What is Supply Chain Attack?


A supply chain attack is a type of cyberattack that targets less-secure elements in an organization's supply chain rather than attacking the organization directly.


In recent years, supply chain attacks have caused damage across the globe. A supply chain attack is a type of cyberattack that targets the trusted relationships between organizations, using one compromised partner as a stepping-stone to infiltrate others. The goal is to infiltrate an organization’s network or systems by compromising a third-party vendor, supplier, or partner that has access to its data, software, or network infrastructure.

The hallmark of a supply chain attack is that it allows attackers to infiltrate systems indirectly by first compromising less secure parts of an organization's supply chain, such as third-party vendors. Because these third parties are embedded in daily operations, attackers can go unnoticed until significant damage has already been done.

Key Characteristics of Supply Chain Attacks

Indirect Approach

Instead of attacking the target organization directly, attackers compromise a trusted third party, such as a software provider, hardware supplier, or service contractor. This third party then becomes a conduit for delivering the malicious payload to the final target.

Complexity and Scale

Supply chain attacks can be complex, involving multiple stages and affecting a large number of organizations. The attackers may insert malicious code or hardware at different stages of the supply chain, making detection difficult.

Trust Exploitation

These attacks exploit the trust relationships between an organization and its suppliers. Since third-party vendors often have privileged access to an organization’s systems or sensitive data, they become an attractive target for attackers.

Widespread Impact

The impact of a supply chain attack can be significant, affecting not just the primary target but potentially thousands of other organizations that rely on the compromised third party.

Types of Supply Chain Attacks

Supply chain attacks can be categorized into three types based on their point of origin:

Software supply chain attacks

A software supply chain attack involves compromising the processes used to develop or deliver software in order to insert malicious code into the software itself or its update programs. This allows attackers to infiltrate target organizations through seemingly legitimate software.

Common attack vectors include open-source code, system administration tools, and commonly used applications. Instead of breaching a company directly, attackers typically begin by breaching the systems of a trusted third-party software provider, the company that develops the software or hosts its downloads. From there, they leverage update servers or distribution channels to deliver compromised versions to unsuspecting users.

If the compromised software is widely used, the attacker can potentially trigger a large-scale, high-impact attack affecting numerous organizations at once.


Service supply chain attacks

A service supply chain attack targets service providers, such as Managed Service Providers (MSPs), and uses their trusted access to deploy malware across multiple customer environments.

A well-known example is the 2021 ransomware attack involving Kaseya VSA, a remote IT management service. Attackers compromised MSPs using Kaseya VSA, and then spread ransomware to many of their downstream customers. Since MSPs are entrusted with managing and operating client networks, attackers can use them as distribution points for malware like ransomware.

In this case, the attack exploited the nature of MSP services, affecting both the MSPs using Kaseya VSA and their clients, who relied on those MSPs. The large-scale impact was significant, as reports estimated that up to 1,500 companies were affected by the ransomware attack.


Business supply chain attacks

Business supply chain attacks target the broader ecosystem of partners, vendors, logistics providers, and suppliers that enable day-to-day operations, using those relationships to infiltrate the primary target organization.

This method has become so common that it can now be considered a standard tactic for gaining access to organizations.

Trend Micro has consistently observed cyberattack groups such as Earth Hundun (also known as BlackTech) and Earth Tengshe (linked to APT10) compromising overseas branches of companies first, and then using that access to infiltrate their primary domestic operations, which are the actual intended targets.


Categories of Supply Chain Attacks

  • Compromised Software Updates: Attackers inject malicious code into software updates that are distributed to a large number of users.
  • Compromised Third-Party Software Libraries: Insertion of malicious code into third-party libraries or dependencies that are integrated into legitimate software products.
  • Compromised Hardware or Firmware: Insertion of malicious hardware components or firmware into products during the manufacturing or distribution process.
  • Hijacking Developer Tools: Compromising the tools used by developers, such as Integrated Development Environments (IDEs) or Continuous Integration/Continuous Deployment (CI/CD) pipelines.
  • Compromised Software Dependencies: Injecting malicious code into legitimate software dependencies that are widely used.
  • Data Exfiltration via Exploited Protocols: Exploiting vulnerabilities in protocols like SMB, TLS, SSH, or directly targeting databases through methods like SQL injection to exfiltrate data.
  • Targeting Open Source Projects: Attacking open-source projects that are widely used, inserting malicious code that can affect many downstream projects.
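The software supply chain section above and the "Compromised Software Updates" and "Compromised Software Dependencies" categories both come down to the same defensive control: an artifact that arrives through an update server or package channel is only installed if it matches a hash pinned when that version was reviewed. The following is an added example written for this article, not code from the original page or from any vendor; every package name, version, and artifact is constructed, and the lockfile format (`name==version --hash=sha256:<digest>`) is assumed for the demonstration.

```python
# Added example (not from the original article): reject a tampered update or
# dependency by checking each fetched artifact against a pinned lockfile.
# Package names, versions and artifact bytes are constructed for the demo.
import hashlib
import re

# Assumed lockfile line format: name==version --hash=sha256:<64 hex chars>
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)

def parse_lockfile(text):
    """Return {name: (version, digest)}. Floating versions or missing hashes
    are a policy failure: an unpinned entry would accept whatever the channel serves."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed lock entry: {line}")
        pins[m["name"]] = (m["version"], m["digest"])
    return pins

def verify_artifacts(pins, artifacts):
    """Compare the SHA-256 of each served artifact with its pin. Returns (ok, failures)."""
    failures = []
    for name, (version, expected) in pins.items():
        data = artifacts.get(name)
        if data is None:
            failures.append((name, "artifact missing"))
        elif hashlib.sha256(data).hexdigest() != expected:
            failures.append((name, f"hash mismatch for {name}=={version}"))
    return (not failures, failures)

def make_lockfile(artifacts, versions):
    """Pin the artifacts that were reviewed at pin time (constructed contents)."""
    lines = ["# constructed lockfile"]
    for name, data in artifacts.items():
        lines.append(f"{name}=={versions[name]} --hash=sha256:{hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines)

def check_update(lock_text, served_artifacts):
    """Gate an update: parse the pins, then verify what the channel actually served."""
    return verify_artifacts(parse_lockfile(lock_text), served_artifacts)

GOOD_ARTIFACTS = {"netlib": b"def connect(host): ...\n", "logfmt": b"def fmt(rec): ...\n"}
VERSIONS = {"netlib": "2.4.1", "logfmt": "0.9.0"}

if __name__ == "__main__":
    lock = make_lockfile(GOOD_ARTIFACTS, VERSIONS)
    served = dict(GOOD_ARTIFACTS)
    served["logfmt"] = GOOD_ARTIFACTS["logfmt"] + b"# unexpected extra bytes\n"  # simulated tampering
    print(check_update(lock, served))
```

The same check applies whether the artifact is a library pulled by a build, a vendor update package, or a container image: the pin is recorded from a reviewed copy, and a mismatch from the distribution channel fails the install rather than being ignored.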

Examples of Supply Chain Attacks

SolarWinds Attack (2020)

Attackers infiltrated SolarWinds’ Orion software update mechanism, delivering malicious updates to over 18,000 customers, including government agencies and major corporations.

Resource: CISA Alert on SolarWinds

RockYou2024 (2024)

The “RockYou2024” password leak, where nearly 10 billion previously compromised credentials were compiled and posted on a hacking forum, highlights the significant supply chain risk posed by the aggregation, reuse, and public exposure of breached credentials across multiple platforms and services.

Resource: Nearly 10 Billion Passwords Leaked in Biggest Compilation of All Time

Large Language Models (LLMs) and Public Chatbots (2024)

Public chatbots powered by LLMs can inadvertently expose sensitive internal information shared during interactions. Such leaks exploit the trust companies place in these AI services and underscore the risk of relying on external AI platforms that may unintentionally disclose confidential data through their learning and interaction processes.

Resource: OpenAI’s Custom Chatbots Are Leaking Their Secrets

PHP Git Server Compromise (2021)

Attackers compromised the Git server of PHP, attempting to insert a backdoor into the source code of the popular web scripting language.

Resource: ZDNet on PHP Git Server Hack

IoT and OT Compromises

Lateral movement from an initial attack vector, such as spear phishing, to IoT or OT devices such as cameras and printers can also be seen as a form of island hopping.

Resource: Krebs on Security Report

US National Public Data (2024)

The breach was enabled by vulnerabilities in a sister property, RecordsCheck, which allowed attackers to exploit trust relationships between related services to access sensitive data.

Resource: National Public Data Breach: Only 134 Million Unique Emails Leaked and Company Acknowledges Incident

Trend Vision One Platform

Stopping adversaries faster and taking control of your cyber risks starts with a single platform. Manage security holistically with comprehensive prevention, detection, and response capabilities powered by AI, leading threat research and intelligence.

Trend Vision One supports diverse hybrid IT environments, automates and orchestrates workflows, and delivers expert cybersecurity services, so you can simplify and converge your security operations.