Many of the biggest cybersecurity breaches of the past several years have come via the supply chain. In one of the more notable attacks of 2021, attackers compromised the VSA remote-management product of the IT management software vendor Kaseya and used it to push ransomware to the customers running it. According to Kaseya's CEO, fewer than one in one thousand of its customers were directly affected, about sixty in all, but because many of those customers were Managed Service Providers (MSPs) who use VSA to administer their own clients' machines, the ransomware reached as many as 1,500 downstream businesses around the world within days.
As the Kaseya case demonstrates, because supply chains are so tightly interconnected, one small breach can ripple around the globe and cause massive losses both for the party that was initially compromised and for everyone up and down its supply chain.
Why is the Threat Rising?
Supply chain attacks are popular among cyber criminals because a single compromise can spread to dozens, or even thousands, of other systems in a very short period of time, maximizing the damage done for the effort invested.
Time and time again, criminals have exploited a weakness in one system and used it to reach and infect the computers of dozens of other organizations. Attackers look for the weaknesses that can be exploited for the greatest gain, and given the interconnectedness of today's supply chains, those weaknesses will likely remain a top target for years to come.
Understanding this risk is paramount to defending against it. Looking back at other attacks of the past several years shows the same trend. Besides Kaseya, perhaps the largest and most infamous cyber attack of the period was SolarWinds, in which the compromise of a single vendor's software build process allowed a backdoor to be inserted into signed updates of its Orion product, which were then downloaded by thousands of customers. An attack that began with one company spread far and wide.
Security professionals must be aware that the supply chain will remain one of the prime targets for criminals for the foreseeable future.
How Supply Chain Cyber Attacks Happen
As is always the case, attacks on supply chains usually occur at the weakest points in the security system and frequently involve human error. Malware and compromised passwords are the most frequent ways bad actors get in. Understanding the weak points allows security professionals to design systems and protocols that reduce risk and minimize damage and disruption when breaches do occur.
Another common cause, specific to supply chain disruption, is miscommunication between vendors and their customers when two companies need access to each other's information, data, and systems. Clear communication and protocols must be established and continuously monitored by all organizations involved.
Phishing is another common way for supply chains to be breached. Phishing and other social engineering techniques are increasingly popular among cyber criminals, and often take the form of fraudulent emails made to look as though they were sent by someone the recipient knows. The emails typically carry malicious links or attachments; when the user opens them, malware is released into the network and from there on through the supply chain.
Perhaps the easiest way to mitigate the most risk is for an organization's security professionals to always do the simple things well. Easily guessed passwords have been the culprit in several high-profile attacks over the past several years. Password hygiene, paired with multi-factor authentication so that a guessed password alone is not enough, is the easiest but most often overlooked way to mitigate a substantial amount of risk.
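As an added illustration of what "easily guessed" means in practice (this is example code written for this page, not a tool from any of the organizations mentioned): a small checker that rejects the patterns attackers try first. It flags passwords built from the organization's own name, from common words with the usual leetspeak substitutions, or padded with a trivial numeric or punctuation suffix. The deny-list and the organization names are constructed for the example; a real deployment would check against a full breached-password corpus.

```python
"""Reject passwords an attacker would guess first.

Added example for this page. The COMMON_PASSWORDS deny-list is a tiny
constructed stand-in for a breached-password corpus.
"""
import re

# Constructed deny-list; a production check uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein", "admin"}

# Common leetspeak substitutions, undone before comparing against the deny-list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing digits / punctuation ("123", "2021!", "!") that users bolt onto a base word.
TRIVIAL_SUFFIX = re.compile(r"[\d\W_]+$")


def weakness_reasons(password, org_names=(), min_length=14):
    """Return a list of reasons the password is weak; empty means acceptable.

    org_names: names attackers would associate with the target organisation
    (company name, product names), checked case-insensitively and with
    leetspeak undone.
    """
    reasons = []
    lower = password.lower()
    base = TRIVIAL_SUFFIX.sub("", lower)      # "solarwinds123" -> "solarwinds"
    de_leet_base = base.translate(LEET)       # "p@ssw0rd"      -> "password"
    de_leet_full = lower.translate(LEET)

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    if lower in COMMON_PASSWORDS or de_leet_base in COMMON_PASSWORDS:
        reasons.append("common password, possibly with leetspeak or a trivial suffix")

    for name in org_names:
        name_l = name.lower()
        if name_l in lower or name_l in de_leet_base or name_l in de_leet_full:
            reasons.append(f"contains organisation name '{name}'")
            break

    if len(set(lower)) < 5:
        reasons.append("too few distinct characters")

    return reasons


def is_acceptable(password, org_names=()):
    """True when no weakness was found."""
    return not weakness_reasons(password, org_names)


if __name__ == "__main__":
    # Constructed candidates, including the pattern discussed later on this page.
    for candidate in ("solarwinds123", "P@ssw0rd1!", "S0larW1nds!",
                      "correct-horse-battery-staple-71", "aaaaaaaaaaaaaaaa"):
        print(f"{candidate!r}: {weakness_reasons(candidate, ('SolarWinds',)) or 'acceptable'}")
```

The design choice worth noting is the order of operations: the suffix is stripped before leetspeak is undone, so that a digit used as a suffix ("1!") is not misread as a letter substitution, while a digit inside the word ("0" in "P@ssw0rd") still is.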
The consequences of such attacks can be extremely severe. They disrupt the entire supply chain and can leave organizations exposed to ransomware demands. Perhaps the most lasting consequence is the long-term damage to the reputations of those involved.
When vulnerabilities on the part of a smaller supplier are responsible for an attack, much larger organizations become reluctant to work with that supplier in the future. Not only that: as the infamous Target breach several years ago showed, where attackers entered Target's network using credentials stolen from a heating and ventilation contractor, the larger organization, though less directly responsible, ended up bearing the worst of the reputational damage.
Best Practices for Mitigating Supply Chain Risk
The most important thing to remember when mitigating cybersecurity risk within the supply chain is that it rests on the shoulders of everyone within the organization. Risks can and do come from many places, including stolen passwords, malware, even physical sabotage, and especially human error. Everyone in the organization must be aware of the threats and of their role in maintaining a secure environment. Cybersecurity is not just the job of the IT department but a crucial part of everyone's job description.
Knowing your critical systems is paramount in establishing a supply chain security strategy. Security professionals should know all of the systems and devices that an organization's employees use, and how they use them. Breaches often occur because of slight misunderstandings between departments about how these devices are being used. Security professionals should work with department heads to establish clear, two-way communication about security protocols, and then ensure that the information and guidelines are properly passed down to employees.
No one wants to have a breach, but another important step is to assume that at some point there will be a breach somewhere in the supply chain. By assuming it will happen, security professionals can take steps and write protocols that minimize the damage. Done properly, this means breaches are spotted early and contained before the damage can spread. As countless cases have shown, a single piece of malware infecting one computer can quickly spread across systems, to other vendors, and around the globe in a short amount of time. Knowing your risks and planning countermeasures is crucial.
Finally, every effort must be made to actively monitor all third parties with access to an organization's systems. Continuous monitoring, as opposed to a one-time assessment, ensures that all parties stay up to date and that nothing is miscommunicated. History has shown that many breaches occur because miscommunication between organizations leaves simple vulnerabilities, such as a vendor account that was never removed or is used beyond its intended scope, for bad actors to exploit.
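What continuous monitoring of third-party access can look like in code, as an added example written for this page (it is not a tool from any vendor or organization mentioned): a review that joins an inventory of approved vendor accounts against authentication log lines and flags logins after the vendor's access window expired, logins to systems outside the approved scope, vendor-style accounts that appear in the logs but not in the inventory, and approved accounts that have gone dormant and should be re-justified or removed. The inventory, the log format (`timestamp host= user= src= result=`), the `vendor_` naming convention and the log lines themselves are all constructed for the example.

```python
"""Continuous review of third-party (vendor) account activity.

Added example for this page. Inventory, log format and log lines are
constructed; adapt parse_line() to the real authentication log source.
"""
import re
from datetime import date, datetime, timedelta, timezone

# Constructed inventory of approved vendor accounts: which vendor owns the
# account, which hosts it may reach, and when its access window ends.
VENDOR_ACCESS = {
    "vendor_acme_svc":    {"vendor": "Acme HVAC", "systems": {"bms-01"},              "expires": "2022-06-30"},
    "vendor_globex_rmm":  {"vendor": "Globex MSP", "systems": {"erp-prod", "erp-test"}, "expires": "2021-12-31"},
    "vendor_initech_dba": {"vendor": "Initech",    "systems": {"db-01"},               "expires": "2022-12-31"},
}

# Constructed authentication log lines in the assumed key=value format.
SAMPLE_LOG = [
    "2022-03-14T02:15:07Z host=erp-prod user=vendor_acme_svc src=203.0.113.10 result=success",
    "2022-03-14T09:02:41Z host=erp-prod user=vendor_globex_rmm src=198.51.100.7 result=success",
    "2022-03-14T09:05:12Z host=bms-01 user=vendor_acme_svc src=203.0.113.10 result=success",
    "2022-03-14T11:30:00Z host=erp-prod user=jsmith src=10.0.0.5 result=success",
    "2022-03-14T13:12:09Z host=db-01 user=vendor_initech_dba src=192.0.2.44 result=failure",
]
AS_OF = datetime(2022, 3, 15, tzinfo=timezone.utc)   # when the review runs

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def review_vendor_access(log_lines, inventory, as_of, dormant_after=timedelta(days=90),
                         vendor_prefix="vendor_"):
    """Return a list of (account, finding) tuples for the security team to act on."""
    findings = []
    last_seen = {}

    for line in log_lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue                      # failed logins are not access; handle separately
        account, host = ev["user"], ev["host"]
        entry = inventory.get(account)

        if entry is None:
            if account.startswith(vendor_prefix):   # looks like a vendor account but nobody approved it
                findings.append((account, f"unregistered vendor account logged into {host}"))
            continue                      # internal staff accounts are out of scope here

        last_seen[account] = max(last_seen.get(account, ev["ts"]), ev["ts"])

        if ev["ts"].date() > date.fromisoformat(entry["expires"]):
            findings.append((account, f"login to {host} after access expired {entry['expires']}"))

        if host not in entry["systems"]:
            allowed = ", ".join(sorted(entry["systems"]))
            findings.append((account, f"login to {host} outside approved systems {allowed}"))

    # Approved accounts nobody has used: candidates for removal, not silent retention.
    for account in inventory:
        seen = last_seen.get(account)
        if seen is None or as_of - seen > dormant_after:
            findings.append((account, f"no successful login in the last {dormant_after.days} days; "
                                      "confirm access is still needed"))
    return findings


if __name__ == "__main__":
    for account, finding in review_vendor_access(SAMPLE_LOG, VENDOR_ACCESS, AS_OF):
        print(f"{account}: {finding}")
```

Run against the constructed data, the review reports the Acme account reaching a host outside its scope, the Globex MSP account still logging in months after its contract access ended, and the Initech account that has not been used at all. The point of the dormancy check is that "one-time static" vetting would have approved all three accounts; only a recurring comparison of approvals against actual behaviour surfaces the drift.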
The Future of Supply Chain Risk
The general consensus among security professionals, and the formal position of the U.S. and U.K. governments, is that the SolarWinds attack was carried out by Russia's Foreign Intelligence Service (SVR). Security professionals from the U.S. government, as well as Microsoft, warn that those responsible are still attempting similar attacks today. This goes to show not only that the problem is not going away, but also that the consequences of such attacks may become more severe.
If there is any good news in all of this, it is that the initial foothold in these attacks has often been far less sophisticated than the damage suggests. The later stages can be carefully engineered, as the backdoor planted in SolarWinds' build process was, but the way in has frequently been a relatively simple phishing attack or an easily guessed password rather than exotic code clandestinely inserted onto vulnerable computers. It has not been proven, but according to the SolarWinds CEO, the initial compromise may have been made possible by an intern setting the password "solarwinds123".
In March 2022, Germany's Federal Office for Information Security (BSI) advised against using Kaspersky antivirus software. At one point Kaspersky was without question a highly reputable company with reliable products, and whether that is still the case today is unclear. What is clear is that Kaspersky operates under Russian law and the purview of the Russian government, and the BSI's concern was that a vendor in that position could be compelled to assist in attacks on its customers, including by providing government agents access to the firm's systems and data.
The significance of this is hard to overstate. Going forward, we must be aware that everyone from low-level hackers to major state actors is and will be attempting to infiltrate the supply chains of organizations around the world for years to come. This can have devastating effects on everything from electric utilities and energy supplies to food supplies and financial institutions. Because these companies and their supply chains are so interconnected, one minor breach can easily spread around the globe, as we saw with Kaseya. As with SolarWinds, the initial intrusion in most attacks to date has been rather low-tech, but that could change as state actors become more involved in mounting supply chain attacks. Since supply chain breaches are inherently easy to spread far and wide, the involvement of state actors can only exacerbate an already serious problem.
At the same time, although the risk is very real and the consequences very high, many of these risks can be mitigated with simple security protocols, as long as those protocols are monitored and passed on to all employees.
The risk to the supply chain from cyber criminals is and will remain immense. The consequences are very high, but with the right procedures and protocols, diligent execution, and everyone in an organization playing their part and shouldering their responsibilities, this is a threat that can be mitigated.