November 24 2020
It’s these statistics that show the severity of the issue at hand, and the problem only looks set to grow as organisational supply chains and third-party relationships expand over the coming years.
Although this type of attack may have escalated in recent years, it’s certainly not a new problem and there are plenty of examples of hackers using supply chains to gain access to companies’ data in the past.
In this blog we look back at some of the most well-known supply chain attacks.
Target Becomes the Target
Possibly the most famous supply chain attack came in 2013 when the American retailer Target was breached and malware designed to harvest payment card details was placed on the company’s point of sale (POS) systems.
The route in? Their heating, ventilation, and air conditioning (HVAC) supplier – Fazio Mechanical Services.
Fazio had remote access to Target’s systems so that it could monitor and maintain the temperature of individual stores across the US. A spear-phishing campaign against Fazio gave the attackers the supplier’s Target credentials, which they then used to gain a foothold on Target’s network.
Over the following days the attackers moved from that foothold to Target’s internal servers and pushed the card-harvesting malware out to POS devices across the company’s entire store estate.
The result: details of 40 million credit and debit cards stolen, $18.5 million paid to settle claims brought by US states, and untold reputational damage. All in all, Target has estimated that the breach cost the company around $202 million.
But it isn’t just ‘physical’ product and service suppliers that are open to attack.
Software Supply Chain as an Attack Source
In 2017 the world was hit by an attack dubbed NotPetya. Designed to look like ransomware, the malicious code spread to unpatched Windows systems using EternalBlue, the leaked NSA exploit for a flaw in SMBv1 (MS17-010). Once inside a network it wormed from machine to machine, overwriting the boot record and encrypting the file table as it went, so victims could never recover their data even if they paid the ransom.
Whilst Ukraine appeared to be the primary target, it spread much further, hitting global companies such as WPP, DLA Piper, Merck and the shipping firm Maersk. It even knocked out the automatic radiation monitoring systems at Chernobyl. All told, it caused an estimated $10 billion in damage.
So, How Did It Start?
Attackers targeting Ukrainian organisations breached the company behind M.E.Doc, a tax accounting package used by a large share of businesses and government bodies in the country. Once inside they planted a backdoor in the software’s update mechanism, and the malicious update was delivered to end users when they fetched the latest version.
Like WannaCry before it, NotPetya exploited a vulnerability for which Microsoft had already shipped a patch months earlier, so keeping systems patched would have blunted its spread. It was not a complete defence on its own: NotPetya also harvested credentials from memory and used legitimate administration tools (PsExec and WMI) to move onto fully patched machines.
In a similar case that same year, the popular system clean-up tool CCleaner was compromised after attackers gained access to the build environment of its developer, Piriform. Rather than replacing the product outright, they inserted a backdoor into a legitimate release (v5.33), which shipped signed with the vendor’s valid code-signing certificate. Around 2.27 million users who downloaded or updated to that version received the backdoored build.
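Both the M.E.Doc and CCleaner cases come down to the same thing: the update channel itself was turned against the users who trusted it. The check a practitioner would want is to verify an update against something the compromised build pipeline cannot produce. The following Python is an added example, not code from this blog or from any of the vendors named above. It models the vendor’s code-signing step with an HMAC under a key held by the build system (a stand-in for the real asymmetric signature, since the standard library has no code-signing primitive), and pins the release hash from an independent channel. The artifacts, version number and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample artifacts; these are not real installer bytes.
CLEAN_BUILD = b"installer v5.33: legitimate program bytes"
TROJANISED_BUILD = CLEAN_BUILD + b" + injected backdoor stage"

# Assumption: the vendor's code signing is modelled as an HMAC keyed with a
# secret held by the vendor's build system. Real code signing uses an
# asymmetric key and a certificate, but the failure mode is identical: whoever
# controls the build pipeline can produce a valid signature for anything.
VENDOR_BUILD_KEY = b"vendor-build-system-signing-key"


def vendor_sign(artifact: bytes, key: bytes = VENDOR_BUILD_KEY) -> str:
    """Stand-in for the vendor's release-signing step."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_is_valid(artifact: bytes, signature: str,
                       key: bytes = VENDOR_BUILD_KEY) -> bool:
    """Constant-time comparison so the check itself is not an oracle."""
    return hmac.compare_digest(vendor_sign(artifact, key), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumption: the pinned digest comes from a channel the build server cannot
# write to, e.g. a hash recorded in your own asset inventory when the release
# was first vetted, or a release page maintained out of band by the vendor.
PINNED_DIGESTS: Dict[str, str] = {"5.33": sha256_hex(CLEAN_BUILD)}


def verify_update(version: str, artifact: bytes,
                  signature: str) -> Tuple[bool, str]:
    """Accept an update only if BOTH the vendor signature and the
    independently pinned digest check out. Returns (accept, reason)."""
    if not signature_is_valid(artifact, signature):
        return False, "vendor signature invalid"
    expected = PINNED_DIGESTS.get(version)
    if expected is None:
        return False, "no pinned digest for version " + version
    if not hmac.compare_digest(sha256_hex(artifact), expected):
        return False, "digest does not match pinned release hash"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three scenarios: a clean release, a backdoored release signed by the
    compromised build system (the CCleaner pattern), and a file tampered in
    transit by someone without the signing key."""
    return {
        "clean": verify_update(
            "5.33", CLEAN_BUILD, vendor_sign(CLEAN_BUILD)),
        # Signature is valid, so a signature-only check would install this;
        # only the pinned hash rejects it.
        "trojanised_signed": verify_update(
            "5.33", TROJANISED_BUILD, vendor_sign(TROJANISED_BUILD)),
        # Mirror or CDN swapped the bytes but could not re-sign them.
        "tampered_unsigned": verify_update(
            "5.33", TROJANISED_BUILD, vendor_sign(CLEAN_BUILD)),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(name, "ACCEPT" if accepted else "REJECT", reason)
```

The point of the second scenario is the CCleaner lesson: a valid publisher signature proves only that the build system signed the file, not that the build system was honest. The pinned digest adds value precisely because it is sourced from somewhere the attacker who owns the pipeline does not also own.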
The problem becomes more serious still when you consider industrial control systems, where compromised software and hardware can reach into physical processes.
That is exactly what happened when the hacking group known as Dragonfly ran a cyber-espionage campaign against energy companies across the West.
“The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.” – Symantec
In this case the goal appears to have been espionage and the gathering of system data: the attackers poisoned the suppliers’ downloads to reach end users in the energy sector, exfiltrate sensitive data, and fetch and run further files on infected machines.
But with that kind of access, attackers would also have had the ability to disrupt, or even bring down, critical national infrastructure.
Learning Lessons From History
So, with those examples in mind, what can you do to protect your organisation from a similar supply chain attack?