Supply chain attacks became a threat actor’s goldmine in 2020. With its low barrier to entry and effectiveness, different levels of threat actors continue to leverage supply chain attacks as a viable method to facilitate far-reaching nefarious activities, including espionage, sabotage, intellectual property theft, etc.
Although the average supply chain attack is perpetrated by a cybercriminal with purely financial interests, the emergence of sophisticated attack methodologies introduced a lethal category of threat actors known as Advanced Persistent Threat (APT) actors.
This category of threat actor is highly organized, thoroughly skilled, and well-funded by nation-states for large-scale, targeted cybersecurity attacks – their goal is to influence political or economic interests on a global stage.
It can often be difficult to tell the difference between APT actors and the average threat actor, mainly because they will infiltrate your network via the same or similar pathways. It is their intentions that differentiate the two, and as a CISO or IT manager, you have to know these differences to plan for when an attack of either nature occurs.
Your infrastructure and data are always going to be open to a supply chain attack, as vendors will store this data on your behalf – if any of your data is sensitive, useful, or brings a financial reward to cybercriminals, then you will need to implement the necessary measures to minimize the impact of such an attack, whether from an APT actor or from the more common financially-driven threat actor.
Understanding the Effects of these Attacks
When you leverage third-party tools for your data storage, communications, compliance, and general security, there is a good chance that you agree to let these third-party vendors manage or hold your data in one form or another. Although this is sometimes necessary for your company to grow, it often comes at a cost: exposure to APT actors and financially-driven cybercriminals. Due to the wide-scale adoption of cloud-based and other large-scale vendors by businesses in multiple industries, the incidence of supply chain attacks increased by 78 percent in 2019 alone.
Supply chain attacks have (on the whole) risen in line with the growing presence of emerging technologies such as cloud computing, AI, and the IoT. These technologies have seen a rapid spike in demand among businesses small and large, and government-backed APT actors have benefitted from this. Many state-sponsored and financially driven attacks succeed because software vendors and their clients fail to implement some of the basic security measures needed to protect their data and infrastructure.
The most common effect of supply chain attacks can be seen in the recent story surrounding SolarWinds, an IT software developer. SolarWinds suffered an ongoing cyberattack from state-sponsored APT actors, who managed to add malicious code to an update of their Orion software.
This malicious software has since been downloaded by more than half (18,000) of SolarWinds’ client base, who simply saw it as a common security update or bug fix for the software application. The trojanized Orion update is just one example of how trojanized software can leave a business’s supply chain vulnerable. Starting from the source (a large-scale vendor), this malicious installation file worked its way down to the branches (small businesses and clients who own a copy of the software) over many months without being detected.
What is a ‘State-sponsored’ Supply Chain Attack and How Does it Work?
Understanding the difference between the two types of attacks in question can help you and your team get to grips with defending and mitigating ongoing threats.
When a state-sponsored attack happens, a government sponsors highly-skilled APT actors to carry out sophisticated attacks. They use a mixture of common attack methods, but the attack is delivered like a military-scale operation. State-sponsored supply chain attacks are therefore harder to fight against, as governments can provide the most advanced technology, data centers, and hacking tools to the APT actors they sponsor.
This form of supply chain attack aims to extract data and resources that are useful to the government itself, so it is often not financially driven but is instead used as a tool for the government to act on the intelligence it gathers. The SolarWinds attack was an espionage operation executed to target the majority of the 500 largest U.S. companies, as well as the Pentagon and all branches of the U.S. military. It is said that Russia is the culprit, so the state-sponsored attack was therefore organized by the Russian government.
These attacks work very well because once the software vendor has been compromised, it is simple for the APT actors to continue their search for data across the client base. If the malicious code is already embedded in the software, all it takes is a single download by the client, and the threat actors can gain access to its server. By this point, you will not know whether data has been moved, lost, or extracted by these state-sponsored threat actors. Their activity is encrypted and may still go unseen even if you have the most advanced threat intelligence tool in place.
