What is a Supply Chain Attack?
Supply chain attacks—sometimes called value chain or third-party attacks—are attacks against the suppliers of an organization as a means for gaining access to that organization, which is typically a high-value target. Most large organizations have sophisticated security controls that make infiltration difficult, so attackers have found a way in through the suppliers to these organizations. Such attacks involve a high degree of planning and sophistication, and they can have a devastating impact on organizations in the blast radius of the original compromise, as in the case of the 2020 SolarWinds attacks.
There are two major types of attacks that focus on an organization’s supply or value chain:
Island hopping attacks
“Island hopping” attacks occur when cybercriminals infiltrate large companies by first targeting smaller organizations, or those likely to have less-sophisticated security controls, that are part of the large company’s value chain. The name comes from the United States’ island hopping strategy in the Pacific campaign of WW2: attackers infiltrate one network and use it as a stepping stone to hop onto an affiliated network.
Island hopping attacks typically target prominent organizations, which tend to rely on a broad digital ecosystem of suppliers. These may include managed services providers, hardware and software vendors, and technology and business partners, many of which are connected into various applications and databases. If an attacker can infiltrate a partner organization through phishing, for example, it then has an entry point to the more attractive target.
Supply chain attacks
“Supply chain” attacks, such as the SolarWinds cyberattack, are slightly different. Instead of seeking out a partner’s vulnerabilities as a way into another company’s network, they explicitly aim to exploit the trust between legitimate organizations used in normal business operations.
These attacks gain unauthorized access to a target organization by implanting a backdoor into a product, typically software, that the target organization(s) use. The backdoor lets the attacker enter the target’s network without detection and then spy, steal data, implant other malware, and disrupt operations. With the backdoor in place, the attack is most commonly delivered via automated patches or software updates, called “trojanized” updates. Such attacks have also been observed targeting technology companies, including antivirus vendors and makers of network security equipment.
Island hopping and supply chain attacks have been the source of high-profile, costly breaches. But the organizations that are simply used as an “island” can also incur severe reputational and business damage, even though they’re not the actual target of such a campaign.
The evolution of supply chain attacks
In 2013, there was a massive island hopping attack against a large, well-known retailer. In that case, the attack started with a company that provided HVAC services to the retailer. The attackers had breached the HVAC company, stolen email credentials, and later used them to access the retailer’s networks from which they stole the payment information of millions of customers.
Data interconnectivity between companies allows organizations to implement efficient processes—from design to manufacturing, logistics, and just-in-time delivery. While these tightly interwoven connections help companies increase efficiency and swiftly bring innovations to market, the attacks of the early 2010s, including the one on the retailer, brought into focus the attack surface such interconnectivity provides to adversaries.
Most supply chain attacks rely on the presence of authorized access by a trusted party, or an exploitable vulnerability in the form of a software weakness or misconfiguration in systems. As organizations become more diligent about patching existing systems, applying best practices to configurations, and segmenting their applications and workloads to eliminate lateral movement, it becomes more difficult for adversaries to find exploitable weaknesses.
The supply chain attack involving SolarWinds Orion in late 2020 is only the latest example of this type of attack. In that case, an adversary was able to gain access to SolarWinds systems and create “trojanized” updates to the SolarWinds Orion platform. The trojanized Orion update allowed attackers to deploy stealthy malware on the networks of 18,000 SolarWinds customers, which included many U.S. agencies and organizations, including the Pentagon, Department of Homeland Security, the FBI, Army, Navy, and many more.
One of the reasons the SolarWinds attack was so consequential—aside from the number and stature of the organizations that downloaded the backdoored update—is the sophistication of the attack, particularly the lengths to which the attackers went to evade detection.
The backdoor was delivered through a legitimate software update to a known (trusted) monitoring and management tool. After the installation of the backdoor, the adversary took steps to avert sandbox detection, including waiting days before making any callback to its command-and-control (C&C) system. The actor took care to avoid tipping off IT teams with abnormal network activity. For example, the C&C infrastructure was set up in the countries of the victims, rather than in regions that IT teams are trained to view with suspicion. To ensure that connections to a newly registered domain did not tip off security operators, the C&C domain used was registered months in advance of the suspected start of the campaign. The adversary also incorporated the targeted organizations’ naming conventions into the DNS names of the C&C infrastructure. For more details, read this blog.
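The evasion techniques above each defeat one common detection: pre-registering the C&C domain defeats a “newly registered domain” check, and borrowing the target’s naming conventions makes the hostnames look familiar to an analyst. The following script, an added example that is not part of the original page and not Zscaler code, shows how a defender can score DNS log lines on several signals at once so that a single evasion does not make a destination look benign. The log lines, the registration dates, the organization’s domains and its internal host naming pattern are all constructed for the example.

```python
import re
from datetime import date

# Constructed: destinations seen in this environment's DNS logs before the review window.
KNOWN_DESTINATIONS = {"updates.vendor-example.test", "cdn.vendor-example.test"}

# Constructed assumptions: the organization's own domains and the pattern of its
# internal host names (e.g. "corp-sql01"), which an attacker might imitate.
ORG_DOMAINS = {"corp.example.test"}
ORG_NAMING = re.compile(r"(corp|dc|sql|exch)-?\d{2}", re.IGNORECASE)

# Constructed: registration dates as a domain-enrichment source would return them.
REGISTRATION_DATES = {
    "vendor-example.test": date(2015, 3, 1),
    "lookalike-example.test": date(2020, 2, 1),   # registered months before the window
    "brandnew-example.test": date(2020, 12, 1),
}

REVIEW_DATE = date(2020, 12, 14)

# Constructed DNS log lines: "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = [
    "2020-12-14T03:12:00Z 10.0.5.21 updates.vendor-example.test",
    "2020-12-14T03:20:00Z 10.0.5.21 corp-sql01.lookalike-example.test",
    "2020-12-14T04:01:00Z 10.0.5.22 api.brandnew-example.test",
]


def registrable_domain(fqdn):
    """Last two labels; sufficient here (real code would consult the public suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_query(fqdn, observed_on, known=KNOWN_DESTINATIONS):
    """Return the list of reasons a queried name deserves analyst attention."""
    reasons = []
    fqdn = fqdn.lower()
    domain = registrable_domain(fqdn)

    # Signal 1: registration age. Defeated by pre-registration, so never used alone.
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None and (observed_on - registered).days <= 30:
        reasons.append("newly-registered-domain")

    # Signal 2: first sighting in *this* environment, independent of registration date.
    if fqdn not in known:
        reasons.append("first-seen-in-environment")

    # Signal 3: an external name whose host labels imitate the organization's own naming.
    host_part = fqdn[: -len(domain) - 1] if fqdn.endswith("." + domain) else ""
    if domain not in ORG_DOMAINS and ORG_NAMING.search(host_part):
        reasons.append("mimics-internal-naming")

    return reasons


def scan_dns_log(lines, observed_on):
    """Parse '<ts> <client> <fqdn>' lines; return {fqdn: reasons} for every flagged name."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, _client, fqdn = parts
        reasons = assess_query(fqdn, observed_on)
        if reasons:
            findings[fqdn.lower()] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_dns_log(SAMPLE_DNS_LOG, REVIEW_DATE).items():
        print(name, reasons)
```

The lookalike name in the sample is not newly registered, so an age-only rule would pass it; it is still flagged because it is new to the environment and imitates internal host naming. Treat the result as triage input for an analyst, not an automatic block.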
Security experts have been warning for many years that [supply chain attacks] are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels, such as software update mechanisms that are inherently trusted by users.
Supply chain compromises will continue. They are extremely difficult to protect against, highlighting the need for security to be considered as part of the vendor selection process.
Defending your organization from supply chain attacks
Supply chain attacks are sophisticated and difficult to detect. In addition to understanding the security posture of all partner organizations, it’s important to have multiple layers of protection and visibility into all of your organization’s traffic. What follows are some of the integrated services enabled by the Zscaler Zero Trust Exchange that protect against supply chain attacks by enabling you to:
- Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access.
- Restrict traffic from critical infrastructure to an “allow” list of known-good destinations.
- Ensure that you are inspecting all SSL/TLS traffic, even if it comes from trusted sources.
- Turn on Advanced Threat Protection to block all known command-and-control domains.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C&C destinations.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.
- Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a zero trust architecture.
- Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access.
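Several of the controls above reduce to one egress policy: critical infrastructure may reach only an explicit allow list, known C&C destinations are blocked for every source, and nothing is exempted because it comes from a trusted vendor or over TLS. The following script is an added example of such a policy applied to proxy log lines; it is not Zscaler code and does not model any Zscaler product. The network ranges, allow list, C&C domain list and log lines are all constructed for the example.

```python
import ipaddress

# Constructed assumption: the subnet holding monitoring/management servers (critical infrastructure).
CRITICAL_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed: the only destinations critical servers are permitted to reach.
EGRESS_ALLOWLIST = {"updates.vendor-example.test", "time.example.test"}

# Constructed: known command-and-control domains, blocked for every source.
KNOWN_C2_DOMAINS = {"c2-example.test"}

# Constructed proxy log lines: "<timestamp> <source ip> <destination host> <port>".
SAMPLE_PROXY_LOG = [
    "2020-12-14T03:12:00Z 10.10.0.5 updates.vendor-example.test 443",
    "2020-12-14T03:13:00Z 10.10.0.5 beacon.c2-example.test 443",
    "2020-12-14T03:14:00Z 10.10.0.5 telemetry.unknown-example.test 443",
    "2020-12-14T03:15:00Z 10.20.3.7 telemetry.unknown-example.test 443",
]


def domain_matches(fqdn, domain_set):
    """True if fqdn equals, or is a subdomain of, any entry in domain_set."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in domain_set)


def decide(src_ip, dst_host):
    """Return (action, reason) for one connection. Port is irrelevant: TLS gets the same policy."""
    src = ipaddress.ip_address(src_ip)

    # Known C&C is blocked regardless of who connects, including "trusted" servers.
    if domain_matches(dst_host, KNOWN_C2_DOMAINS):
        return "block", "known-c2"

    # Critical infrastructure is default-deny: only allow-listed destinations pass.
    if any(src in net for net in CRITICAL_SOURCES):
        if domain_matches(dst_host, EGRESS_ALLOWLIST):
            return "allow", "critical-allowlist"
        return "block", "critical-not-allowlisted"

    # Other workloads keep the default policy here; still inspected, and still subject to C&C blocking.
    return "allow", "default"


def evaluate_proxy_log(lines):
    """Apply decide() to each well-formed line; return [(src, dst, action, reason)]."""
    results = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than silently allow
        _ts, src, dst, _port = parts
        action, reason = decide(src, dst)
        results.append((src, dst, action, reason))
    return results


if __name__ == "__main__":
    for src, dst, action, reason in evaluate_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{action:5} {src:10} -> {dst} ({reason})")
```

The third sample line is the instructive one: a critical server contacting an unknown telemetry host is blocked even though the destination is on no blocklist, which is exactly the gap a second-stage payload relies on. The same destination is allowed from an ordinary workstation, so the allow list costs nothing for the rest of the estate.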