While the numbers aren’t in yet for the largest supply chain cybersecurity attacks in 2024, a report by Data Theorem showed that 91% of organizations experienced a software supply chain attack last year.
Here are the top five attacks of 2023, according to Cisco.
1. Okta (October 2023):
Okta, a leading provider of identity and authentication management services, disclosed a significant breach where threat actors gained unauthorized access to private customer data through its support management system. Despite security alerts, the breach went undetected for weeks, highlighting the vulnerability of widely used services like Okta to third-party supply chain risks.
2. JetBrains (September/October 2023):
In a concerning development, the SolarWinds hackers exploited a critical vulnerability in JetBrains TeamCity servers, potentially enabling remote code execution and administrative control. This incident underscores the severity of supply chain attacks, as even trusted tools like JetBrains can be compromised, posing significant risks to organizations relying on their software.
3. MOVEit (June 2023):
The MOVEit Transfer tool, renowned for securely transferring sensitive files, was targeted in a supply chain attack affecting over 620 organizations, including major entities like BBC and British Airways. Linked to the ransomware group Cl0p, this attack underscores the urgency of promptly patching vulnerabilities and securing web-facing applications to mitigate supply chain risks effectively.
4. 3CX (March 2023):
The desktop apps of 3CX, a widely used communications software provider, fell victim to a supply chain attack, enabling attackers to execute malicious activities within victims' environments. The fact that the compromised apps were signed with valid 3CX certificates suggests a compromised build environment, highlighting the importance of stringent security measures in software supply chains.
5. Applied Materials (Feb 2023):
A cyber-attack targeting a business partner of semiconductor giant Applied Materials disrupted shipments, potentially resulting in losses of up to $250 million. This incident underscores the far-reaching consequences of supply chain attacks, impacting critical industries and causing significant financial harm.
To help companies address this growing issue, the National Institute of Standards and Technology issued a best practices paper. The agency notes that “cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise.”
What follows is an excerpt from the NIST report:
Cyber Supply Chain Security Principles
1. Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.
2. Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.
3. Security is security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.
Key Cyber Supply Chain Risks
Cyber supply chain risks cover a lot of territory. Some of the concerns include risks from:
• Third-party service providers or vendors – from janitorial services to software engineering – with physical or virtual access to information systems, software code, or IP.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Software security vulnerabilities in supply chain management or supplier systems.
• Counterfeit hardware or hardware with embedded malware.
• Third-party data storage or data aggregators.