1. Introduction

In this tutorial, we’ll look into supply chain attacks. We’ll discuss what they are and how they usually work. After that, we’ll look at a real-world scenario where a supply chain attack was used and, finally, consider some countermeasures.

2. Supply Chain

Let’s start by giving a thorough definition of a supply chain. It’s a network of entities producing and handling goods or services from the supplier to the end customer. As an example, we’ll consider the supply chain for a piece of hardware inside our computers, a CPU:

[Figure: supply chain example for a CPU]

A CPU manufacturing supply chain may involve semiconductor suppliers providing raw materials like silicon components, fabrication facilities producing the chips, packaging and testing companies, logistics for component transportation, computer assembly plants integrating the CPUs into final products, and distributors delivering those products to consumers.

3. Supply Chain Attacks

A supply chain attack is a cyber-attack that targets vulnerabilities in any supply chain step.

In our example, one such attack could compromise a packaging and testing company. After infiltrating it, the attackers tamper with the supply chain and alter the CPU end product by whatever means they have. For instance, they might integrate hardware trojans into the design at this point. With this foothold, the attack aims to steal sensitive information from, or disrupt the operations of, organizations at the end of the chain.

This attack is similar to a watering hole attack in some ways. Both aim to gain access to an organization without directly attacking its infrastructure. A watering hole attack targets websites the organization's users are likely to visit, whereas a supply chain attack targets the entities that handle the product before it reaches the end customer.

4. Tactics and Techniques

These attacks often begin by compromising a seemingly unrelated but less secure element within the supply chain, such as a supplier or service provider. Once infiltrated, attackers can move laterally, gradually gaining access to more critical components until they reach the ultimate target.

4.1. Software Updates

Supply chain attacks encompass a variety of tactics, each tailored to exploit specific weaknesses within the interconnected network.

A standard method involves inserting malicious code into software updates. Adversaries target software vendors and inject malware into legitimate updates distributed to users.

This tactic can compromise many systems at once, amplifying the attack's impact, although the wider footprint also increases the chance of detection.
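The defensive counterpart to this tactic is refusing to install an update whose contents do not match what the vendor published. The following is an added example, not code from the original article: a manifest-based integrity check in Python that records the SHA-256 of every file in a known-good release and then flags modified, missing, and unlisted files in a received package. The manifest format, file names, and helper names are assumptions made for this demo, and the sample files are constructed inline.

```python
"""Manifest-based integrity check for a software update package.

Added example (not from the original article). The manifest format,
the file names and the helper names are assumptions made for this demo.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(update_dir: Path) -> dict:
    """Record the digest of every file in a known-good release (vendor side)."""
    return {
        p.relative_to(update_dir).as_posix(): sha256_file(p)
        for p in sorted(update_dir.rglob("*"))
        if p.is_file()
    }


def verify_update(update_dir: Path, manifest: dict) -> list:
    """Compare a received update against the manifest (consumer side).

    Returns a sorted list of findings; an empty list means the package
    matches. Three conditions are flagged: a file whose digest differs,
    a file the manifest lists but the package lacks, and a file the
    package contains that the manifest never mentioned.
    """
    findings = []
    present = {
        p.relative_to(update_dir).as_posix(): p
        for p in update_dir.rglob("*")
        if p.is_file()
    }
    for name, digest in manifest.items():
        if name not in present:
            findings.append(f"missing: {name}")
        elif sha256_file(present[name]) != digest:
            findings.append(f"hash mismatch: {name}")
    for name in present:
        if name not in manifest:
            findings.append(f"unexpected file: {name}")
    return sorted(findings)


def run_demo() -> dict:
    """Build a constructed release, take its manifest, then check a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        (good / "lib").mkdir(parents=True)
        (good / "app.bin").write_bytes(b"\x7fELF constructed sample binary")
        (good / "lib" / "helper.so").write_bytes(b"constructed helper library")
        manifest = build_manifest(good)
        clean = verify_update(good, manifest)

        # Constructed tampered package: one library altered, one file added.
        bad = Path(tmp) / "bad"
        (bad / "lib").mkdir(parents=True)
        (bad / "app.bin").write_bytes(b"\x7fELF constructed sample binary")
        (bad / "lib" / "helper.so").write_bytes(
            b"constructed helper library PLUS injected code"
        )
        (bad / "lib" / "extra.so").write_bytes(b"constructed file not in manifest")
        tampered = verify_update(bad, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {findings or 'OK'}")
```

The check is only as trustworthy as the manifest: in practice the manifest must be signed by the vendor and the signature verified with a key obtained out of band, otherwise an attacker who can replace the update can replace the manifest too. The value of the example is in showing the three failure modes a consumer should refuse on, including the unlisted extra file, which is how injected code most often shows up in a modified package.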

4.2. Hardware Components

Another widespread strategy is compromising hardware components.

Attackers infiltrate the manufacturing process or the distribution chain and introduce compromised hardware into it. These components then end up in devices ranging from routers to servers, giving the attackers a lasting foothold on those systems.

4.3. Social Engineering

Phishing campaigns tailored to supply chain entities are also a common vector for these attacks. Attackers can trick employees into divulging sensitive information or downloading malicious payloads by impersonating trusted vendors or partners.

Threats also exist at the physical access level. Intercepting physical shipments and tampering with products in transit is a recognized supply chain attack method. Individuals with physical access at any point in the supply chain can also cause damage.

4.4. Categorization

We can categorize the attacks with respect to their techniques and targets:

| Attack Type | Techniques | Target |
| --- | --- | --- |
| Malicious Software Updates | Malicious code is injected into software updates that reach the target organization. | Software systems of vendors along the supply line. |
| Compromised Hardware | Modifying or injecting extra parts inside hardware components. | The hardware manufactured inside the chain and delivered to the organization at the end of the chain. |
| Phishing Campaigns | Phishing e-mails, impersonation of people inside the organization, etc. | Any organization along the supply line. |
| Physical Access | Tailgating, physically tampering with hardware, physical access to computing systems, etc. | Any organization along the supply line. |

5. Real-World Example

Over the years, several high-profile supply chain attacks have underscored the severity of this threat. One of the most infamous incidents was the SolarWinds supply chain attack, discovered in late 2020.

6. Mitigation

7. Conclusion

In this article, we explained what a supply chain attack is. It doesn’t target an organization directly but the entities it relies on in a supply chain. The techniques employed in these attacks include inserting malicious code into software updates, compromising hardware components, phishing campaigns, or even threats on the physical level.

Mitigation is a difficult task. Each organization must strengthen and closely monitor the supply chain’s defense. Two things are crucial: communication between all parts of a supply chain and splitting supply between different vendors.