The Rise of Supply Chain Attacks

What is a supply chain attack

A supply chain attack is a cyber attack that aims to infiltrate and compromise an organisation’s software or hardware supply chain. Instead of targeting the organisation’s systems directly, the attacker compromises a trusted vendor or supplier that provides software, hardware or services to the organisation. Through this compromise, the attacker gains unauthorised access to the organisation’s systems, data or infrastructure.

Key Features

The innate characteristics of supply chain attacks pose a series of challenges that cyber security solutions must address. Supply chain attacks exploit the trust established between organisations and their suppliers and vendors. This trust translates into the expectation that suppliers and vendors provide secure and trustworthy products or services. Attackers attempt to gain access to the organisation’s systems and infrastructure by compromising a trusted supplier. Such an attack path makes the attack challenging and time-consuming to detect and mitigate. In fact, according to the 2022 IBM report on the cost of a data breach [1], the average supply chain compromise lifecycle is longer than the global average, with the average time to identify and contain a supply chain attack being 9% higher than the overall average for security incidents.

Since compromised vendors or suppliers often serve multiple organisations, frequently across different domains, the attack most often affects numerous targets simultaneously, leading to potentially tremendous impact amplification. Thus, through a single point of entry, a successful supply chain attack can have extensive and widespread consequences. This cascading effect is driven by the high complexity of modern supply chains, which include multiple vendors, suppliers and interconnected systems, with organisations having limited control over their supply chain.

Several supply chain attacks specifically target government agencies, critical infrastructure providers or large enterprises. These entities often manage valuable assets and information, such as sensitive data and intellectual property, or have a significant impact on society. The August 2022 supply chain attack affecting the National Health Service (NHS) in the UK is a prime example [2]. In this incident, Advanced, a software and services provider that is part of the NHS digital supply chain, was hit by a ransomware attack. The attack significantly disrupted the operation of several key health services across the NHS, such as patient referrals, ambulance dispatch and out-of-hours appointment bookings. On top of this, there were fears of patient data leakage.

The Transformed Landscape

According to Gartner’s prediction, nearly half (45%) of all global organisations will have encountered digital supply chain attacks by the year 2025 [3]. The SolarWinds incident [4] stands out as one of the most renowned and influential supply chain attacks globally. As a prominent software vendor, SolarWinds provides system management tools for network and infrastructure monitoring, along with various technical services, to over 300,000 customers worldwide. According to SolarWinds’ own estimates, almost 18,000 of its customers are believed to have received a compromised software update through this incident. In June 2023, a supply chain attack known as the MOVEit attack [5] specifically targeted users of MOVEit Transfer, a widely used secure file transfer tool. By compromising the BBC, British Airways and Aer Lingus, among others, and leaking personal data, this incident demonstrates how rapidly a supply chain attack can escalate and the significant impact small vendors can have on major organisations.

Recognising the significant potential impact of software supply chain attacks, the NIS2 directive, which directly targets critical sectors such as energy, transport, banking, financial market infrastructures, health, drinking and waste water, digital infrastructure, ICT service management, public administration and space, incorporates software supply chain security requirements. In fact, according to this directive, which is to be adopted by Member States by 17 October 2024, supply chain security is among the 10 key elements that all entities subject to its obligations must address or implement as part of the measures they take.

PHOENI2X and supply chain attacks

PHOENI2X aims to enhance the ability of healthcare stakeholders to withstand supply chain attacks by implementing cutting-edge, AI-enriched Situational Awareness technology. Moreover, it will provide advanced business continuity and automated recovery features to strengthen the overall resilience of healthcare organisations. To this end, PHOENI2X will use AI-driven behavioural pattern matching to detect suspicious user behaviour, such as injecting malicious code into the source code repository of the healthcare supply chain pipeline, or performing destructive actions, such as removing entire code branches. Furthermore, PHOENI2X can assist the developers of healthcare applications by informing them about vulnerable libraries used in the code base, and can assist system administrators, security officers and DevOps personnel by providing real-time security assessments and risk calculations concerning the IT topology of the supply chain. Moving forward, PHOENI2X can be further extended to execute actions on the supply chain immediately whenever a security incident is detected. These actions can include blocking suspicious actors, reverting malicious code commits and taking immediate mitigating measures to strengthen the topology of the supply chain. At the same time, PHOENI2X can inform interested parties, such as national or international security authorities, about security incidents, and can also communicate the observed attack patterns to other PHOENI2X instances.

References

[1] Cost of a Data Breach Report 2022, IBM Security, https://www.ibm.com/security/data-breach

[2] https://www.theguardian.com/society/2022/aug/11/fears-patient-data-ransomware-attack-nhs-software-supplier

[3] https://www.gartner.com/en/newsroom/press-releases/2022-03-07-gartner-identifies-top-security-and-risk-management-trends-for-2022

[4] https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

[5] https://www.ncsc.gov.uk/information/moveit-vulnerability

Author

Vassiliki Andronikou, PhD

Nodalpoint Systems, Greece