With a successful supply chain attack against just one organization—often an unremarkable technology vendor—a criminal group can gain privileged access to the network of one (or all) of its customers.
Think about it. Perhaps your organization has a world-class cybersecurity program… But can you say the same for all of your suppliers? Like any defense, an organization’s security program is only as strong as its weakest point—and for most organizations, that weak point is somewhere in their supply chain.
What is a Software Supply Chain Attack?
A software supply chain attack occurs when a bad actor infiltrates a technology vendor’s network and abuses its trusted relationship with its customers to access one or more target networks.
An organization's technology supply chain includes:
- Software developers and open-source contributors
- Distributors and resellers
- Cloud service providers
- Hardware and IT service vendors
Compromising one or more desired targets—for example, government departments or critical infrastructure providers—is harder than infiltrating a single weak link in the supply chain.
The successful compromise of a single technology vendor can allow a criminal or state-sponsored group to infiltrate dozens of high-value targets, each of which would have been challenging to infiltrate directly. This makes supply chain attacks one of the most efficient and damaging tactics.
Common Supply Chain Attack Vectors
The most common form of supply chain attack involves infiltrating an IT vendor’s network and inserting malicious code into a legitimate software product before it is sent to the customer. Due to the trusted nature of its source, the customer assumes this compromised software to be legitimate and installs it. This results in the customer’s network being compromised.
There are four common ways that software supply chain attacks can occur:
1. Insider or Compromised Developer
This is the most apparent and hard-to-combat scenario. If a threat actor has direct access to the development process and environment, they will have many opportunities to inject malicious code. This situation could conceivably arise through blackmail or bribery, but more likely, an advanced threat group would plant the bad actor by positioning them as a legitimate, highly-qualified applicant who makes their way through the hiring process.
2. Compromising Open-Source Code
Many developers use open source code libraries—sections of pre-written code—as ‘building blocks to add common functionality into their own code. Unfortunately, it has become common practice for cyber adversaries to inject malicious code into popular open-source projects and distribute them via fake websites. Since open-source code is routinely built into commercial software, this can lead to serious vulnerabilities in popular software products. Worse, customers typically don’t know products contain open source code, so they cannot act if it later arises that the code includes vulnerabilities.
3. Hijacking Software Updates
Software updates are crucial for fixing bugs, adding new features, and addressing security vulnerabilities. Customers typically download software updates from a central server owned by the software vendor. By hijacking this infrastructure, bad actors can inject malicious code into legitimate software updates, which are trusted implicitly and installed by customers.
4. Undermining Code Signing
Software vendors use code signing to verify the source, authenticity, and integrity of software downloads and updates. Threat actors can subvert code signing by self-signing certificates, abusing signing systems, or exploiting account access controls. This enables them to disguise malicious software as legitimate software or updates, often including expected legitimate functionality to avoid arousing suspicion.
The Growing U.S. Software Supply Chain Risk
Supply chain attacks pose a significant threat to federal agencies, critical infrastructure providers, and, in fact, every organization in the U.S. There’s no doubt that organizations across all industries need to thoroughly vet their suppliers to minimize supply chain risk.
To safeguard national security and economic stability, technology vendors must:
- Implement stronger cybersecurity controls in their development environments
- Conduct risk assessments of their own supply chains
- Maintain visibility and integrity monitoring across every software component
But voluntary compliance isn't enough. A legal mandate establishing a minimum standard of Software Supply Chain Risk Management (SCRM) is essential.
Protecting the U.S. from Software Supply Chain Attacks
Our report, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of supply chain risk management.
Download the report to learn:
- Why Executive Order 14028 and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have for federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- The proposed approach by Cimcor to address supply chain risk in the U.S., and how regulators could structure a legal framework for SCRM.
