MSP Supply Chain Attacks: When Your IT Provider Becomes the Attack Vector

2021 (Kaseya VSA, peak documented incident)
BREACH INTELLIGENCE
breach date

2021 (Kaseya VSA, peak documented incident)

Industry

Cross-sector (IT Services / MSP Supply Chain)

Severity

Critical

Organizations Affected

1,500+ downstream businesses (Kaseya VSA)

Financial Impact

$70M

Breach Summary

MSP supply chain attacks don't target your company. They target the firm you hired to protect it. Managed service providers sit at the center of hundreds or thousands of client networks simultaneously, managing endpoints, deploying software, and holding administrative credentials across every environment they touch. That centralized access, designed for operational efficiency, creates a single point of compromise that threat actors have systematically exploited for over a decade.

This article covers the documented pattern of MSP-targeted attacks — the Kaseya VSA breach, the SolarWinds supply chain compromise, and the broader MSP hacking ecosystem — and what it means for the mid-market companies and PE portfolio operators who depend on managed services for their security operations.

What Happened

The MSP supply chain attack pattern has two landmark incidents that define the threat model:

Kaseya VSA — July 2021

On July 2, 2021, the REvil ransomware group exploited zero-day vulnerabilities in Kaseya's VSA remote monitoring and management software (CVE-2021-30116 among them, an authentication bypass that researchers had reported to Kaseya before the attack and that was still unpatched). The attack targeted on-premises VSA servers operated by MSPs and used the VSA platform's own software deployment feature to push the ransomware to managed endpoints as though it were a legitimate update. It was timed for the start of the US Independence Day weekend, when security staffing at both MSPs and their clients is reduced.

Kaseya reported that fewer than 60 of its direct customers, nearly all MSPs, were compromised, and that roughly 1,500 downstream businesses were affected through them. REvil first demanded ransoms from individual victims (reportedly between $45,000 and $5 million each), then offered a universal decryptor covering all victims for $70 million. Kaseya obtained a working decryption key about three weeks after the attack, through means later reported to involve law enforcement, and provided it to affected organizations.

SolarWinds Orion — December 2020

Russian SVR actors (APT29 / Cozy Bear) compromised SolarWinds' Orion build environment and inserted the SUNBURST backdoor into vendor-signed Orion updates, which shipped to customers between March and June 2020. SolarWinds estimated that approximately 18,000 customers downloaded a trojanized update. Affected organizations included US federal agencies (Treasury, Commerce, Homeland Security), major technology companies, and MSPs that used Orion to monitor their clients' networks.

For MSPs, the backdoor sat inside monitoring infrastructure that already held credentials for, and network reach into, every client environment the MSP watched, so one backdoored Orion server extended the attacker's potential reach to the MSP's entire client base. The intrusion went undetected for roughly nine months before FireEye disclosed it in December 2020.

Ongoing Pattern

Beyond these landmark incidents, CISA and FBI joint advisories issued in 2022 and 2023 specifically identified MSPs as high-priority targets for ransomware affiliates and state-sponsored actors. ConnectWise ScreenConnect authentication-bypass vulnerabilities (2024), N-able N-central credential theft campaigns, and ongoing spearphishing of MSP helpdesk staff represent the continuous baseline of MSP-targeted activity that runs between the high-profile incidents.

Attack Vector Detail

How MSP Attacks Work

MSP-targeted attacks exploit the trust and access that MSPs hold across client environments. The attack vectors fall into three documented patterns:

RMM platform compromise. Remote monitoring and management (RMM) tools are the operational backbone of MSP service delivery: they provide persistent, privileged remote access to every managed endpoint. Compromising the RMM platform gives an attacker administrative control over every client endpoint simultaneously. The 2021 Kaseya VSA attack exploited zero-day vulnerabilities in the VSA RMM platform to deploy REvil ransomware to approximately 1,500 businesses through fewer than 60 compromised MSPs in a single operation.

Software supply chain compromise. The 2020 SolarWinds Orion attack, in which Russian SVR actors compromised the SolarWinds build environment and shipped a backdoored, vendor-signed update to approximately 18,000 customers, is the supply chain variant. MSPs that ran Orion to monitor client networks installed the SUNBURST backdoor into the very infrastructure that held credentials and network paths into those clients. The attacker never had to touch the client networks directly; the MSP's trusted tooling provided the reach.

Credential theft and direct MSP compromise. MSP employee credentials — particularly those with administrative access to client environments — are high-value targets for credential theft, phishing, and MFA bypass campaigns. Scattered Spider campaigns have specifically targeted MSP helpdesk staff using social engineering to obtain credentials that provide access to client environments. CISA and FBI joint advisories have repeatedly warned that MSP administrative credentials are actively sought by ransomware affiliates.

Why MSPs Are Strategic Targets

The economics of MSP targeting are straightforward. A single successful MSP compromise gives an attacker access to hundreds of client environments simultaneously, with the same operational effort required to compromise a single target. This multiplier effect makes MSPs disproportionately valuable targets relative to the effort required to attack them.

The adversary calculus: a ransomware group that compromises an MSP managing 200 mid-market clients can deploy ransomware across all 200 simultaneously, dramatically increasing the probability of collecting at least some ransom. The Kaseya attackers demanded $70 million for a universal decryptor, a figure achievable only because the blast radius covered hundreds of separate organizations.

Executive Lessons

What Executives and Boards Must Take From MSP Supply Chain Attacks

The fundamental lesson of MSP supply chain attacks is that security outsourcing does not eliminate security risk — it transfers and concentrates it. When you outsource security operations to an MSP, you inherit the MSP's attack surface in addition to your own.

Five things executives must do in response:

  1. Audit MSP access. Document every administrative credential, remote access tool, and privileged account your MSP holds in your environment. If you cannot produce this list in 30 minutes, your MSP has more access than you have oversight of.
  2. Require MFA on MSP administrative access. MSP administrative accounts should be subject to phishing-resistant MFA — not SMS-based codes. Scattered Spider specifically targets SMS MFA. Hardware keys or certificate-based authentication for MSP privileged accounts is a baseline requirement, not a best practice.
  3. Review MSP contracts for breach notification and IR obligations. Most MSP agreements include no obligation to notify clients within a defined timeframe of a supply chain compromise. Negotiate this explicitly. A 24-hour notification requirement after detecting a potential supply chain incident is reasonable and enforceable.
  4. Segment MSP access from production systems. MSP administrative access should be network-segmented from production workloads. An MSP managing your endpoints should not have direct access to financial systems, data rooms, or sensitive databases. Jump hosts, privileged access workstations (PAWs), and network segmentation limit blast radius if MSP credentials are compromised.
  5. Conduct periodic MSP security assessments. Your MSP's SOC 2 certification covers their organization. It does not cover the specific controls governing their access to your environment. Periodic third-party assessment of MSP access controls, credential management, and incident response capability is warranted for any MSP with privileged access to sensitive systems.
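Steps 1, 2 and 4 above are mechanical enough to check with a script. The following is an added example, not Cloudskope's tooling or anything from the incidents discussed: it reconciles a directory export against the access inventory the MSP has declared and flags undeclared MSP accounts, privileged MSP accounts without phishing-resistant MFA, MSP accounts whose group membership reaches sensitive systems, and stale privileged accounts. The directory records, the declared inventory, the group names and the "msp" ownership tag are all constructed assumptions; in practice they would come from an AD or Entra export, the MSP's access register and your own CMDB.

```python
"""Reconcile the privileged access an MSP actually holds against what it
has declared. Added example with constructed data (see lead-in)."""
from dataclasses import dataclass, field

# MFA methods we treat as phishing-resistant (assumption: labels used by
# the directory export).
PHISHING_RESISTANT = {"fido2", "certificate", "smartcard"}
# Groups that confer administrative control over endpoints or the RMM.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Server Operators", "RMM-Operators"}
# Groups granting reach into systems an endpoint-management MSP should not
# touch directly (constructed names).
SENSITIVE_GROUPS = {"Finance-ERP-Admins", "DataRoom-Users", "SQL-Prod-DBA"}


@dataclass
class Account:
    name: str
    owner: str                       # "msp" or "internal"; from OU/naming in practice
    groups: set = field(default_factory=set)
    mfa: str = "none"                # none | sms | totp | fido2 | certificate | smartcard
    enabled: bool = True


# Constructed directory export.
DIRECTORY = [
    Account("svc-rmm-agent", "msp", {"RMM-Operators"}, mfa="certificate"),
    Account("msp-jdoe", "msp", {"Domain Admins"}, mfa="sms"),
    Account("msp-tsmith", "msp", {"Domain Admins", "SQL-Prod-DBA"}, mfa="fido2"),
    Account("msp-oldtech", "msp", {"Administrators"}, mfa="totp", enabled=False),
    Account("msp-temp01", "msp", {"Server Operators"}, mfa="none"),
    Account("cfo", "internal", {"Finance-ERP-Admins"}, mfa="fido2"),
]

# What the MSP says it holds in this environment (constructed).
DECLARED_BY_MSP = {"svc-rmm-agent", "msp-jdoe", "msp-tsmith"}


def reconcile(directory, declared):
    """Return (account, finding_kind, detail) tuples for every gap found."""
    findings = []
    for acct in directory:
        if acct.owner != "msp":
            continue
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        if acct.name not in declared:
            findings.append((acct.name, "undeclared",
                             "present in directory but absent from the MSP's inventory"))
        if privileged and acct.mfa not in PHISHING_RESISTANT:
            findings.append((acct.name, "weak-mfa",
                             f"privileged MSP account protected by '{acct.mfa}' MFA"))
        reach = acct.groups & SENSITIVE_GROUPS
        if reach:
            findings.append((acct.name, "segmentation",
                             f"reaches sensitive systems via {sorted(reach)}"))
        if privileged and not acct.enabled:
            findings.append((acct.name, "stale",
                             "disabled but still privileged; strip group membership"))
    return findings


def summarize(findings):
    """Count findings per kind, for the 30-minute answer the checklist asks for."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(DIRECTORY, DECLARED_BY_MSP)
    for name, kind, detail in results:
        print(f"[{kind:12}] {name}: {detail}")
    print(summarize(results))
```

On the constructed data the script reports two undeclared accounts, three privileged accounts without phishing-resistant MFA (one of them an SMS-protected Domain Admin), one segmentation violation and one stale privileged account. The point of the exercise is the `undeclared` class: if the MSP's own register does not match the directory, neither party has the oversight step 1 requires.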

Private Equity Implications

For PE firms conducting cyber due diligence on mid-market acquisitions, MSP dependency is a risk factor that current standard DD frameworks frequently miss.

MSP concentration risk. Portfolio companies that rely on a single MSP for all IT management — network, endpoints, security operations, and cloud — have concentrated their cyber risk into a single third party. If that MSP is compromised, the portco's ability to respond is limited by the same degraded infrastructure the attacker is using. Diversification of MSP relationships — or at minimum, independent security monitoring capability that does not rely on the MSP's own tooling — reduces single-point-of-failure risk.

Cross-portfolio MSP exposure. PE firms that recommend or broker MSP relationships across their portfolio create a second-order supply chain risk: if the recommended MSP is compromised, the breach may affect multiple portfolio companies simultaneously. This aggregated exposure is material from a fund-level risk perspective and is rarely quantified in portfolio risk assessments.

Deal timeline risk. An undisclosed MSP supply chain breach that occurred before close but was discovered post-close creates reps and warranties exposure for the seller and potential material adverse change considerations for the buyer. Standard cyber reps in acquisition agreements typically require disclosure of known security incidents — an MSP breach that the target company was not directly notified of creates ambiguity about what the seller "knew" and when.

How Cloudskope Can Help

Cloudskope's cyber due diligence assessments specifically include MSP access audit as a component of vendor risk review. For PE portfolio companies that use managed IT or security service providers, we evaluate the administrative access those providers hold, the contractual protections (or lack thereof) governing that access, and the detection capability in place to identify anomalous MSP account behavior. The MSP supply chain risk is consistently underweighted in mid-market security programs and consistently overweighted in post-breach incident investigations.

Frequently Asked Questions

What is an MSP supply chain attack?

An MSP supply chain attack targets a managed service provider to gain simultaneous access to all of the MSP's client environments. Rather than attacking each client individually, the adversary compromises the MSP's tools, credentials, or software distribution infrastructure — then uses that access to propagate malware, ransomware, or persistent backdoors to every client the MSP manages.

Was Kaseya an MSP attack?

Yes. The July 2021 Kaseya VSA attack exploited zero-day vulnerabilities in the Kaseya VSA remote monitoring and management platform. The attackers, identified as REvil, used the platform's software distribution capability to push ransomware to approximately 1,500 businesses through fewer than 60 compromised MSPs simultaneously. It is considered one of the largest ransomware supply chain attacks ever documented.

How can I tell if my MSP has been compromised?

Indicators of MSP compromise include unexpected remote sessions or administrative activity during off-hours, new privileged accounts created in your environment without a corresponding change request, RMM tools behaving unexpectedly (pushing software not in your approved list), and your MSP issuing a security incident notification. Behavioral monitoring of MSP administrative sessions — logging and alerting on unusual activity by MSP accounts — is the most reliable detection mechanism.
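The three indicators above translate directly into detection rules. The following is an added example, not Cloudskope's or any RMM vendor's code: it runs three checks over a constructed, normalised event feed (an MSP remote session outside the agreed maintenance window, a privileged account created by an MSP identity with no approved change ticket, and an RMM deployment of a package outside the approved catalogue). The event field names, the MSP account list, the business timezone, the maintenance window, the approved package catalogue and the open change tickets are all assumptions you would replace with your SIEM's schema and your own reference data.

```python
"""Behavioural checks over MSP administrative activity.
Added example with constructed events (see lead-in)."""
from datetime import datetime, timedelta, timezone

# Assumptions: client's business timezone (fixed offset used so the example
# runs without tzdata), and the hours during which MSP sessions are expected.
LOCAL_TZ = timezone(timedelta(hours=-5))
MAINTENANCE_WINDOW = (8, 18)             # local hours [start, end)
MSP_ACCOUNTS = {"msp-jdoe", "msp-tsmith", "svc-rmm-agent"}   # from OU/naming in practice
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
APPROVED_PACKAGES = {"edr-agent", "chrome-enterprise", "7zip", "rmm-agent"}
OPEN_CHANGE_TICKETS = {"CHG-1042"}       # tickets approved for the day (constructed)

# Constructed normalised events; "ts" is UTC ISO-8601 as most SIEMs emit it.
EVENTS = [
    {"ts": "2025-03-15T03:30:00Z", "event": "remote_session", "actor": "msp-jdoe",
     "target": "WS-0142"},
    {"ts": "2025-03-14T15:05:00Z", "event": "remote_session", "actor": "msp-jdoe",
     "target": "FS-01"},
    {"ts": "2025-03-15T03:41:00Z", "event": "account_created", "actor": "msp-jdoe",
     "target": "backup-svc2", "groups": ["Domain Admins"], "ticket": None},
    {"ts": "2025-03-14T15:10:00Z", "event": "account_created", "actor": "msp-tsmith",
     "target": "svc-scan", "groups": ["Administrators"], "ticket": "CHG-1042"},
    {"ts": "2025-03-15T03:45:00Z", "event": "rmm_deploy", "actor": "svc-rmm-agent",
     "package": "unknown-update.exe", "target": "ALL-ENDPOINTS"},
    {"ts": "2025-03-14T16:00:00Z", "event": "rmm_deploy", "actor": "svc-rmm-agent",
     "package": "chrome-enterprise", "target": "GRP-Finance"},
    {"ts": "2025-03-15T03:50:00Z", "event": "remote_session", "actor": "cfo",
     "target": "FIN-ERP"},   # internal user: not an MSP indicator
]


def parse_ts(ts):
    """UTC ISO-8601 with trailing Z -> aware datetime in the client's local zone."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(LOCAL_TZ)


def in_window(local_dt):
    start, end = MAINTENANCE_WINDOW
    return start <= local_dt.hour < end


def detect(events):
    """Return (rule, actor, object, context) tuples for every MSP indicator hit."""
    alerts = []
    for e in events:
        actor = e["actor"]
        if actor not in MSP_ACCOUNTS:
            continue
        local = parse_ts(e["ts"])
        kind = e["event"]
        if kind == "remote_session" and not in_window(local):
            alerts.append(("off_hours_session", actor, e["target"], local.isoformat()))
        elif kind == "account_created":
            privileged = set(e.get("groups", [])) & PRIVILEGED_GROUPS
            if privileged and e.get("ticket") not in OPEN_CHANGE_TICKETS:
                alerts.append(("unapproved_privileged_account", actor, e["target"],
                               f"groups={sorted(privileged)} ticket={e.get('ticket')}"))
        elif kind == "rmm_deploy" and e["package"] not in APPROVED_PACKAGES:
            alerts.append(("unapproved_deployment", actor, e["package"], e["target"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, obj, ctx in detect(EVENTS):
        print(f"{rule:30} actor={actor:14} object={obj:18} {ctx}")
```

The constructed feed produces three alerts and nothing for the daytime, ticketed, catalogued activity. Of the three, the unapproved deployment to a broad target group is the one to page on: an RMM pushing an unlisted binary to all endpoints at night is the exact shape of the Kaseya incident, and it is visible in the RMM's own audit log before the first endpoint is encrypted.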

What should I ask my MSP about supply chain security?

Key questions: Do you maintain an inventory of all administrative access you hold in our environment? What MFA controls govern your employees' access to client environments? What is your notification timeline if you detect a supply chain compromise that may affect our environment? Do you segment client environments from each other within your management infrastructure? Have you ever been notified of or experienced a supply chain security incident?

Does my cyber insurance cover an MSP supply chain attack?

It depends on your policy. Most cyber policies cover first-party losses from ransomware regardless of attack vector, including supply chain attacks. However, some policies include exclusions for attacks originating through third-party service providers, or sublimits for supply chain events. Review your policy's definition of a covered event and any supply chain exclusions explicitly. This is a material coverage question that should be escalated to your broker.