How organisations can implement new protection strategies against increasing supply chain cyber attacks

Planning and governance play an important role in the ever-evolving needs of businesses. Identifying new threats quickly and prioritising their remedy will reduce the risks of vulnerability from more unique and more dangerous cyber threats.

Published: Jul 13, 2023 12:40:01 PM IST
Updated: Jul 13, 2023 12:47:21 PM IST

Supply chain attacks target complex organisations' networks through suppliers, vendors, and third-party providers.
Image: Shutterstock

The advances in technology and telecommunication have led many companies to push toward technology infrastructure to keep up with an expanding digital ecosystem. The rapid increase in modernised technology comes with risks of vulnerability from newer and more dangerous cyber threats. With organisations and enterprises stepping up their security measures, cybercriminals have shifted their focus towards compromising organisation systems through clients and vendors.  

Supply chain attacks target complex organisations' networks through suppliers, vendors, and third-party providers. These attacks exploit vulnerabilities that emerge due to the interconnected nature of the digital supply chain, which often spans multiple organisation units, systems, and geographies. Supply chain attacks often target open-source code or third-party APIs used by developers. Developers use these off-the-shelf components to decrease development times and enable organisations to be more agile. A recent study conducted by Veracode found that 90 percent of third-party code does not comply with enterprise security standards such as OWASP Top 10.

According to Gartner, 60 percent of organisations work with over 1,000 third parties. The use of third-party software in businesses is growing exponentially as organisations look for more specialised services and find it difficult to maintain software in-house that can meet the demands of a rapidly changing environment. Since CRM and accounting software are at the heart of an organisation's operations, they are often salient targets for cyber-attacks. By compromising trusted components or software, cybercriminals can secure initial access to a vendor's code management or control systems and disseminate malicious code while masquerading as a legitimate application.

Supply chain attacks are often associated with nation-state-sponsored groups aiming to conduct cyber espionage or disrupt critical infrastructure, but recent supply chain attacks have financial implications. Financially motivated cybercriminals and hacktivist groups have also adopted this attack vector to achieve their objectives. These malicious actors exploit vulnerabilities in supply chain vendors to infiltrate targeted organisations, propagate malware and gain unauthorised access to sensitive information. For example, simple malicious software could halt the entire nation's production process by targeting vulnerable software of ships. The supply chain attack on ports can devastate the companies and economy as a whole, as supply chain blockage will have a domino effect on multiple industries, from raw material transportation to product delivery. On the other hand, companies will face extensive fiscal backlash after supply chain cyber-attacks hinder supply/demand—from paying ransoms to consumer litigation costs and the overall loss of production. Third-party attacks can take different forms, such as:

  1. Credential theft: Cyber attackers may steal the supplier's or vendor's login credentials to access an organisation's systems, through phishing and social engineering attacks or by exploiting vulnerabilities in the software.
  2. Firmware tampering: Attackers might inject malicious code into the software or firmware used by the supplier, which can be used to compromise organisations' systems.
  3. Data theft: The attackers may steal sensitive data related to the target organisation from the supplier's systems.
  4. Denial of service: The attackers may launch a distributed denial-of-service (DDoS) attack against the supplier's systems, disrupting the supplier's operations and affecting the organisation's ability to access critical services.

The last six months have witnessed a spike in supply chain cyber-attacks affecting an enormous number of vendors and enterprises. According to Gartner, 45 percent of organisations will have experienced supply chain attacks by 2025. The major incidents that took place in 2023 are:

  1. June 2023: MOVEit Supply Chain Attack
  2. March 2023: 3CX Supply Chain Attack
  3. February 2023: Applied Materials Supply Chain Attack

MOVEit is a transfer tool designed to transfer sensitive files securely and is particularly popular in the US. The MOVEit attack targeted users of MOVEit. The attackers so far have managed to compromise the BBC, Zellis, British Airways, Boots, and Aer Lingus. Personally Identifiable Information (PII) that was leaked includes staff addresses, IDs, dates of birth, and national insurance numbers. The attackers used exposed web interfaces (EWIs) to cause significant damage. The web-facing MOVEit application was infected with a web shell called LEMURLOOT. This was then used to steal data from MOVEit Transfer databases. This attack highlights how quickly a supply chain attack can escalate and how smaller vendors can have a massive impact on organisational giants such as the BBC and British Airways.

As cyber threats evolve and become more sophisticated, a proactive and comprehensive approach to supply chain security is crucial for maintaining the integrity and resilience of the interconnected digital ecosystem. Organisations must adopt a proactive and comprehensive approach to supply chain security to mitigate these risks effectively. This includes continuously monitoring and assessing the security posture of suppliers, vendors, and third-party service providers, as well as implementing robust security controls and incident response plans.

As the supply chain cybersecurity risk management space is evolving, a recommended measure is to complement it with zero-trust architectures. Every internal or external engagement from or to the organisation is a vulnerability. Zero trust leverages the principle of least privilege (PoLP), where every user or device is given only the bare minimum access permission needed to perform its intended function. PoLP can curtail cyber-attacks on organisation networks and systems by controlling the access level and type.

Planning and governance play an important role in the ever-evolving needs of businesses. Each new technology needs to be reconsidered for how it can fit into an organisation's zero-trust model. Continuously analysing data services and applications against the organisation's accepted zero-trust architecture will help identify new threats quickly and prioritise addressing them.

Shruti Mantri, Associate Director, ISB Institute of Data Science (IIDS).

[This article has been reproduced with permission from the Indian School of Business, India]
