Cybersecurity and the supply chain—are your suppliers your weakest link?

Many companies entrust third parties with access to their data and systems but if they haven’t implemented the right cybersecurity measures, they could put a company at risk of a serious breach.

The increasing connectivity between businesses means cybercriminals are continuously finding new ways to infiltrate company networks. If there is a vulnerability somewhere in the digital supply chain, the chances are a hacker will be able to uncover it.

Cybercriminals target supply chains to reach as many victims as possible in a single hit. As supply chains can be large and complex, it can be difficult to know if you have sufficient protection in place. An increasing number of organisations are suffering cyberattacks via their supply chains or via their providers of IT services. This is largely because attackers are able to take advantage of customers’ trust in their suppliers and exploit digital vulnerabilities.

What is a supply chain cyberattack?

A supply chain cyberattack occurs when threat actors access a company’s network via suppliers or a third-party provider (the ‘digital supply chain’). Because the third party has been given the permissions to use areas of the company’s network, applications or sensitive data, an attacker can gain access to these areas too if they are able to penetrate the third party’s defences. The distribution of malware (malicious software) is a common result of a supply chain attack.

Why are cyber-attacks on supply chains becoming more common?

The role of managed service providers (MSPs) in providing IT services (such as security monitoring and digital billing makes) them attractive targets for cybercriminals. Cyberattacks on supply chains are becoming more common as they enable threat actors to target larger numbers of victims all at once, i.e., an attack on one business may give access to hundreds—or even thousands—of their customers.

Types of supply chain cyberattacks

Software

Hackers may attack a software company’s system, target an application’s source code and insert their own malicious code into the software. Any company that goes on to use this software is a potential target because the product has been compromised.

Hardware

This type of attack can happen through compromised physical devices, such as USB drives. The hacker can get to work when the device installs an application to allow access to the network. Once in, they will target a network device to infiltrate supply chain systems and cause widespread damage.

Firmware

Firmware attacks target a computer’s booting code. When this malware has been surreptitiously loaded into a computer, the malicious code is executed as soon as the computer boots up, jeopardising the entire system or network.

Malware preinstalled on devices

Hackers can put malware on phones, USB drives, cameras, and other mobile devices. When the device is connected to a system or network, malicious code is introduced with the ability to take over devices and download apps in the background. Manufacturers of budget devices who rely on third-party software can be particularly susceptible to this type of attack.

Stolen certificates

Certificates are used to vouch for the legitimacy or safety of a company’s product. If a hacker steals a certificate, they can peddle malicious code under the guise of that company’s certificate.

Website builders

By attacking the core script of a website template of a creative or digital agency that builds websites for their clients, cybercriminals can target these end clients and compromise their websites.

Watering hole attacks

This type of attack works by identifying a website that is frequented by users within a targeted organisation or sector. That website is then compromised to enable the distribution of malware. Typically, the malware delivered will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Kiwi businesses increasingly vulnerable to cyberattacks

Recent research released by Kordia showed large Kiwi business are being significantly impacted by third-party cyberattacks. According to its 2023 survey, respondents reported cyber incidents associated with supply chain partners accounted for 28 per cent of all attacks, which was second only to phishing.

Peter Bailey, Regional Cyber Security Business Manager at Kordia noted that businesses can’t afford to operate with a blind spot around their supply chain partners.  “They need absolute clarity around what third parties have access to, and the layers of security that exist around that access,” he said.

Examples of major supply chain cyberattacks

MOVEit data breach, 2023

The biggest hack of 2023 so far has been the breach of MOVEit transfer software, which has affected at least 60 million people around the world.

MOVEit is used by organisations to transfer large amounts of often sensitive data, such as medical records, billing data and financial information.  Organisations affected include British Airways, the BBC and Shell.

As many of these organisations handle data on behalf of others, who in turn receive the data from third parties, the hack has spiralled outwards and compromised data of around 1,000 organisations worldwide. The cybercriminals are now leading stolen data.

Kaseya ransomware attack, 2021

Network management software firm, Kaseya, was the target of a ransomware gang who was able to breach the company’s remote monitoring and management package, Virtual Administration Assistant (VSA), via an authentication bypass vulnerability. Within days, up to 1,500 downstream customers had been affected by the attack through downloads containing malware.

Log4j vulnerability, 2021

Apache Log4j is one of the many building blocks that are used in the creation of modern software and is used by millions of computers worldwide running online services. A vulnerability was discovered that could allow attackers to break into systems, steal passwords and logins, extract data and infect networks with malicious software.

SolarWinds hack, 2020

When attackers hacked major software company, SolarWinds, it unknowingly began to send out their Orion Platform software updates with hacked code. This triggered a huge supply chain incident that compromised the data, networks and systems of up to 18,000 organisations, including U.S. government agencies.

In most cases, a single breach, compromise or vulnerability in distributed code led to thousands of victims—an easy win for cybercriminals.

How to strengthen your digital supply chain

It is important for organisations to work with their suppliers to identify potential supply chain risks and ensure appropriate cybersecurity measures are in place, and all suppliers should be incorporated into your organisation’s security verification.

Endpoint Detection and Response (EDR) can play a vital role in protecting your organisation from supply chain attacks as it continuously monitors endpoint activity to let you know when an attack has occurred, its attack path and the actions it took. An integrated approach to cybersecurity - combining key EDR with anti-virus software and Two-Factor Authentication - can further strengthen your defences.

How Gallagher can help

As cyber insurance experts, we work with you to understand and manage your exposure to potential cyber risks and arrange the appropriate cyber cover. It is also important to regularly review business risks with your broker to ensure ongoing protection from increasingly active, sophisticated and successful cyber criminals.

For more information please contact your Gallagher broker.
Expert: Claire Haszard