Why organizations struggle to fend off supply chain cyberattacks
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Aïda Amer/Axios
A pair of recent high-profile cyberattacks are putting a spotlight back on a hacking tactic that's growing in popularity.
The big picture: A number of supply chain attacks have already impacted organizations this year — and despite the name, the attacks have nothing to do with better-known trade supply chains.
- Instead, in the cybersecurity world, a supply chain attack refers to a cyberattack on companies' software vendors, or their software supply chain.
How it works: Supply chain attacks often start with hackers targeting a single entity — typically a software provider — in the hopes of accessing information from that organization's customers.
- To do this, malicious hackers will often add malware to the infiltrated product's software updates, build processes or source code to infect customers running the product on their own networks.
- One of the highest-profile recent supply chain attacks was the SolarWinds cyber espionage campaign, where Russian state-backed hackers snuck malware into a routine SolarWinds software update and infected nine federal agencies and at least 100 companies.
Driving the news: Recent headlines surrounding vulnerabilities in the MOVEit file-transfer program and Barracuda Networks' email security hardware have brought the spotlight back to software supply chain attacks.
- In the MOVEit case, a Russian ransomware gang has reportedly targeted federal agencies, state governments and other organizations by exploiting recently discovered security vulnerabilities.
- China-linked hackers are also believed to have targeted hundreds of organizations, including government agencies, through the Barracuda Networks security flaw.
Zoom out: Software supply chain attacks have been gaining traction in recent years.
- In 2021, a ransomware attack on IT management company Kaseya ended up affecting roughly 1,500 organizations.
- Later that year, a flaw in open-source program Log4j likely affected hundreds of millions of devices.
By the numbers: More than 10 million people and more than 1,700 organizations were affected by supply chain attacks in 2022, according to a report from the Identity Theft Resource Center.
Between the lines: Protecting against a software supply chain attack is tricky given that companies often have little visibility into their software vendors' cybersecurity programs.
- When a supply chain attack happens, each affected organization also ends up being reliant on the targeted software provider for information about the threat and patches to protect its systems.
The intrigue: Visibility also isn't as simple as knowing which vendors are on an organization's networks. Companies can also be at risk if there are vulnerabilities in their vendors' own software vendors.
- One example is the recent North Korea-linked 3CX supply chain attack, which researchers at Mandiant have said started as a cyberattack on another platform, X_Trader.
Yes, but: The Biden administration is pushing new initiatives to help bring greater visibility into organizations' networks.
Sign up for Axios’ cybersecurity newsletter Codebook here
