What Is a Supply Chain Hack?
A supply chain attack seeks to damage or infiltrate an organization by pinpointing vulnerable parts of its supply network. Attacking a supply chain presents multiple opportunities for successful infiltration—even more so when attacking an organization with a complicated or intricate supply chain network.
In almost all supply chain attacks, the initial victim is not the sole target of the attacker. Rather, the supply chain element is a stepping stone to a bigger fish. The attacker exploits vulnerabilities in the easier target and leverages that to move to the ultimate goal.
Supply Chain Attack Types
Supply chain attacks aren’t one size fits all. The supply chain for a major organization may comprise multiple different moving parts. An attacker must think about which type of supply chain attack to use against a target.
Here are three notable supply chain attacks for you to consider.
In 2013, the US retailer Target was the subject of a major attack that resulted in the loss of information on 110 million credit and debit cards used in its stores. The total amount of data stolen was only 11 GB, but the type of data stolen was particularly valuable.
The attackers identified a number of third-party suppliers in Target’s corporate network. While the final number of attempted exploits is unknown, the vulnerable business was Fazio Mechanical, a refrigeration contractor.
Once the contractor was compromised, the attackers waited inside the company network until it was possible to escalate to a Target system using stolen credentials. Eventually, the attackers gained access to Target’s servers, looking for other vulnerable systems inside the company network.
From here, the attackers exploited Target’s point of sale (POS) system, skimming off card information for millions of customers.
One primary example of a third-party software supply chain attack is SolarWinds, whose Orion remote management software was compromised in 2020. The attackers inserted a malicious backdoor into the software update process.
When the update was pushed to SolarWinds’ hundreds of thousands of customers, the attacker’s malware went with it. As the update was digitally signed as normal, everything appeared as usual.
Once the software was activated as part of the normal update process, the attackers gained access to a huge number of critical targets, including the US Treasury, the Departments of Homeland Security, Commerce, State, Defense, and Energy, and the National Nuclear Security Administration.
The SolarWinds attack is one of the largest and most successful supply-chain attacks ever carried out.
Did you know that one of the most infamous hacks of all time was a supply chain attack?
Stuxnet is a computer worm with an extremely specific target: systems running a particular software type, from a specific manufacturer, found in Iranian nuclear power plants. The Stuxnet malware causes centrifuges to drastically increase in speed, destroying the material in the centrifuge and the infrastructure itself in the process.