What Is a Supply Chain Attack?

July 8, 2021

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain.

Software supply chain attacks inject malicious code into an application in order to infect all users of an app, while hardware supply chain attacks compromise physical components for the same purpose.

Historically, supply chain attacks have referred to attacks against trusted relationships, in which an unsecure supplier in a chain is attacked in order to gain access to their larger trading partners. This is what happened in the 2013 attack against Target, where the threat actor gained access to an HVAC contractor in order to enter Target’s systems.

However, today the greater concern is a software supply chain attack. Software supply chains are particularly vulnerable because modern software is not written from scratch: rather, it involves many off-the-shelf components, such as third-party APIs, open source code and proprietary code from software vendors.

Today, the average software project has 203 dependencies. If a popular app includes one compromised dependency, every business that downloads from the vendor is compromised as well, so the number of victims can grow exponentially.

Also, software is reused, so a vulnerability in one application can live on beyond the original software’s lifecycle. Software that lacks a large user community is particularly vulnerable, because a large community is more likely to expose a vulnerability faster than a project with few followers.

Attacks on the Rise

Supply chain attacks are up by 430% because, as enterprises have become better at hardening their environments, malicious attackers have turned to softer targets. They have also found more creative ways to make their efforts difficult to detect and more likely to reach desirable targets.

Below are the types of supply chain attacks:

  • Upstream server attacks are the most common, in which a malicious actor infects a system that is “upstream” of users, such as through a malicious update, which then infects all the users “downstream” who download it. This is what happened with the SolarWinds supply chain attack.
  • Midstream attacks target intermediary elements such as software development tools.
  • Dependency confusion attacks exploit private internally created software dependencies by registering a dependency with the same name but with a higher version number on a public repository. The false dependency is then likely to be pulled into the software build instead of the correct dependency.
  • Stolen SSL and code-signing certificate attacks compromise the private keys used to authenticate users of secure websites and cloud services. Stuxnet falls into this category.
  • CI/CD infrastructure attacks introduce malware into the development automation infrastructure, such as by cloning legitimate GitHub repositories.
  • Open source software attacks introduce code into builds that propagate downstream to those who use the build.
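
The dependency confusion case in the list above can be checked for before a build runs. The following is an added example, not code from the original article or from any vendor: it models a resolver that merges a private and a public index and takes the highest version, then audits for internal names that also exist publicly. The package names, versions and index contents are constructed for illustration.

```python
# Constructed sample data: package name -> versions offered by each index.
PRIVATE_INDEX = {"acme-billing": ["1.4.0", "1.5.2"], "acme-auth": ["2.0.1"]}
PUBLIC_INDEX = {"acme-billing": ["99.0.0"], "requests": ["2.31.0"]}


def parse(version):
    """Turn '1.5.2' into (1, 5, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name, indexes):
    """Model a resolver that merges every index and takes the highest version."""
    candidates = [(parse(v), label, v)
                  for label, index in indexes.items()
                  for v in index.get(name, [])]
    if not candidates:
        return None
    _, label, version = max(candidates)
    return label, version


def resolve_scoped(name, private, public):
    """Hardened model: a name owned internally never falls through to public."""
    if name in private:
        return "private", max(private[name], key=parse)
    if name in public:
        return "public", max(public[name], key=parse)
    return None


def find_confusable(private, public):
    """Audit: internal names that also exist on the public index."""
    findings = []
    for name in sorted(private):
        if name in public:
            priv = max(private[name], key=parse)
            pub = max(public[name], key=parse)
            findings.append({"name": name, "private": priv, "public": pub,
                             "public_wins": parse(pub) > parse(priv)})
    return findings


if __name__ == "__main__":
    both = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}
    print("naive :", resolve_naive("acme-billing", both))
    print("scoped:", resolve_scoped("acme-billing", PRIVATE_INDEX, PUBLIC_INDEX))
    print("audit :", find_confusable(PRIVATE_INDEX, PUBLIC_INDEX))
```

Any finding with `public_wins` set is a name to reserve on the public registry or to pin to the private index in the build configuration.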

Examples of Supply Chain Attacks

The SolarWinds attack is the supply chain attack that everyone is most familiar with. This was a complex attack that injected malicious code into the software’s build cycle and initially infected about 18,000 customers downstream, including major firms and government agencies that were secured by the strongest cybersecurity tools and services available today.

Another sophisticated supply chain attack targeted the ASUS Live Utility, a software utility that is pre-installed on ASUS systems and automatically updates a computer’s BIOS, UEFI, drivers, applications and other components. Over 57,000 users are known to have downloaded and installed the compromised utility, although the real number is probably far greater. This was a targeted attack aimed at a group of users with specific MAC addresses.

A popular open source JavaScript tool was the target of an attack aimed at Linux and macOS operating systems. The attack used a technique called brandjacking, which tricks users into downloading malicious code. The targeted software, Browserify, is downloaded by more than 1.3 million users every week, so the ramifications of its compromise were potentially massive. In this case, the attack was identified and halted within a day of its launch. However, there are many other attacks of this type that are missed. In 2020, at least 26 open source projects were targeted in supply chain attacks.

Cyber security companies themselves are targets of supply chain attacks. For example, the popular free cleanup tool, CCleaner, was compromised with a backdoor that gave malicious actors access to the millions of computers on which the software was installed. Although CCleaner was a product of Avast, a security company, it was actually compromised before Avast bought the company that originally created it. The attackers installed their backdoors and then waited until the acquisition was completed before they began contaminating the downloads. Researchers believe this to be a targeted attack because while 2.27 million malicious downloads were completed, only 40 compromised systems were targeted with a second-stage attack.

How Do You Prevent and Detect a Supply Chain Attack?

Supply chain attacks are increasingly becoming a business-critical issue that’s impacting crucial relationships with partners and suppliers. Supply chain attacks are hard to detect. And just because a software product was validated in the past doesn’t mean that software is secure today.

Along with rigorously assessing the vendors they use, organizations need to mitigate the supply chain risks that are making them vulnerable to attack. This requires employing effective prevention, detection and response technologies.

The following are some recommendations for how organizations can increase their supply chain security and avoid becoming a victim:

  • Employ solutions that include behavioral-based attack detection: The sophisticated nature of supply chain attacks requires organizations to employ the power of behavioral-based analysis such as indicators of attack (IOAs). Mitigating the risks incurred “when good programs go bad” requires technologies such as machine learning (ML) that can detect patterns in hundreds, thousands or even millions of attacks per day, a feat that can’t be accomplished with human insight alone.
  • Get ahead of future supply chain attacks with threat intelligence: Threat intelligence will tell you when new supply chain attacks emerge and provide you with all the information you need to understand the attack and proactively defend against it. Falcon X is CrowdStrike’s automated integrated threat analysis tool that combines malware analysis, malware search and threat intelligence to deliver context-rich information that enables predictive security.
  • Enhance your readiness with proactive services: The CrowdStrike Services team includes supply chain analysis as part of its Cybersecurity Maturity Assessment and also conducts tabletop exercises with customers, where they simulate a supply chain attack. This gives customers an understanding of their current exposure and a roadmap for enhancing protection against, and readiness for, a supply chain attack.