Supply chains are just as vulnerable to threats and attacks as data and software. We’ve always been told to be wary of things like emails from unrecognised or unfamiliar addresses, and to be careful about who we share our credentials with. However, hackers are now starting to attack the hardware and software that make up supply chains at their very source.
What is a supply chain attack?
A supply chain attack is a cyber attack that damages an organisation by targeting less well-protected elements of its supply chain. It can occur in any industry, whether that be the financial sector, the government sector or the oil industry. Cybercriminals are known to interfere with the manufacturing process of a product in order to sabotage it, using a set of software tools known as a rootkit or hardware-based spying devices.
Hackers attack supply chains by writing malicious code or planting a malicious component in a company’s trusted hardware or software. By compromising a supplier in this way, cybercriminals are able to hijack the supplier’s distribution systems and turn anything that supplier sells, any software update it ships and even any physical equipment delivered to customers into a Trojan horse. With the malware carefully placed, the attackers have control over the supplier’s customer networks, which in some cases can amount to hundreds or even thousands of victims.
What is a Trojan horse?
Similar to the wooden horse used by Greek soldiers to enter the city of Troy undetected, a Trojan horse in cybersecurity is a type of malware that misleads its target about its true intent in order to gain access to their software or hardware.
An example of a Trojan horse in use is when a cybercriminal lures their target with a seemingly harmless email attachment, such as a form to be filled in, or encourages them to click on a fake social media advertisement. This is the Trojan horse, and if the target complies, it can give the attacker access to the victim’s computer.
Explaining why supply chain attacks are particularly damaging, Nicholas Weaver, a security researcher at UC Berkeley's International Computer Science Institute, said: “Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor”.
SolarWinds: An example of a supply chain attack
An example of a severe supply chain attack happened in December last year. Russian hackers working for the country’s foreign intelligence service, the SVR, hacked the software organisation SolarWinds, planting malicious code in its Orion IT management software. This allowed them to gain access to almost 18,000 networks that used Orion around the world.
The SVR then went deeper into the networks of US federal organisations, including the US Department of State, the US Department of Defense, the Department of Justice and NASA.
The rise of supply chain attacks and future protection
Threats and attacks aimed at supply chains are on the rise, and one reason for this could be the improved defences around the more common targets of cyber attacks. As a result, cybercriminals have turned their attention to more vulnerable areas with easier access, such as supply chain networks. Nicholas Weaver from UC Berkeley’s International Computer Science Institute said: “It's partially that you want bang for your buck, and partially it's just that supply chain attacks are indirect. Your actual targets are not who you're attacking. If your actual targets are hard, this might be the weakest point to let you get into them”.
Preventing future supply chain attacks, however, is not a simple task, because hardware supply chain attacks are notoriously hard to detect. Beau Woods, a Senior Advisor to the Cybersecurity and Infrastructure Security Agency, suggests that one way to prevent them in the future is for companies to focus more on the organisational side of the problem than on the technological one. “Companies and government agencies need to know who their software and hardware suppliers are, vet them, hold them to certain standards”, he said.
He concluded that the same vetting is “just as necessary across the private sector. And private companies—just as much as federal agencies—shouldn't expect the epidemic of supply chain compromises to end any time soon”.