There have been several examples of major global supply chains being disrupted by ransomware attacks, such as the one affecting the automotive supply chain in February 2022. Attacks on physical supply chains aren’t new, but the number of attacks on software supply chains specifically is increasing, particularly as the world becomes more connected and companies depend on many third-party technology providers (often built on open source software) in order to conduct their business.
What is a software supply chain attack?
A software supply chain attack is when a malicious cyber actor infiltrates a software vendor’s network and compromises the software with malicious code before it is sold to customers. This then compromises the data or systems of any person or company that uses the infected software.
How can a software supply chain attack occur?
According to the National Institute of Standards and Technology (NIST) in the US, there are three common ways in which these attacks occur.
- Hijacking updates. Software vendors routinely send updates (e.g. to address bugs and security issues) to customers via centralised servers. Threat actors can infiltrate the vendor’s network and hijack an update, either by inserting malware or by granting themselves control over the software’s normal functionality.
- Undermining code signing. Code signing is used to validate the identity of the code’s author and the integrity of the code. Cyber criminals can undermine this in several ways (e.g. by self-signing certificates), which enables them to hijack software updates by impersonating a trusted vendor.
- Compromising open-source code. This is when threat actors insert malicious code into publicly accessible code libraries, which developers then unknowingly add to their own code as a third-party dependency. This can also affect privately owned software, as developers regularly leverage blocks of open-source code in their products.
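The first two vectors above share a customer-side defence: an update is only installed if its signature verifies under a public key pinned to the legitimate vendor, so a tampered payload or a signature from any other key (such as an attacker's self-generated one) is rejected. The Go program below is an added illustration written for this page, not code from NIST or any vendor; the update format, artifact name and payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a release as it would arrive from a vendor's update server.
// This layout is a constructed example, not any real vendor's format.
type Update struct {
	Name      string // artifact name, e.g. "agent-2.3.1.tar.gz"
	Payload   []byte // installer/package bytes
	Signature []byte // ed25519 signature over digest(Name, Payload)
}

// digest binds the artifact name to its content so a validly signed
// package cannot be re-labelled and served in place of another one.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so name/payload boundaries are unambiguous
	h.Write(payload)
	return h.Sum(nil)
}

// NewKeyPair generates an ed25519 key pair (vendor or, in a test, attacker).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is what the legitimate vendor does at release time.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest(name, payload))}
}

// Verify is the customer-side check. Only the pinned vendor key is trusted:
// a modified payload, a renamed artifact, or a signature made with any other
// key (including a self-signed impersonator's) fails before installation.
func Verify(pinned ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, digest(u.Name, u.Payload), u.Signature) {
		return fmt.Errorf("%s: signature does not verify under pinned vendor key", u.Name)
	}
	return nil
}
```

In practice the pinned key would be shipped with the installed software or obtained out of band, never fetched from the same update server the package comes from.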
How can you protect your business?
It’s important that security teams consider the risks that come with working with third-party technology vendors, open-source software, or even individual blocks of open-source code. Companies should therefore take a cybersecurity supply chain risk management (C-SCRM) approach. There are several ways to do this, for example establishing a formal C-SCRM programme, understanding the organisation’s supply chain, collaborating with key suppliers, and continuously assessing and monitoring suppliers throughout the relationship.