chain.

How it works: Supply chain attacks often start with hackers targeting a single entity — typically a software provider — in the hopes of accessing information from that organization's customers.

• To do this, malicious hackers will often add malware to the infiltrated product's software updates, build processes or source code to infect customers running the product on their own networks.
• One of the highest-profile recent supply chain attacks was the SolarWinds cyber espionage campaign, where Russian state-backed hackers snuck malware into a routine SolarWinds software update and infected nine federal agencies and at least 100 companies.

Driving the news: Recent headlines surrounding vulnerabilities in the MOVEit file-transfer program and Barracuda Networks' email security hardware have brought the spotlight back to software supply chain attacks.

• In the MOVEit case, a Russian ransomware gang has reportedly targeted federal agencies, state governments and other organizations by exploiting recently discovered security vulnerabilities.
• China-linked hackers are also believed to have targeted hundreds of organizations, including government agencies, through the Barracuda Networks security flaw.

Zoom out: Software supply chain attacks have been gaining traction in recent years.

• In 2021, a ransomware attack on IT management company Kaseya ended up affecting roughly 1,500 organizations.
• Later that year, a flaw in open-source program Log4j likely affected hundreds of millions of devices.

By the numbers: More than 10 million people and more than 1,700 organizations were affected by supply chain attacks in 2022, according to a report from the Identity Theft Resource Center.

Between the lines: Protecting against a software supply chain attack is tricky given that companies often have little visibility into their software vendors' cybersecurity programs.

• When a supply chain attack happens, each affected organization also ends up being reliant on the targeted software provider for information about the threat and patches to protect its systems.

The intrigue: Visibility also isn't as simple as knowing which vendors are on an organization's networks. Companies can also be at risk if there are vulnerabilities in their vendors' own software vendors.

• One example is the recent North Korea-linked 3CX supply chain attack, which researchers at Mandiant have said started as a cyberattack on another platform, X_Trader.

Yes, but: The Biden administration is pushing new initiatives to help bring greater visibility into organizations' networks.

Sign up for Axios’ cybersecurity newsletter Codebook here