What is a ‘Standard’ Supply Chain Attack and How Does it Work?
As opposed to a state-sponsored supply chain attack, a standard attack on your supply chain is carried out by the more commonly found threat actor. This is someone who uses their skills to target data-rich companies, steal data, and sell it on places like the dark web for an eventual profit.
Standard supply chain attacks happen more often because of the potential financial reward to the APT actor(s). According to a survey by Opinion Matters in June 2020, more than 80% of organizations have experienced an attack due to a security lapse by one of their vendors. This is how the majority of standard supply chain attacks occur: vendors have lower security standards than their clients, and once the malicious software is downloaded, the threat actors can gain control of the data these clients store and compromise anything they deem financially valuable to sell on to other cybercriminals.
Differentiating Between ‘State-sponsored’ and ‘Standard’ Supply Chain Attacks
It is vital that you and your employees know the differences and similarities between state-sponsored and standard supply chain attacks; here is a list of the basic principles of both:
- Standard supply chain attacks do not have a military-scale operation at their disposal, so the threat actors in these attacks are only as good as the tools they can afford. This is why state-sponsored attacks can be seen as a bigger ongoing threat to organizations, as you may find it harder to disable the APT actors once an attack has begun.
- State-sponsored supply chain attacks are economically and intelligence-driven, with governments often looking to locate security and defense techniques, as well as national infrastructure vulnerabilities. This information is used by governments to disable critical operations in other countries where clients have been compromised. Alternatively, governments will leverage the tools to improve their own security, defense, and national infrastructure.
- Both types of supply chain attack are initiated via one of your software vendors, often through security vulnerabilities and poor threat intelligence awareness on the vendor’s side.
- Both supply chain attack methods turn into ongoing threats – APT actors know how to stay undetected once you have downloaded their trojanized software. When the vendor’s software has been infected with malicious code, the threat actors make their way into your organization via the installation of this software update. They generally stay there for an extended period, searching for data that is either financially rewarding (standard attackers), can be compromised by the threat actor (state-sponsored), or can be leveraged by the government behind the attack for its benefit.
Protecting Against Supply Chain Attacks
Supply chain attacks of any nature are best tackled before they hit you. The majority of state-sponsored threat actors know how to stay undetected, so it is better to find the risky elements of your organization first, to minimize the potential damage should this kind of attack happen.
Here are three ways you can maximize your protection against supply chain attacks:
- Audit your infrastructure, and decide whether any of it is unnecessary, insecure, or hosted by a vendor in a country that may have state-sponsored threat actors working for the government (Russia and China are great examples). This rules out potential back-door vulnerabilities that may have existed before your IT department’s quick risk check.
- Share threat intelligence with your competition and industry. If there is any way to proactively manage APTs, it is by leveraging security methods that other organizations are using. Although you cannot require your vendor to implement certain security measures, it may be worth changing providers to a vendor that is more up-to-date with the latest threat intelligence and telemetry methods out there.
- Bring security awareness into your culture. As a CISO or IT manager, it is your job to limit activities like shadow IT and invest more time in teaching your staff about the ongoing threats to the infrastructure and data within your organization. When the knowledge is there, measures like threat intelligence can be leveraged properly to accurately detect more ongoing threats, such as those that arise from supply chain attacks.
As part of your endpoint management, it helps to know when, how, and why supply chain attacks happen (like the SolarWinds attack). State-sponsored and financially driven attacks on your supply chain are an ever-growing risk, and as an IT manager/CISO, you must take as many steps as you can to lessen the damage of such an attack on your own company.
Shadow IT can become a major concern within supply chain infrastructures, especially if your IT team manually installs security updates across the corporate network and stores redundant images in the same location as other critical data. It is best to isolate critical data; implement a zero-trust model for vendors and partners; and perform quarterly risk assessments of the access privileges of vendors that may be too risky to work with moving forward.
As we know, SolarWinds-style attacks can generally go unnoticed for months; therefore, continuous IT processes must be automated, such as system patching; threat detection, prevention, and intelligence; and security awareness training.