Supply chain attacks, where an attacker compromises a supplier in order to gain access to that supplier’s customers, have become increasingly common and devastating in recent years. High-profile incidents like the SolarWinds and Kaseya attacks have demonstrated just how much damage a single well-placed compromise can enable.
In our complex and interconnected digital ecosystem, organizations are more reliant than ever on third-party suppliers and service providers. This reliance necessitates trust, and that trust can be abused by attackers to gain access to networks and systems they could not otherwise breach directly. As attackers become more ambitious and the potential rewards grow ever larger, supply chain attacks will likely continue to increase.
Several factors have contributed to the rise in supply chain attacks:
Complexity of Modern Tech Ecosystem
The modern technology ecosystem is incredibly complex, with organizations relying on countless software vendors, cloud providers, and IT service companies. This complexity and interdependency make it difficult to maintain security and provide attackers with many opportunities to find weak links in the supply chain.
Value of Upstream Victims
Major software and service providers are tempting targets due to their immense customer base. A single compromise of one of these key suppliers can give an attacker access to thousands of potential victims downstream. Attackers are increasingly pursuing high-value upstream targets as an efficient means to mass compromise.
Software Supply Chain Vulnerabilities
The vast ecosystem of software components and code libraries modern applications rely upon provides ample attack surface. Vulnerabilities like Log4Shell and Heartbleed have shown how weaknesses in commonly used software packages can impact an enormous number of downstream users.
Software Theft and Analysis
Source code theft is on the rise, likely due to the value in analyzing proprietary code for vulnerabilities. Thefts at companies like Microsoft, Okta, and Dropbox show that attackers recognize the strategic value in stealing source code, which could enable future supply chain attacks.
Nation-State Involvement
Supply chain attacks are an attractive vector for advanced nation-state attackers due to the potential to access many high-value targets through a single intrusion. The US government has attributed recent attacks like SolarWinds to Russian state actors. Nation-state involvement is likely to drive further innovation in supply chain attacks.
In response to the supply chain threat, governments around the world have proposed legislation to improve software supply chain security. The EU, UK, US, and China have all either passed or proposed laws that define critical infrastructure, impose security requirements on suppliers, mandate incident reporting, and encourage diversification of supply chains. While increased regulation may help curb attacks, the fundamental complexity that enables these attacks cannot be entirely regulated away.
Some of the most severe supply chain attacks in recent years include:
- 3CX – In 2023, the VoIP provider was compromised, resulting in backdoored software updates that were pushed to hundreds of thousands of customers.
- Kaseya – A 2021 attack on this remote monitoring tool provider led to ransomware infections in over 1,500 downstream businesses.
- SolarWinds – Russian state hackers trojanized software updates for this IT management tool in 2020, impacting thousands of organizations globally.
- Codecov – After this testing tool provider was hacked in 2021, backdoored software updates were distributed, impacting hundreds of tech firms.
- Heroku – Compromise of this PaaS provider in 2022 allowed access to customer GitHub repositories containing sensitive code and data.
Beyond attacks on software and service providers, tactics like dependency confusion and typosquatting exemplify risks further down the software supply chain that can impact end users. Poisoned packages uploaded to public repositories or third-party app stores demonstrate that the sprawling web of code dependencies introduces immense risk.
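As an added illustration of how a defender can screen for the two tactics just named (this is example code, not part of the original article), the check below flags manifest entries whose names are a near-miss of a popular package (typosquatting) and internal package names that a resolver could also fetch from the public registry (dependency confusion). The package names, the `POPULAR` and `INTERNAL` sets, and the `(name, registry)` manifest format are all constructed for the example.

```python
import re

# Constructed reference data (not from any real project): popular public
# packages a typo could imitate, and hypothetical internal-only packages.
POPULAR = {"requests", "urllib3", "numpy", "cryptography", "boto3"}
INTERNAL = {"acme-auth", "acme-billing"}

def normalize(name: str) -> str:
    """Case-fold and treat '-', '_' and '.' alike, as package indexes do."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 or 2 is typically one typing slip."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(manifest: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return findings keyed by package name. The manifest is a constructed
    format: (name, registry) pairs with registry "public" or "private"."""
    findings: dict[str, list[str]] = {}
    for raw_name, registry in manifest:
        name = normalize(raw_name)
        notes = []
        if name in INTERNAL and registry != "private":
            # Anyone who publishes this name on the public index could be
            # picked up by the resolver instead of the internal package.
            notes.append("dependency-confusion: internal name not pinned to private index")
        elif name not in POPULAR and name not in INTERNAL:
            for popular in sorted(POPULAR):
                if edit_distance(name, popular) <= 2:
                    notes.append(f"typosquat: resembles {popular}")
        if notes:
            findings[raw_name] = notes
    return findings

# Constructed manifest: a clean entry, two near-miss names, an internal
# package pinned correctly and one left resolvable from the public index.
MANIFEST = [("requests", "public"), ("reqeusts", "public"), ("urlib3", "public"),
            ("acme-auth", "private"), ("acme-billing", "public")]

if __name__ == "__main__":
    for pkg, notes in audit(MANIFEST).items():
        print(pkg, "->", "; ".join(notes))
```

The edit-distance threshold is a heuristic; in practice the allowlist would be the organization's approved dependency set and a flagged name is a prompt for review, not proof of compromise.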
As supply chain attacks proliferate, the Zero Trust model provides a defense-in-depth approach. By encrypting data, enforcing least privilege access, and requiring verification for all transactions, Zero Trust assumes breach and limits an attacker’s ability to leverage a compromise. While complex to implement across today’s digital ecosystems, Zero Trust will likely play a critical role in protecting against supply chain threats going forward.
Though software supply chain attacks have been around for years, their surging popularity shows no signs of slowing down. As long as the technology ecosystem grows more complex and interconnected, supply chain compromise will present a lucrative vector for ambitious attackers, from criminal enterprises to nation-states. Defenders must make securing their supply chains a priority, through vendor due diligence, diversification, and application of emerging paradigms like Zero Trust. With vigilance and proactive improvements, organizations can harden their supply chains against this pervasive threat.