What is a supply chain attack?
A supply chain attack is a cyberattack in which a threat actor infiltrates an organization by compromising a third-party partner, vendor, or software provider. The attacker uses this access to gain a foothold in the target network, often affecting multiple linked organizations.
According to the Cybersecurity Infrastructure and Security Agency (CISA), a supply chain attack – also known as a software supply chain attack – can occur “newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix.”
How do supply chain attacks work?
Supply chain attacks occur when a threat actor targets a trusted third party—such as a vendor, contractor, or software supplier—as a means to access a larger, more secure organization.
Attackers often insert malicious code into software updates, patches, or components that are intended to be distributed to customers. Once deployed, the compromised update gives the attacker a foothold in the target organization’s network.
According to CISA, these attacks typically fall into one of the following categories :
- Hijacking updates: Attackers are looking to deploy threats like ransomware onto a customer-bound package such as a patch or other routine vendor-supplied update.
- Undermining code signing: Attackers attempt to "author" vendor-supplied updates, so they can successfully impersonate that trusted vendor.
- Compromising open source code: Attackers victimize developers who use open source code libraries. Developers don't realize they are leveraging infected code and deliver it straight into their own processes.
Because the software often arrives from a trusted source, traditional security controls may not detect anything unusual—making these attacks especially dangerous and difficult to trace.
Why are supply chain attacks on the rise?
Supply chain attacks are on the rise due to a mix of technical, strategic, and industry-wide trends. Threat actors are taking advantage of expanding digital ecosystems and weaknesses in third-party software, open source code, and vendor relationships.
Below are the key reasons behind the rise in supply chain attacks:
Increased digitization and interconnectivity
As organizations digitize their operations and rely more on cloud services, APIs, and third-party vendors, the attack surface grows. Threat actors know that compromising a trusted supplier can provide direct access to the primary target’s network—without attacking it directly.
Rise of open source software use
Many development teams depend heavily on open source code, but not all organizations have the processes in place to monitor or patch vulnerabilities in these components.
In some cases, malicious code is injected into an open source project long before the final product ships—making remediation difficult and time-consuming once discovered.
Lack of visibility into supply chains
Organizations often don’t have clear visibility into all the tools, components, or partners they depend on. This lack of awareness makes it harder to identify and respond to third-party risks, especially when security responsibilities are not clearly defined.
Open contribution models
Open source projects often accept contributions from a wide range of developers. While this encourages innovation, it can also introduce risks if malicious actors contribute code under the guise of adding features. This tactic, sometimes called “covert defect introduction,” can go undetected until the project is fully deployed.
Types of supply chain attacks
In addition to well-known tactics like update hijacking or open source code injection, attackers use a variety of methods to compromise vendors or service providers as a means to reach their ultimate target.
According to the National Cyber Security Center of the United Kingdom Government, there are a few common vectors through which attackers regularly make their way to a preferred destination:
- Third-party software providers: A trusted vendor delivers product to a customer that, unbeknownst to the vendor, has become “trojanized” – or had malicious code injected into the product.
- Website builders: Creative agencies building legitimate websites for their clients leveraging website builders that have been compromised by threat actors.
- Third-party data stores: Enterprise organizations storing their data with third-party data aggregators and brokers can find themselves open to attack via maliciously-coded information they access once it has left their servers and become compromised.
- Watering hole attacks: Threat actors identify a website frequented by users within a targeted organization, whether for functional, research, or other purposes. Attackers then compromise that frequented website to distribute malware.
Examples of supply chain attacks
These real-world examples show how attackers have used trusted vendors, development tools, and service providers as entry points in supply chain attacks.
SolarWinds SUNBURST backdoor attack
In this 2020 attack, threat actors inserted malicious code into an update of the SolarWinds Orion platform—a tool used by thousands of organizations to monitor IT infrastructure. Once the compromised update was installed, attackers gained widespread access to internal networks, including those of U.S. federal agencies and Fortune 500 companies.
Codecov bash uploader compromise
Codecov, a code coverage tool, experienced a breach in which attackers modified its Bash Uploader script. The alteration went unnoticed for months and allowed exfiltration of sensitive environment variables, tokens, and credentials from customers’ CI/CD environments.
JetBrains TeamCity exploitation
Attackers exploited vulnerabilities in JetBrains' TeamCity CI/CD software, gaining full control over project builds, agents, and artifacts. This served as a launchpad for injecting malicious code into customer environments via the development pipeline.
How to mitigate the risks of supply chain attacks
There are obviously many tactics a security operations center (SOC) could employ in order to mitigate the risks and/or effects of a supply chain attack. But let's take a look at some of the more common best practices in creating a more secure supply chain.
Create edge connections between you and your vendor
Every organization has ingress and egress points with various external applications and service providers. When new services or vendors are procured, access control lists (ACLs) are updated to accommodate the new data streams.
Early stages of an incident are often daunting, frustrating, and confusing for all parties involved, and one of the most critical elements of incident response is containment. Many vendors will immediately disable external connections when an attack is discovered, but relying on an external party to act in the best interest of your organization is a challenging position for any security professional.
If your organization has a list of external connections open to the impacted vendor, creating templates or files to easily cut and paste commands to cut off the connection is an easy step in the planning phase of incident response. This ensures whatever nefarious behavior occurring on the vendor’s network cannot pass into your environment.
Maintain a vendor inventory with key POCs
Having a centralized repository of vendors with key points of contact (POCs) for the account and service-level agreements (SLAs) relevant to the business relationship is an invaluable asset in the event of a breach or attack.
The repository enables rapid communication with the appropriate parties at the vendor to open and maintain a clear line of communication, so updates can be shared and critical questions answered in a timely fashion.
Prepare customer communication templates
Create templates for communications about what your team is doing to protect the environment and answer any high-level questions in the event of a security incident. For these documents, it is best to work with legal departments and senior leadership to ensure the appropriateness of the manner in which this information is disclosed.
- Internal communication templates are formatted memos to easily address some key elements of what is occurring to keep staff apprised of the situation.
- External communication templates are press-directed communications regarding the investigation or severity of a breach.
- Regulatory notices templates typically are created with legal teams to ensure the correct data can be easily provided by technical teams.