Supply chain attack


A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
A supply chain is a system of activities involved in handling, distributing, manufacturing, and processing goods in order to move resources from a vendor into the hands of the final consumer. A supply chain is a complex network of interconnected players governed by supply and demand.
Although supply chain attack is a broad term without a universally agreed upon definition, in reference to cyber-security, a supply chain attack can involve physically tampering with electronics in order to install undetectable malware for the purpose of bringing harm to a player further down the supply chain network. Alternatively, the term can be used to describe attacks exploiting the software supply chain, in which an apparently low-level or unimportant software component used by other software can be used to inject malicious code into the larger software that depends on the component.
In a more general sense, a supply chain attack may not necessarily involve electronics. In 2010 when burglars gained access to the pharmaceutical giant Eli Lilly's supply warehouse, by drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck, they could also have been said to carry out a supply chain attack. However, this article will discuss cyber attacks on physical supply networks that rely on technology; hence, a supply chain attack is a method used by cyber-criminals.

Attack framework

Generally, supply chain attacks on information systems begin with an advanced persistent threat that determines a member of the supply network with the weakest cyber security in order to affect the target organization. Hackers don't usually directly target a larger entity, such as the United States Government, but instead target the entity's software. The third-party software is often less protected, leading to an easier target. According to an investigation produced by Verizon Enterprise, 92% of the cyber security incidents analyzed in their survey occurred among small firms. Supply chain networks are considered to be particularly vulnerable due to their multiple interconnected components.
APTs can often gain access to sensitive information by physically tampering with the production of the product. In October 2008, European law-enforcement officials "uncovered a highly sophisticated credit-card fraud ring" that stole customer's account details by using untraceable devices inserted into credit-card readers made in China to gain access to account information and make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses.

Risks

The threat of a supply chain attack poses a significant risk to modern day organizations and attacks are not solely limited to the information technology sector; supply chain attacks affect the oil industry, large retailers, the pharmaceutical sector and virtually any industry with a complex supply network.
The Information Security Forum explains that the risk derived from supply chain attacks is due to information sharing with suppliers, it states that "sharing information with suppliers is essential for the supply chain to function, yet it also creates risk... information compromised in the supply chain can be just as damaging as that compromised from within the organization".
While Muhammad Ali Nasir of the National University of Computer and Emerging Sciences, associates the above-mentioned risk with the wider trend of globalization stating "…due to globalization, decentralization, and outsourcing of supply chains, numbers of exposure points have also increased because of the greater number of entities involved and that too are scattered all around the globe… cyber-attack on supply chain is the most destructive way to damage many linked entities at once due to its ripple effect."
Poorly managed supply chain management systems can become significant hazards for cyber attacks, which can lead to a loss of sensitive customer information, disruption of the manufacturing process, and could damage a company's reputation.

Examples

Compiler attacks

reported a connecting thread in recent software supply chain attacks, as of 3 May 2019.
These have been surmised to have spread from infected, pirated, popular compilers posted on pirate websites. That is, corrupted versions of Apple's Xcode and Microsoft Visual Studio.

Target

At the end of 2013, Target, a US retailer, was hit by one of the largest data breaches in the history of the retail industry.
Between 27 November and 15 December 2013, Target's American brick-and-mortar stores experienced a data hack. Around 40 million customers' credit and debit cards became susceptible to fraud after malware was introduced into the POS system in over 1,800 stores. The data breach of Target's customer information saw a direct impact on the company's profit, which fell 46 percent in the fourth quarter of 2013.
Six months prior the company began installing a $1.6 million cyber security system. Target had a team of security specialists to monitor its computers constantly. Nonetheless, the supply chain attack circumvented these security measures.
It is believed that cyber criminals infiltrated a third party supplier to gain access to Target's main data network. Although not officially confirmed, investigation officials suspect that the hackers first broke into Target's network on 15 November 2013 using passcode credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems.
Ninety lawsuits have been filed against Target by customers for carelessness and compensatory damages. Target spent around $61 million responding to the breach, according to its fourth-quarter report to investors.

