Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it's possible to find a potential way into thousands of targets at once.
Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.
Other cyber criminals were able to carry out a supply chain attack using a vulnerability in software from Kaseya to launch a ransomware attack that affected thousands of its customers around the world.
"The issue of the threat to IT service providers as part of a supply chain was clearly one of the features of the last year," said Simon Mehdian-Staffell, UK government affairs manager at Microsoft, speaking during a Chatham House Cyber 2021 Conference discussion on the rise of state-backed cyberattacks.
Some of these attacks have been identified precisely because they were on such a large scale, like the ones above. But there are means of supply chain compromise that are far less likely to draw attention yet can be very effective, and a more tightly focused campaign may be harder to detect.
"Clearly there's trade-offs to be made between where they cast their net and the potential increased likelihood of being detected, so operators are having to make those trade-offs," said Jamie Collier, cyber threat intelligence consultant at Mandiant, also speaking during the Chatham House panel.
While big attacks get the attention, the past few years have seen "other vectors of supply chain compromise that are dominating the numbers that maybe don't get the attention they deserve", he added.
These lower-scale, less obvious supply chain attacks can be just as effective for cyber attackers, providing discreet pathways into networks. In particular, developer or mobile environments can provide this gateway – and cyber attackers have noticed.
"First of all would be developer environments, we see a huge amount of supply chain compromise around there. And the second would be mobile," said Collier.
"So, while we want to focus on the likes of SolarWinds, there is a wider landscape out there and it's important we recognise that broader spectrum," he added.
Given the success of major supply chain attacks thus far, they'll remain a cybersecurity threat for the foreseeable future.
"Supply chain attacks continue to be an attractive vector at the hand of sophisticated actors and the threat from these attacks is likely to grow. Especially as we anticipate technology supply chains will become increasingly complicated in the coming years," Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), said in a keynote address to the Cyber 2021 Conference.
The threat of supply chain attacks means that organisations should examine what they can do to make themselves more resilient to cyberattacks. They should also examine how to protect themselves in the event of one of their suppliers unknowingly falling victim to a malicious cyber campaign.
"First, organisations need to establish a clear security direction with their suppliers, asking for and incentivising good security through the supply chain. This is often relatively straightforward security practices, such as controlling how privileged access is managed," said Cameron.
"Second, organisations should take an approach where their design is resilient if a technology supplier is compromised. The SolarWinds incident is a good example. To be blunt, if your SolarWinds installation couldn't talk directly to the internet – which it shouldn't have been able to do – then the whole attack was irrelevant to your network," she added.
Organisations and their information security teams can go a long way towards protecting the network from attacks by knowing exactly what is on it and what is connected to the internet. Ensuring that infrastructure which does not need a direct internet connection does not have one puts a major barrier in the way of such attacks succeeding.
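As an added example (not from the article or any of the organisations quoted), the following Python check applies the recommendation above: given an inventory of hosts that have no business reaching the internet, it flags allowed egress flows from those hosts to non-internal addresses. The hostnames, addresses and flow-log format are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ranges treated as "inside the network" (RFC 1918, loopback, link-local);
# any other destination counts as direct internet egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed asset inventory (hypothetical hostnames): systems that should
# never initiate internet connections, keyed by IP. The monitoring server
# stands in for a supplier-provided installation of the kind discussed above.
NO_DIRECT_EGRESS: Dict[str, str] = {
    "10.20.0.15": "monitoring-srv-01",
    "10.20.0.16": "backup-srv-01",
}

# Constructed egress flow log, "src dst dport action" per line. The
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges represent
# internet destinations here.
SAMPLE_FLOWS = """\
10.20.0.15 10.20.0.53 53 ALLOW
10.20.0.15 203.0.113.45 443 ALLOW
10.20.0.16 10.20.0.2 8443 ALLOW
10.20.0.16 198.51.100.9 443 DENY
10.20.0.40 203.0.113.45 443 ALLOW
not a flow record
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse flow records, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit():
            flows.append((parts[0], parts[1], int(parts[2]), parts[3]))
    return flows


def find_direct_egress(flows, inventory=NO_DIRECT_EGRESS) -> List[Tuple[str, str, int]]:
    """(hostname, dst, port) for every ALLOWED flow from a restricted host
    to a non-internal address. DENY records show the control working and
    hosts outside the inventory are out of scope, so neither is reported."""
    return [(inventory[src], dst, port) for src, dst, port, action in flows
            if src in inventory and action == "ALLOW" and not is_internal(dst)]
```

Run periodically against real firewall or flow exports, a non-empty result means either the inventory is wrong or the egress control has a gap that needs closing.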