The past two years have delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front-and-center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to ‘new normal’ operations.

Increasing reliance on digital supply solutions, however, has also set the stage for increasing supply chain attacks. These attacks are expected to increase four-fold in 2021.

Here’s what enterprises need to know about supply chain threats. Check out the current state of supply chain security, plus what steps you can take to reduce total risk.

What Is a Supply Chain Attack?

A supply chain attack occurs when threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. Sometimes, experts also refer to these as third-party or value-chain attacks.

For threat actors, the appeal of supply chain attacks is trust. Applications and services used by enterprises have often been trusted and vetted by security teams. So, they often have access to sensitive or valuable internal data. If attackers can move sideways from connected supply chain apps into the larger enterprise network itself, they could steal, encrypt or destroy critical data and cost companies millions in both repair costs and reputation damage.

As networks grow, this problem compounds. Third-party suppliers are often using software from other business partners, who in turn have their own outside app connections. Therefore, a supply chain attack may start several companies removed from the intended target, making it harder to spot.

A successful supply chain attack can be a major blow. When networking tools supplier Solar Winds was compromised in late 2020, more than 18,000 companies worldwide were affected.

The State of Supply Chain Cybersecurity in 2021

As noted above, supply chain attacks will increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. After all, broadening the number of connected apps and services helps enterprises better navigate changing market conditions. It also creates a larger attack surface for threat actors. If a vulnerability does crop up, it also makes it more difficult to find and remove supply chain threats before they become bigger issues.

Notable 2021 Supply Chain Attacks

Supply chain attacks are off to a strong start in 2021. For example, in April 2021 DevOps tool provider Codecov disclosed that their Bash script uploader was compromised by malicious actors. This allowed the attackers to capture information stored by Codecov customers in continuous information (CI) environments. Third-party investigators also found that attackers might have been able to “raid additional resources” and gained access to user credentials, which could, in turn, lead to even larger breaches.

In July 2021, the REvil gang compromised software supplier Kaseya’s network management package and used this software as a way to spread ransomware across Kaseya’s customers. According to NPR, more than 200 U.S. companies found their networks paralyzed by ransomware attacks after the Kaseya compromise.

Worth noting? Recent research from the European Union Agency for Cybersecurity found that 66% of attacks focused on supplier code. This meant even strong internal defenses may not be enough to mitigate the impact of supply chain attacks.

Common Supply Chain Attack Methods

The goal of supply chain attackers is to compromise trusted services. From there, they can gain access to more valuable corporate resources. One common compromise approach is phishing. Successful phishing attacks can reveal account and password data, in turn allowing attackers to examine source code without triggering network defenses. Malware is also commonly used to infiltrate networks and exfiltrate key source code, which attackers can then modify and re-insert.

Some of the most common supply chain threat vectors include:

  • Third-party software providers
  • Data storage solutions
  • Development or testing platforms
  • Website building services.

In each case, these software solutions and services require access to critical aspects of enterprise infrastructure. That opens up a potential pathway for malicious actors.

Best Practices for Supply Chain Security

When it comes to supply chain attacks, attackers are always looking for the weakest link. As a result, even robust enterprise defenses may not be enough to protect key assets. After all, the trusted nature of these third-party apps means they’re often not subject to the same scrutiny. This creates an opening for attackers: If they go far enough back along the supply chain, chances are they’ll find a vulnerability they can exploit and start moving upward toward critical apps.

To help reduce the risk of supply chain threats, security best practices are critical. These include:

1) Assessing current strategies – Better supply chain security starts with current strategies: Are they effective at mitigating supply chain threats? Do they align with compliance requirements? Can they adapt to evolving risk realities?

2) Testing, testing, testing – Regular penetration testing and vulnerability scans can help identify potential supply chain security weak points. From there, you can close down potential compromise pathways.

3) Identification and encryption – By identifying and encrypting highly sensitive data in their environment, enterprises can reduce the reach of supply chain attacks that do occur. Even if malicious actors gain access, they won’t be able to leverage protected assets.

4) Third-party risk management – The supply chain software landscape is more complex today than ever before. Therefore, companies must conduct an in-depth analysis of supplier security practices. They need to break down internal operational silos to ensure all departments are on the same page when it comes to protection.

5) Zero trust frameworks – By moving to an ‘always verify, never trust’ framework, enterprises can create a functional front line of defense. Zero trust requires even familiar apps and services to pass authentication checks before gaining network access.

The right security tools also play a role in reducing supply chain attack risk. Here, enterprises are often best-served by solutions that leverage blockchain for secure transactions, artificial intelligence for improved threat detection and cloud-based threat analysis for rapid risk assessment.

Solving for Supply Chain Attacks

Bottom line? It all comes down to trust.

Supply chain applications are necessary for enterprises to deliver services at scale. However, the same trust that reduces complexity also increases total risk. To mitigate the impact of supply chain attacks, enterprises must take control of third-party connections using both tools and tactics designed to detect unexpected actions, discover malicious code and deny access to potential threats.

More from Banking & Finance

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today