Security warning: Your suppliers are now your weakest link

Cybersecurity agency warns of 796 attacks against business, says that hackers will attempt to reach their targets through their suppliers.
Written by Danny Palmer, Senior Writer

Hackers targeting business supply chains and the proliferation of destructive worms are two of the biggest cyber-threats that organisations should prepare to face in the coming year, security experts have warned.

The National Cyber Security Centre (NCSC) -- the cybersecurity arm of GCHQ -- and the National Crime Agency (NCA) have jointly produced a report on the threats cyber-attackers pose to UK business and warn that security risks are continuing to grow.

The Cyber Threat to UK Business Industry 2017-2018 report reflects on what was an extremely busy 2017 in terms of cybersecurity: in addition to needing to fight malware, espionage, and other standard cyber-threats, the UK had to counter the global WannaCry ransomware outbreak after it took some of the National Health Service offline.

The report states that between October 2016 and the end of 2017, the NCSC recorded 34 significant cyber-attacks -- those which required a cross-government response -- while a further 762 less serious incidents, typically restricted to one organisation, were also recorded.

See also: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse

However, there's one area which the NCSC and NCA have outlined as a threat to organisations, no matter how robust their internal cybersecurity strategy is: the supply chain.

"It is clear that even if an organisation has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim," warns the report.

The challenge with supply chain attacks is that they are often difficult to detect if they are done well, as attackers will stealthily make their way into networks, often with the aid of spear-phishing and other techniques designed to steal credentials or create backdoors.

Indeed, the report points to the success of Cloud Hopper, an advanced Chinese cyber-espionage campaign which targeted IT suppliers around the world, as an example of the threat this tactic can pose. The third parties were compromised as a stepping stone towards bigger, more lucrative targets, but still proved to be fruitful for the attackers as many were handling sensitive data.

Last year's NotPetya attack also served as a warning as to what can happen if a supplier is attacked: legitimate software used throughout Ukraine became infected with a destructive ransomware worm. But the attacks weren't limited to within Ukrainian borders -- relationships and supply chain links meant it quickly spread around the world, causing billion of dollars of damage.

Supply chain attacks don't show any sign of letting up or becoming any less damaging soon.

"Criminals are highly likely to continue to exploit long-standing and well-known vulnerabilities in victim infrastructure," the report warns.

In order to prevent supply chain attacks, the NCSC and NCA recommend organisations follow the principle of 'least privilege', providing external parties with the absolute minimum access to data required while still able to operate as planned.

The Cyber UK report also covers the WannaCry and NotPetya attacks of last year, both of which were spread with the help of the worm-like capabilities of the leaked EternalBlue SMB exploit. The NCSC and NCA warn that it could only be a matter of time before another worm wreaks havoc.

See also: The secret to being a great spy agency in the 21st century: Incubating startups

"Having seen the success of using worms to propagate ransomware in the WannaCry attack, it's possible that hackers may be encouraged to use this automated and faster method of spreading malware through a network and beyond," said the report, noting how plenty of systems still haven't been patched against the threat.

The message to organisations is therefore a simple one: be prepared to face the threats posed by cyber attackers.

"UK business faces a cyber-threat which is growing in scale and complexity. Organisations which don't take cybersecurity extremely seriously in the next year are risking serious financial and reputational consequences," said Donald Toon, director of the NCA's Prosperity Command.

Nonetheless, the NCSC remains confident about the UK's ability to protect itself from cyber-attacks and hacking campaigns.

"The last year has seen no deceleration in the tempo and volume of cyber incidents, as attackers devise new ways to harm businesses and citizens around the globe. Despite these very real threats to the nation's security, I am confident in the UK's ability to combat the attacks that we face every day," said Ciaran Martin, chief executive officer at the NCSC.

Recent and related coverage

Ransomware: Not dead, but evolving nasty new tricks

Crooks distributing ransomware are still tweaking their tactics, in an effort to extort as much profit as possible while a 'passing of the guard' is underway.

1.5 billion sensitive files exposed by misconfigured servers, storage and cloud services

As GDPR looms, vast amounts of sensitive data including credit card details, medical information, and patents are still easily found online, says a security company.

Once a target, always a target: If you're hit by hackers you're likely to be hit again

The number of organisations that have fallen victim to cyber-attackers only to fall victim a second time is on the up.


Editorial standards