A supply chain attack occurs when a criminal compromises a trusted vendor and uses that access to launch cyberattacks across the vendor's supply chain. Attackers can infect shared infrastructure with malware, or send convincing phishing emails from the trusted vendor's own accounts.
While you are proactively working to keep your network secure, it’s ultimately only as safe as the vendors you trust and work with. Outside organizations with an existing relationship with your company could turn into the entry point for a cyberattack.
Our research shows that companies have an 82% chance of receiving a vendor email compromise (VEC) attack each week. It's crucial for organizations to understand how supply chain attacks work, how to protect against them, and how Abnormal Security can help stop them.
How Do Supply Chain Attacks Work?
Supply chain attacks involve compromising an organization and then targeting its trusted partners. They succeed because they're extremely difficult to detect. Almost all organizations work with outside partners or third-party vendors; together, these vendors make up the organization's supply chain, and an implicit level of trust, including data sharing, is required for the relationship to function. That trust is what supply chain attacks exploit.
These attacks are particularly insidious because they exploit a trusted relationship between a company and its third-party vendors. Criminals will compromise an outside vendor and subsequently leverage the existing relationship to trick partners into interacting with malicious emails that contain fake invoices, credential phishing, or malware. They can also exploit unsecured networks and servers to hide malware in shared build and update infrastructure.
How Do Supply Chain Attacks Happen?
There are two primary types of supply chain attacks in cybersecurity:
Software supply chain attacks, where attackers target software developers and suppliers. If they find a weak point, they can inject malware into a trusted app or program that is used across an entire supply chain of vendors.
Social engineering supply chain attacks, where attackers compromise a vendor account and use it to send convincing phishing attacks.
In software supply chain attacks, a cybercriminal accesses unsecured networks, servers, and apps where they can change source code to hide malware. This infected code is unknowingly shipped by software developers and used by partners in their supply chain.
Besides looking for cybersecurity vulnerabilities, criminals often use social engineering tactics to exploit organizational relationships via email to gain access to a network.
Vendor email compromise (VEC): A criminal gains unauthorized access to an email account and uses it to target trusted partners. It often works because the malicious email comes from a vendor that you trust or have worked with previously. This can be difficult for organizations to spot since a known email address is used to make the fraudulent request.
Email spoofing: A type of phishing attack that uses an email address resembling the address of the real organization the criminal is mimicking. It tricks the recipient into thinking the message originates from a trusted contact.
When a criminal uses one of these attacks, they’ll ask a partner to pay an invoice or update billing information. The business, thinking the email was sent from a trusted partner, will oblige. The criminal then fraudulently receives funds.
Criminals also use exploited supply chains to spread malware through phishing emails. Supply chain attacks are highly sophisticated, and it’s difficult to identify messages from trusted email accounts as suspicious.
Examples of Supply Chain Attacks
The SolarWinds supply chain attack is probably the most recognized supply chain attack.
More than 18,000 public and private organizations used SolarWinds Orion, and they all received malicious code hidden in a routine update. Even U.S. government agencies with the strongest cybersecurity tools and services were victims. The SolarWinds attack showed that even robust cybersecurity systems can have a hard time detecting compromised vendors.
SolarWinds later cited "...a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability" as the likely attack vectors.
Some other notable supply chain attack examples include:
Colonial Pipeline: One compromised password of a virtual private network account was all it took to launch a ransomware attack that resulted in the shutdown of a gasoline pipeline system and a $4.4 million ransom paid to criminals.
United States Agency for International Development (USAID): Hackers gained access to USAID's account with Constant Contact, an email marketing company, and used the account to send emails with malicious links to more than 3,000 accounts.
Kaseya: Kaseya, a software company for managed service providers, was exploited by hackers and infected over 1,000 customers with ransomware. The hackers asked for a $70 million ransom to restore the system.
How Can You Protect Against a Supply Chain Attack?
Stopping supply chain attacks requires modern email security. Since social engineering supply chain attacks usually start through email, detecting them is critical.
Traditional email security struggles to spot compromised vendor accounts. Controls like reputation checks and attachment scans aren't enough to protect employees from supply chain attacks, because the sending account is genuine and the message often carries no malware.
The example email below bypasses standard email security even though it was sent from a compromised vendor account.
In this example, Abnormal Security detected suspicious signals of a VEC attack that traditional email security misses:
Attached invoices containing different bank numbers and routing numbers than previous invoices.
Urgent messages asking for payment immediately.
The sender has never interacted with the recipient before.
Suspicious financial requests like irregular timing of invoices.
Abnormal Security can recognize social engineering tactics that average security protocols don't notice. This protects your employees from tricky phishing emails sent by a compromised vendor account. It monitors for potential red flags like:
Display name spoofing.
Content and tone with unnecessary urgency or unusual financial requests.
Suspicious links and attachments.
Repeated requests to multiple employees to pay an invoice.
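The red flags listed above can be expressed as rules over a vendor's known history. The following is an added example, not Abnormal Security's code or detection logic: it scores constructed invoice emails against a hypothetical vendor record ("ACME") for changed bank details, urgency, first-time sender, display-name spoofing, irregular invoice timing, and the same invoice sent to several employees. The vendor record fields, the lookalike addresses, and the invoice data are all constructed sample values.

```python
# Added example, not Abnormal Security's code: a rule-based scorer for the VEC red flags above.
import re
from dataclasses import dataclass
from datetime import date

URGENT = re.compile(r"\b(immediately|urgent|asap|overdue|today)\b", re.IGNORECASE)
@dataclass
class Email:
    sender: str         # real From address
    display_name: str   # name shown in the mail client
    recipient: str
    sent: date
    invoice_id: str
    bank: str           # "account/routing" taken from the attached invoice
    body: str

def vec_signals(msg, vendor, batch):
    """Red flags for one email; `vendor` is the org's record of that vendor, `batch` the mail window."""
    flags = []
    if msg.bank != vendor["bank"]:                       # new account/routing numbers
        flags.append("bank_details_changed")
    if URGENT.search(msg.body):                          # pressure to pay right now
        flags.append("urgent_payment_request")
    if (msg.sender, msg.recipient) not in vendor["interactions"]:
        flags.append("no_prior_interaction")
    known = vendor["contacts"].get(msg.display_name)    # known name, different address
    if known and known.lower() != msg.sender.lower():
        flags.append("display_name_spoofing")
    last = vendor["last_invoice"]                        # far off the usual billing cadence
    if last and abs((msg.sent - last).days) < vendor["cadence_days"] // 2:
        flags.append("irregular_invoice_timing")
    if len({m.recipient for m in batch if m.invoice_id == msg.invoice_id}) > 1:
        flags.append("repeated_request_to_multiple_employees")
    return flags
# Constructed vendor record (hypothetical "ACME"), one genuine invoice, and a two-message VEC batch.
ACME = {"bank": "111222333/021000021",
        "contacts": {"Pat Lee": "pat.lee@acme-supplies.example"},
        "interactions": {("pat.lee@acme-supplies.example", "ap@victim.example")},
        "last_invoice": date(2024, 3, 1), "cadence_days": 30}
BATCH = [
    Email("pat.lee@acme-supplies.example", "Pat Lee", "ap@victim.example", date(2024, 4, 1),
          "INV-1050", "111222333/021000021", "Attached is this month's invoice."),
    Email("pat.lee@acme-suppiies.example", "Pat Lee", "ap@victim.example", date(2024, 3, 8),
          "INV-1042", "999888777/021000021", "Please pay immediately; our bank has changed."),
    Email("pat.lee@acme-suppiies.example", "Pat Lee", "cfo@victim.example", date(2024, 3, 8),
          "INV-1042", "999888777/021000021", "Urgent: process INV-1042 today."),
]
def triage(batch=BATCH, vendor=ACME):   # flags per invoice/recipient; hold mail above a threshold
    return {f"{m.invoice_id}:{m.recipient}": vec_signals(m, vendor, batch) for m in batch}
```

The genuine invoice raises no flags, while both lookalike-domain messages trip every rule; in practice the vendor record would be built from mail history and accounts-payable data rather than hard-coded.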