According to the European Union Agency for Cybersecurity (ENISA), supply chain attacks are projected to quadruple by the end of 2021 as compared to last year. Based on the research, ENISA observed that the attacks are increasing in numbers and sophistication. 66% of the supply chain attacks also focus on the supplier’s code, and strong security protection alone is no longer enough for organisations.
This report aims at mapping and studying the supply chain attacks that were discovered from January 2020 to early July 2021. Based on the trends and patterns observed, supply chain attacks increased in number and sophistication in the year 2020 and this trend is continuing in 2021, posing an increasing risk for organizations. It is estimated that there will be four times more supply chain attacks in 2021 than in 2020. With half of the attacks being attributed to Advanced Persistence Threat (APT) actors, their complexity and resources greatly exceed the more common nontargeted attacks, and, therefore, there is an increasing need for new protective methods that incorporate suppliers in order to guarantee that organizations remain secure.
This report presents the Agency’s Threat Landscape concerning supply chain attacks, produced with the support of the Ad-Hoc Working Group on Cyber Threat Landscapes1 . The main highlights of the report include the following:
- A taxonomy to classify supply chain attacks in order to better analyse them in a systematic manner and understand the way they manifest is described.
- 24 supply chain attacks were reported from January 2020 to early July 2021, and have been studied in this report.
- Around 50% of the attacks were attributed to well-known APT groups by the security community.
- Around 42% of the analysed attacks have not yet been attributed to a particular group.
- Around 62% of the attacks on customers took advantage of their trust in their supplier.
- In 62% of the cases, malware was the attack technique employed.
- When considering targeted assets, in 66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers.
- Around 58% of the supply chain attacks aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people.
- Not all attacks should be denoted as supply chain attacks, but due to their nature many of them are potential vectors for new supply chain attacks in the future.
- Organizations need to update their cybersecurity methodology with supply chain attacks in mind and to incorporate all their suppliers in their protection and security verification.
Tim Mackey, Principal Security Strategist, at Synopsys Cybersecurity Research Centre (CyRC) shares his thoughts on the findings of the research. Traditionally, cybersecurity incidents have involved direct attacks between malicious actors and their victims. The Threat Landscape for Supply Chain Attacks report highlights an important shift in cybercriminals’ tactics – indirectly targeting the their victims through the software of their trusted third-party suppliers and service providers.
With businesses becoming increasingly reliant on complex software supply chains, this is an important trend to follow, and one that should be factored into any cyber-risk management plans. The importance of this is underscored in the report which found that 2/3 of the software suppliers were unaware that they’d been compromised.
Considering the importance of application security practices in most software companies, this lack of awareness points to a gap in process. A gap where threat models likely need revising to account for how software supply chains work and one where an objective review of security initiatives such as the taxonomy maintained by the BSIMM community.