The recent attack through the US IT service provider Kaseya clearly shows how impactful a supply chain attack can be.
The attackers used a previously undetected security issue (the “zero-day” vulnerability) in a service provider’s maintenance tool to encrypt data on presumably thousands of computers. And the far-reaching consequences affected many further companies, including Coop, a supermarket chain. Due to payment-processing problems, just five of Coop’s nearly 800 stores in Sweden were able to open one weekend.
According to the heise online news service, the attackers demanded a total of USD 70 million – a record amount – to unlock all the data on all the affected devices. Because the FBI reportedly handled the negotiations, the attack received an unusual amount of media attention, although the problem itself wasn’t entirely new. Last year, for example, a backdoor was installed on the systems belonging to up to 18,000 users of the SolarWinds Orion network management platform.
Attacks that take place through IT service providers such as software manufacturers are increasingly common. The goal in these cases is to manipulate the manufacturer’s system or software so that it can be used to spread malware. Attackers can then target customers through channels such as an infected update. Because they rely on such mechanisms, strikes like these are referred to as “supply chain attacks.” Customers have difficulty detecting the infiltration because the infected update is rolled out by a verified (and presumably secure) manufacturer. In fact, however, the attackers are using the software manufacturer as a multiplier to infect as many victims as possible. After all, if a system is widely used, a single infected update can reach an enormous number of systems.
What can software users and customers do to protect themselves from attacks like these? Our CyberCompare experts recommend taking four basic steps:
1. Customers should ensure that they implement strict guidelines on code integrity and only obtain software from trustworthy sources. Managing third-party risk is fundamental: every supplier should undergo a strict security review. Companies should also evaluate the risk of a supply chain attack. It helps to assess how much different business operations depend on a particular software or service and which alternatives could be used in an emergency.
2. Endpoint protection should be used to detect and eliminate suspicious activity on end-user devices.
3. Companies should reduce their dependence on individual suppliers so that, if the worst happens, they can turn to an alternative or at least contain the attack’s impact to specific business units or processes.
4. Actions (such as network segmentation) should be taken to increase cyber resilience overall.
CyberCompare can support your company in taking these steps:
– Based on our experience in the Bosch Group, we can help you to develop appropriate purchasing guidelines for better protection from supplier-related risk.
– Our comparison platform also equips us to recommend an endpoint protection provider who meets your needs and to find alternative or supplemental solutions for existing systems.
– Of course, the providers we recommend must meet the highest security standards that minimize the threat of supply chain attacks.
The perpetrators behind both direct attacks and attacks conducted through multipliers are well organized, highly structured criminal gangs – so protective measures require regulatory authorities and companies to work together closely. Regulators are increasingly discussing whether to outlaw the payment of ransoms in order to reduce the incentives for attacks in the long term. But companies should also take their own precautions today. A first step toward greater security is evaluating where they stand. We are happy to support you in doing so with an independent assessment of your IT and OT security. Our CyberCompare diagnosis helps you see how your company’s security situation stands up against an industry benchmark.
Just e-mail us or give us a call (+49 711 811-91494) and we’ll be happy to provide you with more information on our diagnosis. Alternatively, you can use our diagnostic tool for an initial check of your cyber risk profile.