Supply Chain Attack

A cyber-attack targeting an organisation through compromise of its software vendor, service provider or component supplier - bypassing the target's direct defences.

What is a Supply Chain Attack?

A supply chain attack is a strategy in which the attacker compromises not the end target directly but one of its suppliers: a software vendor, cloud service provider, managed service provider or hardware component manufacturer. The compromised software, update or service then reaches the target organisation through normal, trusted distribution channels, so the victim installs it as it would any legitimate release.

The SolarWinds attack (2020) is a textbook example: the attacker (APT29/Cozy Bear, attributed by the US government to Russia's SVR) inserted a backdoor, later named SUNBURST, into the build of the Orion platform, and the trojanised, validly signed update was downloaded by approximately 18,000 customers, including US government agencies. The Kaseya attack (2021) exploited vulnerabilities in the Kaseya VSA remote-management platform to push REvil ransomware through managed service providers to their customers, hitting hundreds of companies. The NotPetya attack (2017) spread through the update mechanism of the Ukrainian tax accounting software M.E.Doc.

Supply chain attacks take various forms: publishing malicious packages to public registries such as npm or PyPI, manipulating the software build process (CI/CD pipeline compromise), stealing or misusing code-signing certificates, modifying device firmware, and infiltrating managed service providers (MSPs) to reach their customers through the provider's own remote-management tooling.

Why does it matter?

Supply chain attacks bypass traditional defences because the malicious code arrives from a trusted source: a legitimate update, digitally signed software, a verified vendor. A valid signature only proves that the artefact was signed with the vendor's key; it says nothing about whether the vendor's build was clean, which is why the trojanised SolarWinds update passed signature checks. Defence therefore requires vendor risk management, integrity verification of the software actually deployed (for example pinning the expected hashes of dependencies and updates rather than trusting whatever the index or vendor serves), segmentation and least-privilege scoping of vendor access, and monitoring for unusual behaviour by third-party software. NIS2 and DORA explicitly require supply chain risk assessment.
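As an added illustration of the "software integrity verification" point above (example code written for this page, not taken from any vendor or project it mentions), the script below parses a requirements-style manifest that carries pip's `--hash=sha256:<hex>` pins, recomputes SHA-256 over the local artifact files and reports every entry that is unpinned, missing or modified. The package names (`acme-http`, `acme-auth`, `acme-utils`), the artifact bytes and the "trojanised rebuild" are all constructed for the demo; the point it makes is that an artifact republished under the same name and version fails the pinned-hash check, while an unpinned entry would have accepted anything.

```python
"""Hash-pinned artifact verification (added example, not from the original page).

Parses a manifest in pip's requirements format with `--hash=sha256:<hex>` pins,
recomputes SHA-256 over the local artifacts and flags unpinned, missing or
modified entries. Package names and artifact contents are constructed for
illustration only.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

PIN_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([^\s\\]+)")


def parse_manifest(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Return {name: (version, [sha256 hex pins])} per requirement line.
    Backslash-continued lines are joined first, as pip does; comments are dropped."""
    joined = text.replace("\\\n", " ")
    pins: Dict[str, Tuple[str, List[str]]] = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        pins[name] = (version, PIN_RE.findall(line))
    return pins


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(manifest: str, artifact_dir: Path) -> Dict[str, str]:
    """Check each requirement against <artifact_dir>/<name>-<version>.tar.gz.
    Returns {name: 'ok' | 'unpinned' | 'missing' | 'hash-mismatch'}.
    An entry without a --hash pin is a failure, not a pass: it would accept
    whatever the index happens to serve for that name and version."""
    results: Dict[str, str] = {}
    for name, (version, hashes) in parse_manifest(manifest).items():
        if not hashes:
            results[name] = "unpinned"
            continue
        artifact = artifact_dir / f"{name}-{version}.tar.gz"
        if not artifact.is_file():
            results[name] = "missing"
            continue
        results[name] = "ok" if sha256_file(artifact) in hashes else "hash-mismatch"
    return results


def demo(workdir: Optional[Path] = None) -> Dict[str, str]:
    """Constructed scenario: two pinned artifacts, one of which is replaced by a
    'rebuilt' artifact of the same name and version after pinning, plus one
    unpinned requirement. Uses a temporary directory when none is given."""
    cleanup = workdir is None
    workdir = workdir or Path(tempfile.mkdtemp())
    try:
        workdir.mkdir(parents=True, exist_ok=True)
        good = workdir / "acme-http-2.1.0.tar.gz"
        good.write_bytes(b"constructed artifact: acme-http 2.1.0\n")
        rebuilt = workdir / "acme-auth-0.9.3.tar.gz"
        rebuilt.write_bytes(b"constructed artifact: acme-auth 0.9.3\n")
        manifest = (
            f"acme-http==2.1.0 \\\n    --hash=sha256:{sha256_file(good)}\n"
            f"acme-auth==0.9.3 --hash=sha256:{sha256_file(rebuilt)}\n"
            "acme-utils==1.0.0   # no hash pin: any artifact the index serves is accepted\n"
        )
        # Simulate a compromised build published under the unchanged name/version.
        rebuilt.write_bytes(rebuilt.read_bytes() + b"+ injected content\n")
        return verify_artifacts(manifest, workdir)
    finally:
        if cleanup:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for pkg, status in demo().items():
        print(f"{pkg:12s} {status}")
```

The same check belongs in the deployment pipeline, not only on a developer's machine: the pinned manifest is the record of what was reviewed, and anything that does not match it (a hash mismatch, a file the manifest does not know about, or an entry without a pin) should fail the build rather than be logged and ignored.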