Stuxnet

is a computer worm that is widely believed to be a joint U.S.-Israeli cyber operation, though neither government has officially confirmed involvement. The worm specifically targets industrial control systems, particularly those that automate electromechanical processes, such as factory machinery and nuclear enrichment equipment. Stuxnet was designed to manipulate programmable logic controllers, disrupting industrial equipment by issuing unauthorized commands while simultaneously feeding falsified operations data to monitoring systems to conceal its activity.
Stuxnet is widely believed to have been developed to disrupt Iran's enriched uranium programs. Kevin Hogan, Senior Director of Security Response at Symantec, stated that most infections occurred in Iran. Analysts suggest that its primary target was the Natanz uranium enrichment facility.
Stuxnet was initially introduced into Iran's Natanz facility via infected USB flash drives, requiring physical access to the target network. According to reports, engineers or maintenance workers, either knowingly or unknowingly, facilitated its entry into the plant. Once inside, the worm spread autonomously, exploiting multiple zero-day vulnerabilities in Windows systems to propagate across networked machines running Siemens industrial control software.

ATM malware

In recent years malware known as Suceful, Plotus, Tyupkin and GreenDispenser have affected automated teller machines globally, especially in Russia and Ukraine. GreenDispenser specifically gives attackers the ability to walk up to an infected ATM system and remove its cash vault. When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers with the right access credentials can drain the ATM's cash vault and remove the malware from the system using an untraceable delete process.
The other types of malware usually behave in a similar fashion, capturing magnetic stripe data from the machine's memory storage and instructing the machines to withdraw cash. The attacks require a person with insider access, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM.
The Tyupkin malware active in March 2014 on more than 50 ATMs at banking institutions in Eastern Europe, is believed to have also spread at the time to the U.S., India, and China. The malware affects ATMs from major manufacturers running Microsoft Windows 32-bit operating systems. The malware displays information on how much money is available in every machine and allows an attacker to withdraw 40 notes from the selected cassette of each ATM.

NotPetya / M.E.Doc

In June 2017, the financial software M.E.Doc, widely used in Ukraine, was identified by security researchers as a likely initial vector for the spread of the NotPetya malware. Security researchers, including those from Microsoft, indicated that NotPetya infections may have originated from a compromised update issued through M.E.Doc. Some analysts described this as a supply chain attack, though the exact method of compromise was not definitively identified. The software's developers denied the claim but later deleted their statement and stated that they were cooperating with investigators.
NotPetya was initially identified as ransomware because it encrypted hard drives and displayed a ransom demand in bitcoin. However, the email account used to provide decryption keys was shut down, leaving victims without a way to recover their files. Unlike WannaCry, NotPetya had no built-in kill switch, making it harder to stop. The attack affected multiple industries in Ukraine, including banks, an airport, the Kyiv Metro, pharmaceutical companies, and Chernobyl's radiation detection systems. It also spread globally, impacting organizations in Russia, the United Kingdom, India, and the United States.
NotPetya spread using EternalBlue, a vulnerability originally developed by the U.S. National Security Agency and later leaked. EternalBlue had previously been used in the WannaCry cyberattack in May 2017. This exploit enabled NotPetya to spread through the Windows Server Message Block protocol. The malware also used PsExec and the Windows Management Instrumentation to spread within networks. Due to these exploits, once a device on a network was infected, the malware could rapidly spread to other connected systems.
Ukrainian police stated that M.E.Doc employees could face criminal liability for negligence, citing repeated warnings from antivirus firms about security vulnerabilities in the company's cybersecurity infrastructure. The head of Ukraine's CyberPolice, Colonel Serhiy Demydiuk, alleged that M.E.Doc had been repeatedly warned by security firms about weaknesses in its systems but failed to act, stating, "They knew about it." Authorities later reported that M.E.Doc cooperated with investigators.