WASHINGTON, D.C. – Two recent cyber-attacks highlight a new way hackers have found to successfully target businesses and governments alike. The strategy, which is growing in popularity, involves bad actors targeting third-party vendors who provide a service used by a network of companies or government agencies.
Once the hackers find a way in, they have access to those providers’ entire customer base. It’s called a cyber supply chain attack, and according to security experts, these types of attacks mean you’re only as strong as your weakest link.
The two most recent attacks on the cyber supply chain were carried out by two different U.S. adversaries. In the first, Chinese hackers targeted an email security provider, and in the other, Russian hackers infiltrated a file transfer program used by the federal government.
“What these organizations did, or these governments engaged in, was finding the vulnerabilities in those particular software packages. In the one case, they actually attacked a recent updated patch into the system and that led to a vulnerability which then was exploited,” said Scott White, director of George Washington University’s Cyber Security Program.
The SolarWinds cyber-attack back in 2020 remains the highest-profile example of this kind of strategy. Hackers placed malware in signed versions of software distributed by the IT management platform's supplier and then used it to gain access to 18,000 government and private organizations.
White says this supply chain hack is being used by both criminals and Advanced Persistent Threats (APTs), like China, Russia, and North Korea.
“We have to remember that every single day these APTs are engaging in the cyber world, attempting to find vulnerabilities in any of the hardware or software that’s being developed. Once they occur, then they can infiltrate those and eventually exfiltrate information,” White explained.
He says protection against this line of attack is especially difficult because hackers could gain access at any point across very interconnected systems.
“The problem we run into, ultimately, is not every organization in that supply chain, from manufacturer to distributor, right down to user, is going to have the same level of security, the same level of cyber hygiene,” White told CBN News.
That’s especially true for global supply chains, with many countries not requiring the same security standards as the U.S.
“Part of what we have to do, both as a government, and as business, is continue to push kind of not necessarily regulation, but at least standards and practices to the global community who want to engage in the supply chain,” said White.
Research shows why securing these critical supply chains is so important. According to Gartner Inc., 45 percent of global organizations can expect a software supply chain attack by 2025.
White says the federal government already offers resources to help U.S. organizations examine their various member networks and come up with a risk management process.
“Risk management is not just placing in security and good hygiene. Risk management also looks at threat vectors, and when you’re looking at threat vectors, you’re also looking at where are we connected? What third parties are we engaging in?” White explained.
While these specific attacks don’t always make headlines, they must be taken seriously. In 2022 alone, more than 10 million people and some 17,000 organizations fell victim to a cyber supply chain breach. That number is expected to rise in the future.