What is a Supply Chain Attack?
A supply chain attack compromises a vendor or software provider to reach their customers. Learn how supply chain attacks work, why they are so effective, and how to reduce your exposure.
Types of Supply Chain Attacks
Software Supply Chain Attacks
Software supply chain attacks compromise the development, build, or distribution pipeline of software to inject malicious code into legitimate software packages. SolarWinds is the defining example: attackers compromised the build environment for SolarWinds Orion, inserting malicious code into the legitimate software build process. The resulting malicious update was digitally signed by SolarWinds' legitimate code signing certificate, distributed through SolarWinds' legitimate update mechanism, and installed by approximately 18,000 organizations that trusted SolarWinds as a vendor.
Open source dependency attacks target the packages that software applications depend on. Modern software applications incorporate hundreds of open source libraries. An attacker who compromises a widely-used open source package — by contributing malicious code, typosquatting a popular package name, or taking over a package whose maintainer has abandoned it — can reach every application that depends on that package. The Log4Shell vulnerability in the Log4j logging library affected millions of applications because of the library's ubiquity in Java applications globally.
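As an added example (not part of the original article), the typosquatting case above can be screened for by comparing declared dependency names against a list of packages you already trust. The reference list, the sample requirements and all function names here are constructed for illustration.

```python
import re

# POPULAR and SAMPLE are constructed; in practice use the names you already vet.
POPULAR = {"requests", "urllib3", "numpy", "python-dateutil", "cryptography"}
SAMPLE = """\
requests==2.31.0
reqeusts>=2.0
numpi==1.0
python_dateutil
crytography   # one letter dropped
flask
"""

def normalize(name):
    # Package indexes treat case and runs of '-', '_', '.' as equivalent.
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None  # blank line, comment, or pip option
    return normalize(re.split(r"[\s=<>!~\[;@]", line, maxsplit=1)[0])

def edit_distance(a, b):
    # Optimal string alignment: insert, delete, substitute, or swap adjacent characters.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def find_lookalikes(lines, popular, max_distance=1):
    hits = []
    for line in lines:
        name = requirement_name(line)
        if name is None or name in popular:
            continue  # an exact match is the real package
        for known in sorted(popular):
            dist = edit_distance(name, known)
            if dist <= max_distance:
                hits.append((name, known, dist))
    return hits

if __name__ == "__main__":
    for name, known, dist in find_lookalikes(SAMPLE.splitlines(), POPULAR):
        print(f"REVIEW {name}: {dist} edit(s) from {known}")
```

A hit is a prompt for manual review, not proof of malice; legitimate packages can have similar names.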
Hardware Supply Chain Attacks
Hardware supply chain attacks compromise physical components — chips, circuit boards, network equipment — during manufacture or distribution to introduce backdoors or surveillance capabilities. These attacks are primarily associated with nation-state actors with the capability to compromise manufacturing processes. The theoretical risk of compromised hardware in critical infrastructure and telecommunications equipment has driven government procurement restrictions on specific vendors from geopolitical adversaries.
Why Supply Chain Attacks Are So Effective
Inherited Trust
The fundamental reason supply chain attacks succeed is that they exploit inherited trust. An organization that has evaluated SolarWinds, approved it through their procurement process, allowed it through their firewall, granted it network access to monitor infrastructure, and configured it with privileged credentials has granted it a level of trust that internal controls are then layered around. When that trusted vendor's software is compromised, all those internal controls have a blind spot for activity that originates from the trusted vendor's software.
Scale of Reach
A successful attack against a single vendor with thousands of customers is dramatically more efficient than attacking thousands of customers individually. The effort invested in compromising SolarWinds' build pipeline reached 18,000 organizations. The same effort invested in direct attacks would have reached a fraction of that number. From an attacker's perspective, the supply chain multiplies the yield of each attack investment.
Detection Difficulty
Malicious code delivered through a legitimate software update is indistinguishable from legitimate code at the delivery point. It passes the same security scanning that the legitimate software passes. It is signed with the legitimate vendor's certificate. It arrives through the legitimate update mechanism. Detection requires either catching the attacker during the build pipeline compromise, behavioral detection of anomalous activity from the compromised software after installation, or intelligence about the specific indicators of compromise associated with the attack.
Supply Chain Risk Management
Vendor Security Assessment
Third-party risk management programs assess the security posture of vendors before and during engagement. For software vendors with significant access to organizational systems, this assessment should address: their software development security practices, build pipeline security controls, incident history, and the specific access the vendor's software requires in your environment. SOC 2 Type II reports provide independent assessment of vendor security controls and are the standard evidence requested in vendor security reviews.
Least Privilege for Vendor Software
The impact of a compromised vendor can be significantly reduced by applying least privilege principles to vendor software access. A vendor whose software requires network access to function should have precisely the network access required — not unrestricted internal network access. Vendor software with monitoring functions should not have credentials that allow configuration changes. Network segmentation that limits vendor software to the specific systems it needs to reach reduces lateral movement capability if the vendor is compromised.
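The following added example (not from the original article) ties the least-privilege policy above to the behavioral detection described under Detection Difficulty: it audits network flow records from a vendor's server against the access that server is supposed to need. The addresses, policy entries and flow-record format are all constructed assumptions.

```python
import ipaddress

# Constructed policy: the only destinations the vendor monitoring server needs.
POLICY = {
    "10.0.5.10": [                          # hypothetical vendor monitoring server
        ("10.0.20.0/24", 161, "udp"),       # SNMP polling of network devices
        ("10.0.30.0/24", 443, "tcp"),       # HTTPS API on managed servers
        ("198.51.100.25/32", 443, "tcp"),   # vendor update endpoint (documentation range)
    ],
}

# Constructed flow records, one per line: src dst dport proto
FLOWS = """\
10.0.5.10 10.0.20.7 161 udp
10.0.5.10 10.0.30.12 443 tcp
10.0.5.10 10.0.40.3 445 tcp
10.0.5.10 203.0.113.80 443 tcp
10.0.9.9 10.0.40.3 445 tcp
10.0.5.10 10.0.30.12 22 tcp
truncated-record
"""

def allowed(policy, src, dst, port, proto):
    """True/False for governed hosts, None if src is not covered by the policy."""
    rules = policy.get(src)
    if rules is None:
        return None
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(net) and port == p and proto == pr
               for net, p, pr in rules)

def audit(policy, flow_text):
    """Return flows from governed hosts that fall outside their declared access."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed records rather than guessing
        src, dst, port, proto = parts[0], parts[1], int(parts[2]), parts[3]
        if allowed(policy, src, dst, port, proto) is False:
            violations.append((src, dst, port, proto))
    return violations

if __name__ == "__main__":
    for v in audit(POLICY, FLOWS):
        print("OUTSIDE POLICY:", *v)
```

The same policy table can drive both the firewall rules that enforce segmentation and the alerting that reports attempts to step outside it.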
Real-World Example: Kaseya VSA — 1,500 Businesses Through One MSP Platform
In July 2021, the REvil ransomware group exploited a zero-day vulnerability in Kaseya VSA — a remote monitoring and management platform used by managed service providers to manage their clients' IT infrastructure. By compromising Kaseya VSA, the attackers reached not just Kaseya's direct customers but the clients of every MSP using the platform. Approximately 1,500 businesses across 17 countries were encrypted in a single attack that exploited a single vulnerability in a single vendor's platform. The attack demonstrates the compounding effect of supply chain attacks against platforms used by intermediaries — the MSP supply chain attack became a two-hop attack reaching the MSPs' clients.
Increase in software supply chain attacks between 2019 and 2023 — making it the fastest-growing attack category. Defending your perimeter is insufficient when your software vendor's build pipeline is the attack vector.