Supply Chain Attacks: Examples and Countermeasures
What Is a Supply Chain Attack?
A supply chain attack is one in which an attacker reaches your systems through an outside provider or partner that already has access to your data and infrastructure. Because that third party has been granted legitimate rights to use and change parts of your network, your applications, or your sensitive data, the attacker does not have to break in directly: it is enough to penetrate the third party's defenses or to plant a backdoor in a product the vendor supplies to you.
Supply chain attacks are diverse. They have hit large companies, as in the Target breach, where the attackers entered through credentials issued to a heating and ventilation contractor; normally dependable systems, as when malware is loaded onto automated teller machines (ATMs) to dispense cash; and governments, as with the Stuxnet worm, which was built to sabotage equipment in Iran's nuclear facilities.
Sources of Supply Chain Attacks
Some of the most common sources of supply chain attacks are commercial software, open-source supply chains, and foreign products.
Commercial Software Products
Hundreds or even thousands of companies may run the same vendor's software, so an attacker who penetrates that vendor's systems or compromises the integrity of its product gains a path into a great number of targets at once.
If attackers can plant malicious code in software that companies purchase, they do not have to break into each company's systems separately. They may also try to steal the penetration-testing tools that security vendors provide to their clients and use those tools to gain a foothold in victims' networks.
One way attackers have compromised software is through compiler attacks. A compiler translates source code into machine code (or into another language). In a compiler attack, the compiler itself is modified so that it quietly inserts malicious code into the programs it produces, even though the source code being compiled looks clean.
Open-source Supply Chains
With open-source software, anyone can contribute to a project. Attackers have used that openness to introduce vulnerabilities or backdoors into open-source components, which then flow into every product that depends on them.
Even though other members of the development community can see and review what a perpetrator submits, they may not know what to look for, so a variety of weaknesses can slip through.
Foreign Products
In countries like China, where the government can exercise deep, granular control over what private companies produce, software products may contain malicious code that the government required the producer to include.
Nor does the inclusion of such code have to be sanctioned by a government. Malicious actors can infiltrate companies and slip their code into otherwise legitimate products; when those products are bought in other countries, attackers on the other side of the border can end up with access to sensitive systems.
How Do Supply Chain Attacks Work?
For a supply chain attack to work, attackers have to insert malicious code into software, or find a way to compromise a network protocol or hardware component, somewhere upstream of the target. Once that foothold exists, they use it to reach the target's critical digital resources.
Because many compromised products come from trusted vendors, they pass through defenses that would stop an unknown binary. Attackers often deliver the payload through an application update, which, ironically, is the very mechanism meant to close security holes.
Types of Supply Chain Attacks
There are several kinds of supply chain attacks, all of which involve creating or taking advantage of security weaknesses in solutions companies trust. They include:
- Stolen certificates. If an attacker steals the code-signing certificate a company uses to vouch for its software, they can sign malware with it, and the malware will appear to be a legitimate product of that company.
- Compromised software development tools or infrastructure. Attackers tamper with the tools and systems used to build software (compilers, build servers, package repositories) so that weaknesses are introduced during the build process itself, before any application ships.
- Malware preinstalled on devices. Attackers load malware onto phones, Universal Serial Bus (USB) drives, cameras, and other devices, and when the target connects one to a system or network, the malicious code is introduced.
- Code included in the firmware of components. Digital hardware is controlled by firmware that helps it run smoothly and interface with users and other systems. Hackers can include malicious code in firmware to gain access to a system or network.
Examples of Recent Supply Chain Attacks
Attacks on supply chains have recently produced several high-profile incidents. In each of the following examples, the systems or software of trusted vendors were compromised.
Dependency Confusion, 2021
A security researcher, Alex Birsan, was able to get code running inside Microsoft, Uber, Apple, and Tesla. He took advantage of the way applications pull in dependencies: when a company uses an internal package name that does not exist on the public registry, a package manager configured to search both the private and the public index may prefer a public package with the same name and a higher version number. Birsan uploaded benign proof-of-concept packages under such names to public registries, and the companies' build systems fetched and ran them in place of the real internal packages.
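The resolution behaviour that dependency confusion exploits, and the fix, as an added example (this is not Birsan's code nor any vendor's; the package names, versions, and registry snapshot are constructed for illustration). ResolveNaive mimics a package manager with a public index configured as an extra source, where the highest version wins regardless of origin; ResolvePinned scopes every internal name to the private feed; Shadowed reports which internal names an attacker has squatted. Go is used here only so the example runs with the standard library alone.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Feed identifies where a package version was published: the company's
// private registry or a public one such as npm or PyPI.
type Feed string

const (
	PrivateFeed Feed = "private"
	PublicFeed  Feed = "public"
)

// Candidate is one published version of one package on one feed.
type Candidate struct {
	Name    string
	Version string
	Feed    Feed
}

// parseVersion reads "MAJOR.MINOR.PATCH"; unparsable strings sort lowest so
// they can never win a resolution.
func parseVersion(v string) [3]int {
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{-1, -1, -1}
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{-1, -1, -1}
		}
		out[i] = n
	}
	return out
}

// newer reports whether version a is strictly greater than version b.
func newer(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] > pb[i]
		}
	}
	return false
}

// ResolveNaive mimics a package manager with a public index configured as an
// extra source: every feed is searched and the highest version wins, no matter
// where it came from. This is the behaviour dependency confusion abuses.
func ResolveNaive(name string, cands []Candidate) (Candidate, bool) {
	var best Candidate
	found := false
	for _, c := range cands {
		if c.Name != name {
			continue
		}
		if !found || newer(c.Version, best.Version) {
			best, found = c, true
		}
	}
	return best, found
}

// ResolvePinned is the mitigation: a name registered as internal may only be
// satisfied from the private feed, so a higher public version is ignored.
func ResolvePinned(name string, cands []Candidate, internal map[string]bool) (Candidate, bool) {
	var best Candidate
	found := false
	for _, c := range cands {
		if c.Name != name {
			continue
		}
		if internal[name] && c.Feed != PrivateFeed {
			continue // a public package must never satisfy an internal name
		}
		if !found || newer(c.Version, best.Version) {
			best, found = c, true
		}
	}
	return best, found
}

// Shadowed lists the internal names a naive resolver would fetch from the
// public feed, i.e. the packages an attacker has successfully squatted.
func Shadowed(cands []Candidate, internal map[string]bool) []string {
	var out []string
	for name := range internal {
		if c, ok := ResolveNaive(name, cands); ok && c.Feed == PublicFeed {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// SampleCandidates is a constructed registry snapshot (not real packages):
// two internal packages plus an attacker's public upload squatting one of them.
func SampleCandidates() []Candidate {
	return []Candidate{
		{"acme-auth", "1.4.2", PrivateFeed},
		{"acme-billing", "2.0.1", PrivateFeed},
		{"acme-auth", "99.0.0", PublicFeed}, // attacker-controlled upload
		{"left-pad", "1.3.0", PublicFeed},   // ordinary public dependency
	}
}

func main() {
	cands := SampleCandidates()
	internal := map[string]bool{"acme-auth": true, "acme-billing": true}
	fmt.Println("squatted internal names:", Shadowed(cands, internal))
	for _, name := range []string{"acme-auth", "left-pad"} {
		n, _ := ResolveNaive(name, cands)
		p, _ := ResolvePinned(name, cands, internal)
		fmt.Printf("%-12s naive -> %s@%s   pinned -> %s@%s\n", name, n.Feed, n.Version, p.Feed, p.Version)
	}
}
```

In practice the pinning is done in the package manager's configuration (a single index URL for pip rather than an extra one, a scoped registry in .npmrc) and by registering your internal names on the public registry so nobody else can; the code above only makes the difference between the two resolution rules visible.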
Mimecast, 2021
In the Mimecast attack, hackers compromised a certificate that Mimecast had issued to customers for authenticating certain Mimecast products to Microsoft 365 Exchange Web Services. Mimecast reported that about 10% of its customers used the affected connection, though only a small number of them were actually targeted.
SolarWinds, 2020
The SolarWinds attack was carried out by injecting a backdoor, known as SUNBURST, into builds of the Orion IT monitoring platform, which were then distributed to customers through SolarWinds' own update mechanism. The trojanized update had been downloaded by about 18,000 customers.
ASUS, 2019
The attack on ASUS, according to Symantec researchers, abused the vendor's automatic update feature and impacted as many as 500,000 systems. A malicious update, signed with legitimate ASUS certificates so that it passed the updater's checks, was pushed to users' machines through the normal update channel.
event-stream, 2018
In the event-stream attack, a widely used open-source JavaScript package published on the npm registry was handed over by its original maintainer to a new contributor, who then added a dependency carrying malicious code. The package's source is hosted on GitHub, and because it was pulled in automatically as a dependency of other software, an unknown number of applications received the malicious version.
Best Practices to Counter Supply Chain Attacks
To fight supply chain attacks, companies can integrate a number of techniques, ranging from addressing issues with their general cybersecurity infrastructure to ensuring endpoints are secured against infiltration.
Audit Unapproved Shadow IT Infrastructure
With shadow IT, employees use services that the IT department does not oversee, ranging from security software to communication tools. Auditing these services may reveal vulnerabilities that supply chain attackers can exploit.
Have an Updated and Effective Software Asset Inventory in Place
Each software asset, however useful, is a potential entry point. With an up-to-date inventory of all the software your company uses, you can track which applications, updates, and upgrades may present security issues, and you can reduce the number of potential attack vectors by categorizing your solutions according to the risk they carry.
Assess a Vendor’s Security Posture
If you ensure each vendor provides a full description of their security measures, you can get an idea of how safe their products are. You can also have a cybersecurity professional examine the information vendors provide to see if what they have in place is adequate.
Treat Validation of Supplier Risk as an Ongoing Process
A supplier may be safe in Q1 but the source of an attack in Q2. Evaluate the risk presented by each supplier continuously, periodically verifying the safety of each one.
Use Client-side Protection Tools
In a client-server model, users download data provided by a server. With client-side protection tools, you can filter downloaded content, looking for—and stopping—malicious code before it gets installed on a machine on your network.
Use Endpoint Detection and Response Solutions
Supply chain cyberattacks often take advantage of inadequately secured endpoints. An endpoint detection and response (EDR) system can spot the behaviour a compromised component exhibits after it is installed, such as unexpected processes, network connections, or file changes, and contain the affected endpoint. As a result, the endpoint cannot be used to spread the attack to other areas of your network.
Deploy Strong Code Integrity Policies To Allow Only Authorized Apps To Run
Code integrity policies are rules that dictate whether an application is allowed to run, typically by checking that its code is signed by a trusted publisher or matches an approved hash. If an application fails the check, the system blocks it. Maintaining a strict set of such policies limits how many supply chain attacks can gain a foothold, because a tampered or unknown binary will not execute even if it arrived through a trusted channel.
Strict rules may occasionally cause legitimate apps to be flagged, but it is better to be safe than sorry. Invest a little extra time investigating flagged apps rather than loosening the policy.
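A minimal hash-based allow-list engine, as an added example (not code from any product): the policy is keyed by the SHA-256 of each approved binary's contents rather than its path, so a binary replaced in place by a tampered update stops matching; an audit-only mode records what enforcement would have blocked, which is how the "flagged legitimate apps" of the previous paragraph are found before enforcement is switched on. The sample scripts are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the policy engine's decision for one executable.
type Verdict struct {
	Allowed    bool   // may the program run?
	WouldBlock bool   // would enforcement have stopped it? (set in audit mode too)
	Reason     string // explanation for the log
}

// Policy is keyed by the SHA-256 of each approved binary's contents, not by
// its path: a binary silently replaced by a tampered update keeps its path
// but not its hash, so it stops matching.
type Policy struct {
	approved  map[string]string // content hash -> label
	AuditOnly bool              // log instead of block, for rollout and tuning
}

func NewPolicy(auditOnly bool) *Policy {
	return &Policy{approved: map[string]string{}, AuditOnly: auditOnly}
}

func hashOf(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

// Approve records a binary as authorized to run.
func (p *Policy) Approve(label string, contents []byte) {
	p.approved[hashOf(contents)] = label
}

// Evaluate decides whether the program at path, with these contents, may run.
func (p *Policy) Evaluate(path string, contents []byte) Verdict {
	h := hashOf(contents)
	if label, ok := p.approved[h]; ok {
		return Verdict{Allowed: true, Reason: fmt.Sprintf("ALLOW %s: matches approved %q", path, label)}
	}
	reason := fmt.Sprintf("%s: hash %s... is not on the allow-list", path, h[:12])
	if p.AuditOnly {
		return Verdict{Allowed: true, WouldBlock: true, Reason: "AUDIT (would block) " + reason}
	}
	return Verdict{Allowed: false, WouldBlock: true, Reason: "BLOCK " + reason}
}

func main() {
	// Constructed sample binaries, not real software.
	approved := []byte("#!/bin/sh\necho nightly backup\n")
	tampered := []byte("#!/bin/sh\necho nightly backup\n# extra line introduced by a bad update\n")

	policy := NewPolicy(false)
	policy.Approve("backup.sh v1.0", approved)
	fmt.Println(policy.Evaluate("/opt/bin/backup.sh", approved).Reason)
	fmt.Println(policy.Evaluate("/opt/bin/backup.sh", tampered).Reason) // same path, different hash

	policy.AuditOnly = true
	fmt.Println(policy.Evaluate("/opt/bin/backup.sh", tampered).Reason)
}
```

Real enforcement lives in the operating system (Windows Defender Application Control, macOS Gatekeeper, Linux IMA or fapolicyd) and usually trusts a publisher's signing certificate as well as individual hashes; the point of the example is the decision logic and the audit-first rollout.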
Maintain a Highly Secure Build and Update Infrastructure
To keep your builds and updates secure, have a process for regularly installing security patches for your operating systems and the software you run, allow only trusted tools to run on build systems, and require multi-factor authentication (MFA) for administrators.
Build Secure Software Updates as Part of the Software Development Life Cycle
To make secure updaters a standard element of your life cycle:
- Require Transport Layer Security (TLS), the successor to secure sockets layer (SSL), for every connection the updater makes.
- Require that everything the updater consumes is digitally signed, including scripts, files, packages, and Extensible Markup Language (XML) files, and verify the signature before use.
- Never let the software accept generic, unsigned input or commands.
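How the signing and verification steps fit together on the client side, as an added example (not the updater of any product named on this page). It uses Ed25519 from the Go standard library; the product name, version numbers, and update payload are constructed. The signature covers a manifest that pins the payload's SHA-256, so neither the manifest nor the payload can be altered without verification failing. It goes one step beyond the list above by also refusing an update whose version is not newer than what is installed, since an attacker who cannot forge a signature may still replay an old, vulnerable but validly signed release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update: which product, which version, and the
// SHA-256 of the payload. The vendor signs the manifest; the manifest pins
// the payload.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

var (
	ErrBadSignature    = errors.New("manifest signature invalid or missing")
	ErrWrongProduct    = errors.New("manifest is for a different product")
	ErrRollback        = errors.New("update is not newer than the installed version")
	ErrPayloadMismatch = errors.New("payload hash does not match manifest")
)

// GenerateVendorKey creates the vendor's signing key pair. In production the
// private half lives in an HSM or a signing service, never on a build box.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

func NewManifest(product string, version int, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// Sign is the build-side step: serialise the manifest and sign the bytes.
func Sign(priv ed25519.PrivateKey, m Manifest) (manifestBytes, sig []byte, err error) {
	manifestBytes, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestBytes, ed25519.Sign(priv, manifestBytes), nil
}

// VerifyUpdate is the client-side step. pub is the vendor key pinned in the
// client. The signature is checked before the manifest is even parsed, so
// unsigned or tampered input is rejected without being interpreted.
func VerifyUpdate(pub ed25519.PublicKey, manifestBytes, sig, payload []byte, product string, installed int) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestBytes, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, ErrWrongProduct
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrPayloadMismatch
	}
	return m, nil
}

func main() {
	pub, priv := GenerateVendorKey()
	payload := []byte("constructed update payload for agent version 7")
	manifestBytes, sig, _ := Sign(priv, NewManifest("agent", 7, payload))

	for _, tc := range []struct {
		name      string
		sig       []byte
		payload   []byte
		installed int
	}{
		{"genuine update", sig, payload, 6},
		{"tampered payload", sig, append([]byte("x"), payload...), 6},
		{"unsigned manifest", nil, payload, 6},
		{"replayed old version", sig, payload, 7},
	} {
		_, err := VerifyUpdate(pub, manifestBytes, tc.sig, tc.payload, "agent", tc.installed)
		fmt.Printf("%-22s -> %v\n", tc.name, err)
	}
}
```

Pinning the public key in the client (or in a trust store the client controls) is what makes this a defense: if the key is fetched over the same channel as the update, whoever controls the channel controls both.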
Develop an Incident Response Process
Your incident response process should be systematic and incorporate honest and transparent information dissemination. This includes letting internal stakeholders and customers know—in a timely manner—when something has happened, as well as the cause and steps taken to mitigate the problem.
How Fortinet Can Help
Fortinet offers organizations a range of tools to enhance security and enable integration while reducing complexity. These tools include:
- Secure Access Service Edge (SASE) system or FortiSASE Secure Internet Access (SIA)
- Software-defined wide-area network (SD-WAN) solutions
- Intelligence and insight provided by FortiGuard Labs
FortiSASE SIA inspects all internet traffic in the cloud for remote workers and those connecting to cloud services from your business's campus. At the same time, FortiSASE SIA provides fast, efficient access to services housed within your data center for those that need safe, responsive workflows. FortiSASE SIA integrates seamlessly with other Fortinet products and services because it leverages FortiOS behind the scenes.
With the Fortinet SD-WAN offering, you can simplify how traffic is managed, balanced, and monitored—all from a central control interface. With SD-WAN from Fortinet, you can ensure the efficiency and security of your traffic, stopping supply chain attacks before they do any damage using comprehensive single-pane-of-glass access.
FortiGuard Labs is built on artificial intelligence-powered environments that continuously analyze your ecosystem and ensure all products use identical, recent, and relevant security data and insights. With FortiGuard informing your security components, you can interrupt the attack sequence, stopping the malware, ransomware, and phishing that supply chain assaults often deliver from gaining a foothold within your network or endpoints.
How do supply chain attacks work?
For a supply chain attack to work, attackers have to insert malicious code into software, or find a way to compromise a network protocol or hardware component, somewhere upstream of the target. Once that foothold exists, they use it to reach the target's critical digital resources.
What is a supply chain attack?
A supply chain attack is one in which an attacker reaches your systems through an outside provider or partner that already has access to your data and infrastructure.
How can supply chain attacks be prevented?
You can prevent supply chain attacks if you:
- Audit unapproved shadow IT infrastructure
- Have an updated and effective software asset inventory in place
- Assess vendors' security posture
- Treat validation of supplier risk as an ongoing process
- Use client-side protection tools
- Use endpoint detection and response (EDR) solutions
- Deploy strong code integrity policies to allow only authorized apps to run
- Maintain a highly secure build and update infrastructure
- Build secure software updaters as part of the software development life cycle
- Develop an incident response process
How do you detect a supply chain attack?
You can detect a supply chain attack with monitoring that flags abnormal behaviour on devices and within applications and systems, for example a freshly updated component that starts making network connections or spawning processes it never did before.