Aitor Azpiroz, Cyber Respond Lead at Holcim EMEA Digital Center, shares with us what a supply chain attack is and some examples that show the challenges organizations face and how cyber defences need to be developed and maintained.
WHAT IS A SUPPLY CHAIN ATTACK AND HOW TO PREVENT IT?
Supply chain attack: what it is and how it can affect business
In March this year, 3CX, an international VoIP IPBX software developer, announced that its desktop application client had been compromised in a supply chain attack aimed at deploying malware that could have affected any of the 600,000 companies worldwide and over 12 million users that use the application daily.
The European Union Agency for Cybersecurity (ENISA) defines the Supply Chain in cybersecurity as the ecosystem of processes, people, organizations, and distributors involved in the creation and delivery of a final solution or product that involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores) and management software.
A supply chain attack is a type of cyberattack that targets a supplier (entity that supplies a product or service to another entity) and its assets, which is then used to attack another supplier or the final customer (entity that consumes the product or service produced by the supplier). Both the supplier and the customer have to be targets.
Historically, and still nowadays, the term supply chain attack has referred to attacks against trusted third-party suppliers breached in order to gain access to their customers. This is what happened in 2013 to Target, a US retail corporation, where the attacker accessed their systems by means of an HVAC contractor account, which ended in the theft of 40 million credit and debit card records and an $18.5 million multistate settlement.
This threat has evolved in recent years and today it also involves software developers and suppliers, given the fact that modern software is written by continuously reusing open source code from public repositories, proprietary code from software vendors and third-party APIs, among others. The attackers break into these developers' environments and repositories in order to change source code and hide malware in build and update processes.
Example of Software Supply Chain attack. Source: ncsc.gov.uk.
Vendors are typically unaware that their apps or updates have been infected with malicious code when they are released, therefore they are signed, certified and trusted by customers in general. The malware will then be run by customers who are unaware of the situation. Hence the risk posed by this threat.
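As an added illustration (not code from the article or from Holcim), the Python below checks downloaded build inputs against digests the consumer pinned when it reviewed them, the way a lock file does: an artifact altered in the build or update process is flagged as tampered even though the vendor's own signature on it would still verify, and an artifact nobody pinned is flagged as well. Package names, versions and contents are constructed for the example.

```python
"""Verify build inputs against a consumer-pinned digest manifest (added example)."""
import hashlib
import hmac

# Constructed manifest in lock-file style: (name, version) -> sha256 pinned at
# review time. Digests derive from the sample bytes below, not real packages.
PINNED = {
    ("libparse", "1.4.2"): hashlib.sha256(b"libparse-1.4.2 reviewed contents").hexdigest(),
    ("netutil", "0.9.0"): hashlib.sha256(b"netutil-0.9.0 reviewed contents").hexdigest(),
}

# Constructed "downloaded update": netutil keeps its version string but its bytes
# were altered after review (what a build-process implant looks like), and an
# unreviewed package has appeared alongside the pinned ones.
DOWNLOADED = {
    ("libparse", "1.4.2"): b"libparse-1.4.2 reviewed contents",
    ("netutil", "0.9.0"): b"netutil-0.9.0 reviewed contents" + b"\x00implant",
    ("telemetry", "2.0.0"): b"never reviewed",
}


def verify_artifacts(manifest, downloaded):
    """Return {(name, version): "ok" | "tampered" | "unpinned" | "missing"}.

    manifest:   {(name, version): sha256 hex pinned by the consumer}
    downloaded: {(name, version): artifact bytes received from the supplier}
    """
    results = {}
    for key, content in downloaded.items():
        expected = manifest.get(key)
        if expected is None:
            results[key] = "unpinned"      # reached the build without review
            continue
        actual = hashlib.sha256(content).hexdigest()
        # compare_digest: constant-time, so timing does not reveal matched bytes
        results[key] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for key in manifest:
        if key not in downloaded:
            results[key] = "missing"       # a pinned input silently dropped
    return results


def build_allowed(results):
    """Proceed only when every pinned input is present and unchanged."""
    return all(state == "ok" for state in results.values())


if __name__ == "__main__":
    for key, state in sorted(verify_artifacts(PINNED, DOWNLOADED).items()):
        print(f"{key[0]}=={key[1]}: {state}")
```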
These attacks are characterized by being targeted, complex and costly, and involving long-term planning by the attackers. In order for a supply chain attack to be successful, several breaches are involved and coordinated, which indicates the degree of sophistication of the adversaries, who are usually state-sponsored groups, such as APT29 (Russia) in the Solarwinds attack (2020) and UNC4736 (Korea) in the 3CX attack (2023), or criminal organizations, like REvil Group (Russia), responsible for the Kaseya attack (2021).
Supply chain attack. #1 threat by 2030
In March 2023 ENISA published the “Foresight Cybersecurity Threats for 2030” report, which highlights that supply chain breaches of software dependencies will be the #1 threat by 2030, stating that even with continuous code monitoring, the combination of software, hardware and component-based code will create unmonitored interactions and interfaces that will lead to new and unforeseen vulnerabilities.