The ICO exists to empower you through information.

Many third parties are now processing more sensitive information on behalf of other organisations than ever before. You can no longer just rely on your own internal cyber security controls to secure information. Although many businesses have effectively enacted internal cybersecurity protections, The Marsh State of Cyber Resilience Report 2022, found that less than half have conducted risk assessments of their supply chain.

The increased use of cloud and an expanding digital landscape have caused some organisations to rush into new implementations, without the due diligence needed to manage the associated risks. Following on from the COVID-19 pandemic, Argon’s security review found supply chain attacks grew by over 300%.

The threat from a supply chain is directly linked to the number of suppliers, and hence the number of potential attack entry points. As digital estates expand, the risks from the supply chain also increase. Vendors with poor security controls can leave themselves, and the wider supply chain, open to attack.

The ability to attack many targets simultaneously through supply chain vulnerabilities has meant supply chains are an attractive target for criminals. Well publicised attacks, such as SolarWinds, log4j, Kaseya, and Spring4Shell, have alerted more people to the importance of vendor management.

What is a supply chain attack and how does it happen?

A supply chain attack is when products, services, or technology you are supplied with have been breached or compromised and are in turn used to infiltrate and further compromise your own systems.

This type of attack targets one or more elements you need to provide the products or services that you rely on. It could include software, hardware, or third-party vendors. This combination of people, processes and technological elements is your ‘supply chain’ and the risk to your organisation and those you interact with, will vary.

This means that when you use third-parties or IT service providers to process information on your behalf, you should be satisfied that:

  • they have appropriate security and are complying with data protection legislation; and
  • you have some form of assurance, usually via a contract.

Attackers search for unsafe code, unsafe infrastructure practices, and unsafe network procedures that allow them to insert or exploit the third party’s systems with the intent to cause harm.

Recently, Russian actor Nobelium has been attacking organisations which are seen as integral to the global IT supply chain. Microsoft reports that these attacks are against resellers. Attackers have not attempted to exploit software vulnerabilities, but used techniques, such as phishing, to steal legitimate credentials, gain privileged access and exploit this to gain entry to their client’s systems.

In a software supply chain attack the attackers insert their own code into a system or product known as malicious code injection. A criminal software developer could change code to perform malicious actions within the application. This enables fraud and information theft, or leaves a backdoor for an attacker to remotely access a corporate system. Applications with these undetected vulnerabilities could cause numerous attacks on many organisations and systems.

Further reading:

Digital supply chain attacks occur when developers use commonly used libraries to enable a function in their application. If the attacker inserts the malicious code into the programming library, any software developer that incorporates the infected library into their product will leave the product vulnerable.

In a hardware supply chain attack, the criminal supplies hardware products with installed components (eg microchips on a circuit board) which are used to build servers and other network components. The attacker can then search or extract information or obtain remote access to the corporate infrastructure.

The reason supply chain attacks are so difficult to mitigate is because you not only have to trust all the vendors you work with, but all the vendors who supply them.

An attacker, or a group of attackers, can target any part of the supply chain.

Example: Insecure supply chain leads to infiltration and a penalty notice

Facts

The IT systems of a hotel company were compromised by an unknown attacker using an unknown attack vector. The company was later acquired by another organisation. During the post-acquisition period, the attacker continued to travel through the company's systems and gained access to the system containing cardholder information.

This access allowed the attacker to export the personal information of many customers to "dmp" files on the company's systems, potentially with a view to taking a copy of the information, which included card payment information.

The attack

The attacker installed a web shell on a device within the company's network. This device was used to support an Accolade software application used by employees to request changes to any content of the company's website. The installation gave the attacker the ability to remotely access the system, allowing them to edit the contents of that system and, in this case, install Remote Access Trojans (RATs). The trojan malware enabled remote administrative control of the system, giving the attacker more access than a normal user account and unrestricted access to the relevant device.

The attacker then installed and executed a post-exploitation tool, ‘Mimikatz’. This tool allows the harvesting of login credentials temporarily stored in the system memory, scanning the server for all the usernames and passwords stored. This allowed the attacker to continue to compromise user accounts which were secured using a mixture of single and multi-factor authentication.

The attacker then used these accounts to perform further reconnaissance and to run commands on the reservation database, including creating files which may have been intended for exfiltrating information. Additional malware, known as memory-scraping malware, was installed on multiple devices which searched them for payment card data.

What could have been done differently?

  • Use multi-factor authentication (MFA) without gaps.
  • Carry out more thorough due diligence where possible.

Note: the acquiring organisation was only able to carry out limited due diligence on the company's information processing systems and databases, including due diligence in relation to MFA. For the avoidance of any doubt, there was no finding of infringement in relation to MFA or due diligence aspects.

They could have implemented:

  • appropriate monitoring of privileged accounts - appropriate and adequate measures are in place to allow for the identification of the breach and to prevent further unauthorised activity e.g. appropriate ongoing monitoring of user activity, particularly activity by privileged accounts;
  • appropriate monitoring of databases including sufficient logging of key activities such as user activity or actions taken on a database and server logging of the creation of files;
  • a form of server hardening as a preventative measure e.g. allowlisting; and
  • encryption across more information categories.

What might help reduce risks from supply chain attacks?

Detecting attacks is an increasing challenge, due to ever more advanced tactics, new techniques and tools, as with all types of cyber-attacks Supply chains expand the scope beyond what is under your direct control, as they can come from any third-party vendors, including:

  • website or software suppliers;
  • development and testing platforms; or
  • information storage solutions.

A supply chain attack targets systems and services you assess and trust. In each case, the attacker uses this trust to attempt to access critical aspects of your infrastructure and carry out malicious activity.

Supply chain attacks are more complicated than many other types of attacks and your recovery may depend much more heavily on your third-party supplier. To reduce the risk you should:

  • have a robust supply chain risk management programme in place and apply a process for monitoring, managing, and reviewing systems, processes and access throughout your supply chain;
  • document, evaluate, mitigate, and regularly review risks in your supply chain (recital 87), including who you share the information with and where and how it is processed;
  • conduct thorough due diligence with any potential supplier prior to commissioning their service;
  • verify any connections you have, ensuring that the principles of least privilege and segregation of duties are enforced throughout;
  • perform tests over systems developed for you by third parties, where possible;
  • have assurances from your processors before sharing any information with them and have documented service level and security agreements;
  • review your contractual relationship with your suppliers and understand the responsibility each has, especially about an incident that stems from the supplier’s network; and
  • be aware when procuring software as a service (SaaS) that you rely on the vendor supplying you with relevant logs if the system is compromised and logging may be limited.

Incident response for supply chain attacks is like any incident response, but supply chain attacks rely on trust. You should demonstrate you understand all your third-party connections and, with the use of appropriate tools, be able to detect unexpected actions, discover malicious code, and deny access to possible threats.

What are the likely future developments?

Research by Gartner showed attackers are targeting software development systems and open-source artefacts to compromise software supply chains. Gartner predicts that, “…by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” The research demonstrated an escalating threat to software supply chains with attackers targeting build pipelines. This increased risk requires robust DevOps (development and operations) security controls.

Inserting malicious code into open libraries means that every other project that uses the code will be susceptible to the vulnerability created. In a market which is focused on innovation at speed, code sharing and insecure ad-hoc tooling is a potential area of vulnerability.

You must develop systems and all their components  with security in mind from the outset. Positive developments are taking place with an increased focus on security-by-design, with DevOPs moving to a DevSecOps model. This aims to integrate security into the software development lifecycle in order to prevent security vulnerabilities becoming apparent in production and save the resource required to fix post-release flaws.