2022 has been a trying year for cybersecurity. The UK especially has seen an increased number of high-profile breaches to supply chains that had economic impacts. So how do we combat the risks? For the past six years, the National Cyber Security Centre (NCSC) has released an annual review covering insights and findings for the previous year and what to expect for the future. See the full 2022 review here.
In this blog, the focus will be on one of the highlighted threats in NCSC’s Annual Report Review: supply chain attacks. Supply chain attacks impact both hardware and software, and due to the compromise of some high-profile suppliers, even when procuring from an official source, you could be at risk. We will also break down the impact various impacts cyber threats have on supply chains and provide examples of how other organisations dealt with these types of attacks.
In addition to more conventional risks, such as being supplied counterfeit goods or misrepresented quantities, there can be more malicious intent. With a global supply chain, the risk of nefarious tampering of products and equipment manufactured around the world has been demonstrated to be real.
One of the more prominent cyber supply chain incidents occurred several years ago with a large computer manufacturer, ASUS. The corporation was the victim of a supply chain attack that distributed malware to tens of thousands of ASUS computers around the world. To facilitate this attack, hackers gained access to ASUS’s servers and a valid signing certificate, which was then used to push the hacked updates out to ASUS computers worldwide. This supply chain attack was similar in some ways to the CCleaner supply chain attack of 2017, when the official download of the free versions of CCleaner was found to contain a malicious payload.
More recently, the SolarWinds’ Orion IT management tool was attacked, allowing hackers access to as many as 18,000 systems. What is becoming increasingly concerning is not just the volume of attacks, but how tools used by developers are being targeted. In 2021, Codecov suffered a supply chain attack that enabled the attackers to harvest Codecov customers' credentials, in 2015 a hacked version of Apple’s XCode was distributed and in 2019 a hacked variant of Microsoft’s Visual Studio was circulating.
The experts at ULTRA Intelligence & Communications expect to see the number of supply chain attacks to continue to increase. Rather than trying to attack a hard target it may be easier to infiltrate one of their suppliers, with the added bonus that one supplier could impact multiple hard targets. The solution to supply chain attacks is not simple and cannot be addressed purely by technology. The procurement process must also be assessed which can be a daunting prospect. Fortunately, there are several processes and initiatives in existence to assist with this, such as the Defence Cyber Protection Partnership (DCPP) (link), the Government supplier assurance framework (link), and ISO 28000 (link). The link here is also for the NCSC’s supply chain security guidance to help you have a clearer picture of what the future of supply chain protection looks like.