The past two years have delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front-and-center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to ‘new normal’ operations.

Increasing reliance on digital supply solutions, however, has also set the stage for increasing supply chain attacks. These attacks are expected to increase four-fold in 2021.

Here’s what enterprises need to know about supply chain threats. Check out the current state of supply chain security, plus what steps you can take to reduce total risk.

What Is a Supply Chain Attack?

A supply chain attack occurs when threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. Sometimes, experts also refer to these as third-party or value-chain attacks.

For threat actors, the appeal of supply chain attacks is trust. Applications and services used by enterprises have often been trusted and vetted by security teams. So, they often have access to sensitive or valuable internal data. If attackers can move sideways from connected supply chain apps into the larger enterprise network itself, they could steal, encrypt or destroy critical data and cost companies millions in both repair costs and reputation damage.

As networks grow, this problem compounds. Third-party suppliers are often using software from other business partners, who in turn have their own outside app connections. Therefore, a supply chain attack may start several companies removed from the intended target, making it harder to spot.

A successful supply chain attack can be a major blow. When networking tools supplier Solar Winds was compromised in late 2020, more than 18,000 companies worldwide were affected.

The State of Supply Chain Cybersecurity in 2021

As noted above, supply chain attacks will increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. After all, broadening the number of connected apps and services helps enterprises better navigate changing market conditions. It also creates a larger attack surface for threat actors. If a vulnerability does crop up, it also makes it more difficult to find and remove supply chain threats before they become bigger issues.

Notable 2021 Supply Chain Attacks

Supply chain attacks are off to a strong start in 2021. For example, in April 2021 DevOps tool provider Codecov disclosed that their Bash script uploader was compromised by malicious actors. This allowed the attackers to capture information stored by Codecov customers in continuous information (CI) environments. Third-party investigators also found that attackers might have been able to “raid additional resources” and gained access to user credentials, which could, in turn, lead to even larger breaches.

In July 2021, the REvil gang compromised software supplier Kaseya’s network management package and used this software as a way to spread ransomware across Kaseya’s customers. According to NPR, more than 200 U.S. companies found their networks paralyzed by ransomware attacks after the Kaseya compromise.

Worth noting? Recent research from the European Union Agency for Cybersecurity found that 66% of attacks focused on supplier code. This meant even strong internal defenses may not be enough to mitigate the impact of supply chain attacks.

Common Supply Chain Attack Methods

The goal of supply chain attackers is to compromise trusted services. From there, they can gain access to more valuable corporate resources. One common compromise approach is phishing. Successful phishing attacks can reveal account and password data, in turn allowing attackers to examine source code without triggering network defenses. Malware is also commonly used to infiltrate networks and exfiltrate key source code, which attackers can then modify and re-insert.

Some of the most common supply chain threat vectors include:

  • Third-party software providers
  • Data storage solutions
  • Development or testing platforms
  • Website building services.

In each case, these software solutions and services require access to critical aspects of enterprise infrastructure. That opens up a potential pathway for malicious actors.

Best Practices for Supply Chain Security

When it comes to supply chain attacks, attackers are always looking for the weakest link. As a result, even robust enterprise defenses may not be enough to protect key assets. After all, the trusted nature of these third-party apps means they’re often not subject to the same scrutiny. This creates an opening for attackers: If they go far enough back along the supply chain, chances are they’ll find a vulnerability they can exploit and start moving upward toward critical apps.

To help reduce the risk of supply chain threats, security best practices are critical. These include:

1) Assessing current strategies – Better supply chain security starts with current strategies: Are they effective at mitigating supply chain threats? Do they align with compliance requirements? Can they adapt to evolving risk realities?

2) Testing, testing, testing – Regular penetration testing and vulnerability scans can help identify potential supply chain security weak points. From there, you can close down potential compromise pathways.

3) Identification and encryption – By identifying and encrypting highly sensitive data in their environment, enterprises can reduce the reach of supply chain attacks that do occur. Even if malicious actors gain access, they won’t be able to leverage protected assets.

4) Third-party risk management – The supply chain software landscape is more complex today than ever before. Therefore, companies must conduct an in-depth analysis of supplier security practices. They need to break down internal operational silos to ensure all departments are on the same page when it comes to protection.

5) Zero trust frameworks – By moving to an ‘always verify, never trust’ framework, enterprises can create a functional front line of defense. Zero trust requires even familiar apps and services to pass authentication checks before gaining network access.

The right security tools also play a role in reducing supply chain attack risk. Here, enterprises are often best-served by solutions that leverage blockchain for secure transactions, artificial intelligence for improved threat detection and cloud-based threat analysis for rapid risk assessment.

Solving for Supply Chain Attacks

Bottom line? It all comes down to trust.

Supply chain applications are necessary for enterprises to deliver services at scale. However, the same trust that reduces complexity also increases total risk. To mitigate the impact of supply chain attacks, enterprises must take control of third-party connections using both tools and tactics designed to detect unexpected actions, discover malicious code and deny access to potential threats.

More from Banking & Finance

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan

16 min read - In late April through May 2023, IBM Security X-Force found several phishing emails leading to packed executable files delivering malware we have named BlotchyQuasar, likely developed by a group X-Force tracks as Hive0129. BlotchyQuasar is hardcoded to collect credentials from multiple Latin American-based banking applications and websites used within public and private environments. Similar operations conducted in late 2022 have also been noted delivering an earlier variant of this modified QuasarRAT by likely Spanish-speaking actors. BlotchyQuasar, which X-Force describes as…