

The Weak Link: Recent Supply Chain Attacks Examined

Supply chain attacks are a growing and increasingly sophisticated form of cyber threat. They target the complex network of relationships between organizations and their suppliers, vendors, and third-party service providers. These attacks exploit vulnerabilities that emerge due to the interconnected nature of digital supply chains, which often span multiple organizations, systems, and geographies.  

By compromising a trusted component or software within the supply chain, malicious actors can infiltrate the target organization, circumventing traditional security defenses and catching victims off guard. As the world becomes more reliant on global, interconnected digital supply chains, understanding the risks and implications of a supply chain attack is crucial for maintaining security and resilience.  

Supply chain attacks are often associated with nation-state sponsored groups aiming to conduct cyber espionage or disrupt critical infrastructure, but it is essential to recognize that recent supply chain attacks are not solely the domain of such groups. Financially motivated cybercriminals and hacktivist groups have also adopted this attack vector to achieve their objectives. These malicious actors exploit vulnerabilities in supply chain vendors to infiltrate targeted organizations, propagate malware, and gain unauthorized access to sensitive information.

Figure 1: Supply Chain Malware Samples Shared on Telegram

What is a supply chain attack?

In this blog we will focus on third-party cyber attacks and the recent spike in “third-party breached and update tampering attacks”. These attacks are a type of supply chain attack that targets a supplier or vendor providing products or services to an organization. These suppliers or vendors may have access to the organization’s network or systems as part of their service delivery, and attackers can abuse this access to reach sensitive information or compromise critical systems.

Third-party supplier attacks can take several forms, including: 

1. Credential theft: Attackers may steal login credentials of the supplier or vendor to gain access to the organization’s systems. This can be done through phishing attacks, social engineering, or by exploiting vulnerabilities in the supplier’s systems. 

2. Software or firmware tampering: Attackers may inject malicious code into the software or firmware used by the supplier, which can then be used to compromise the organization’s systems. This can be done during the development process, or by compromising the supplier’s software distribution channels. 

3. Data theft: Attackers may steal sensitive data from the supplier’s systems, which can include data related to the organization’s operations or its customers. 

4. Denial of service: Attackers may launch a distributed denial-of-service (DDoS) attack against the supplier’s systems, which can disrupt the supplier’s operations and affect the organization’s ability to access critical services. 


Notable Recent Supply Chain Attacks 

During the last six months, we’ve witnessed a spike in supply chain cyber attacks affecting an enormous number of vendors. Here are the major incidents that took place recently:

1. March 2023 – 3CX Supply Chain Attack

2. February 2023 – Applied Materials Supply Chain Attack

3. December 2022 – PyTorch Framework Supply Chain Attack

4. December 2022 – Fantasy Wiper Supply Chain Attack

March 2023 – 3CX Supply Chain Attack

In March, the 3CX supply chain attack targeted Windows and macOS desktop apps, raising concerns about the integrity and security of the software’s supply chain. The attackers managed to compromise the apps by bundling an infected library file, which subsequently downloaded an encrypted file containing Command & Control information. This enabled the attackers to perform malicious activities within the victim’s environment. 

The fact that the malicious versions of the apps were signed with valid 3CX certificates suggests that the company’s build environment may have been compromised. This resulted in the distribution of tampered apps directly from 3CX’s download servers. This highlights the vulnerability of software supply chains, as even a seemingly minor breach can have far-reaching consequences for customers who trust and rely on the software. 

With links to the North Korean state-sponsored APT Lazarus Group, the attack demonstrates the increasing sophistication and persistence of threat actors targeting supply chains to infiltrate organizations and gain access to sensitive information. 

February 2023 – Applied Materials Supply Chain Attack

In February, a supply chain cyber attack targeting a business partner of semiconductor company Applied Materials disrupted shipments and was expected to cost the company $250 million in Q1 2023. The company has not identified the affected partner, but it is speculated that industrial equipment supplier MKS Instruments may have been the breach point, as MKS announced a ransomware attack on February 3 and had to reschedule its fourth-quarter earnings call.

Applied Materials referred to the targeted company as a “major” supplier. MKS Instruments was still recovering from the attack at the time; the incident impacted its Vacuum Solutions and Photonics Solutions divisions and reportedly delayed the processing and shipping of orders.

December 2022 – PyTorch Framework Supply Chain Attack

In December 2022, the open-source machine learning framework PyTorch experienced a supply chain attack in which nightly builds were injected with malware. The attack was made possible by compromising the Python Package Index (PyPI) code repository of Torchtriton, a dependency of PyTorch. The malicious binary was designed to execute when the Triton package was imported, exfiltrating sensitive information from the victim’s machine. The issue only affected the nightly builds of PyTorch on Linux; users of the stable packages were not impacted.

The PyTorch maintainers have removed Torchtriton as a dependency, replaced it with Pytorch-Triton, and created a dummy Pytorch-Triton package on PyPI to prevent similar attacks. They have also removed all nightly packages dependent on Torchtriton from their package indices and informed the PyPI security team of the incident. 
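As an added example (not PyTorch's, pip's or PyPI's own code), the following implements the hash-pin check that blocks this class of dependency substitution: a dependency is installed only if the artifact's SHA-256 digest matches a pin recorded in advance, so a same-named package served from a different index fails verification instead of being imported. The package names, artifact bytes and pins below are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# pip's hash-pin syntax: "--hash=sha256:<64 hex chars>", possibly several per requirement.
PIN_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


@dataclass
class Pin:
    name: str
    digests: set = field(default_factory=set)


def parse_requirements(text: str) -> dict:
    """Parse a requirements file into {normalized_name: Pin}.

    Backslash continuations are joined first so a requirement spread over
    several '--hash' lines is handled as one entry; comments are dropped.
    """
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[=<>!~ \[;]", line, maxsplit=1)[0].lower()
        pins[name] = Pin(name, set(PIN_RE.findall(line)))
    return pins


def verify_artifact(name: str, data: bytes, pins: dict):
    """Return (ok, reason). Rejects unpinned names and digest mismatches, so a
    same-named package served from another index cannot be installed silently."""
    pin = pins.get(name.lower())
    if pin is None or not pin.digests:
        return False, f"{name}: no sha256 pin, refusing to trust index contents"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in pin.digests:
        return False, f"{name}: digest {digest[:12]}... does not match any pin"
    return True, f"{name}: digest matches pin"


# Constructed sample: a 'known good' wheel body, its pin, and an unpinned dependency.
GOOD_ARTIFACT = b"PK\x03\x04 constructed wheel bytes for example-pkg 1.0"
REQUIREMENTS = (
    f"example-pkg==1.0 \\\n    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
    "unpinned-dep==2.0  # no pin: verify_artifact() must reject this\n"
)

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for pkg, blob in [("example-pkg", GOOD_ARTIFACT), ("example-pkg", b"tampered"), ("unpinned-dep", b"x")]:
        print(verify_artifact(pkg, blob, pins)[1])
```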

December 2022 – Fantasy Wiper Supply Chain Attack

An Iran-linked Advanced Persistent Threat (APT) actor, Agrius, deployed a new wiper called Fantasy in attacks against entities in South Africa, Israel, and Hong Kong. Active since at least 2020, Agrius primarily targets victims in Israel and the UAE. The group was previously known for using the Apostle wiper disguised as ransomware.  

The supply chain attack involved an Israeli software developer that provides a software suite to organizations in the diamond industry. Agrius targeted the software developer and managed to infect the developer’s customers with the new Fantasy wiper malware. This is considered a supply chain attack because the threat actor compromised the software developer’s product and used it as a conduit to infect the end users, who were customers of the software developer.

The attack was relatively short, lasting less than three hours, but it affected five organizations, including a diamond wholesaler, an HR consulting firm, an IT support services provider in Israel, a South African organization from the diamond industry, and a jeweler in Hong Kong. The Fantasy wiper was named similarly to the legitimate software and was executed on all victim systems from the Temp directory within a 2.5-hour timeframe. 
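The execution pattern described above (one binary, run from Temp, on every victim within a few hours) is something a process-creation log can surface. The following added example (not from the original post or any vendor product) flags an image name launched from a temp directory on several distinct hosts inside a sliding time window; the log format, host names and image name are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows user/system temp paths and POSIX temp directories, case-insensitive.
TEMP_RE = re.compile(r"(\\temp\\|\\tmp\\|^/tmp/|/var/tmp/)", re.IGNORECASE)
# Constructed record layout: "<ISO-8601 ts> host=<name> image=<full path>".
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+)$")


def parse_events(lines):
    """Yield (timestamp, host, image_path) for well-formed process-start lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["host"], m["image"]


def temp_execution_bursts(lines, min_hosts=3, window=timedelta(hours=3)):
    """Return {image_basename: sorted_hosts} for every basename that ran from a
    temp directory on at least min_hosts distinct hosts within one window."""
    by_image = defaultdict(list)
    for ts, host, image in parse_events(lines):
        if TEMP_RE.search(image):
            base = re.split(r"[\\/]", image)[-1].lower()
            by_image[base].append((ts, host))
    hits = {}
    for base, events in by_image.items():
        events.sort()  # sliding window over chronologically ordered starts
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[base] = sorted(hosts)
                break
    return hits


SAMPLE_LOG = [  # constructed process-creation records
    "2022-12-01T08:00:00Z host=wks01 image=C:\\Users\\a\\AppData\\Local\\Temp\\suite_upd.exe",
    "2022-12-01T08:40:00Z host=wks02 image=C:\\Users\\b\\AppData\\Local\\Temp\\suite_upd.exe",
    "2022-12-01T09:55:00Z host=srv01 image=C:\\Windows\\Temp\\suite_upd.exe",
    "2022-12-01T09:10:00Z host=wks03 image=C:\\Program Files\\Suite\\suite_upd.exe",  # normal path
    "2022-12-01T12:00:00Z host=wks04 image=C:\\Users\\d\\AppData\\Local\\Temp\\installer.exe",
    "2022-12-02T12:00:00Z host=wks05 image=C:\\Users\\e\\AppData\\Local\\Temp\\installer.exe",
]

if __name__ == "__main__":
    print(temp_execution_bursts(SAMPLE_LOG))
```

The same binary name from a legitimate install path (wks03) does not count toward the burst, and two temp-directory launches a day apart (installer.exe) stay below the threshold.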

Impactful Supply Chain Attacks from Recent Years 

In the realm of software development and maintenance, dependencies, CI/CD pipelines, and software updates are essential components that streamline the development process and facilitate the rapid delivery of updates and new features. However, these components also present opportunities for attackers to exploit the complex web of dependencies, infiltrate CI/CD systems, and compromise update mechanisms. By targeting these critical aspects, malicious actors can potentially gain access to multiple projects, applications, and sensitive systems, effectively bypassing traditional security measures and delivering malicious payloads under the guise of legitimate updates. 

December 2020 – SolarWinds Supply Chain Attack

The SolarWinds attack, also known as the SolarWinds supply chain attack, was attributed to a Russian state-sponsored hacking group known as APT29 or Cozy Bear. This group is believed to be linked to the Russian Foreign Intelligence Service (SVR). The attack, discovered in December 2020, involved the compromise of SolarWinds’ Orion software, which was subsequently used to distribute a malicious backdoor called SUNBURST to numerous organizations, including U.S. government agencies and private companies. The attackers leveraged this backdoor to gain access to sensitive data, conduct cyber espionage, and maintain a persistent presence within the targeted networks. 

April 2021 – Codecov Supply Chain Attack

The perpetrator of the Codecov attack has not been definitively identified or attributed to a specific group or nation-state, and there is still not enough publicly available information to do so with certainty. However, given the nature of the attack, which involved compromising the Bash Uploader script used by Codecov and gaining unauthorized access to sensitive information in customer environments, it is likely that an advanced threat actor was responsible. The attack was discovered in April 2021, and the investigations that followed revealed that the breach had gone undetected for several months.

July 2021 – Kaseya Supply Chain Attack

The Kaseya supply chain attack, which occurred in July 2021, was attributed to a Russia-based cybercriminal group known as REvil or Sodinokibi. REvil is a notorious ransomware-as-a-service (RaaS) group that has been responsible for multiple high-profile ransomware attacks against various organizations worldwide. In the Kaseya incident, the group exploited a vulnerability in the company’s VSA software to distribute ransomware to numerous managed service providers and their clients, resulting in significant disruptions and financial losses for the affected organizations. 

Detecting & Mitigating Supply Chain Attacks

Supply chain cyber attacks pose a significant risk to organizations of all sizes and industries. By understanding the nature of these threats and implementing appropriate security measures, organizations can better protect themselves against the devastating consequences of a successful supply chain attack. As cyber threats continue to evolve and become more sophisticated, a proactive and comprehensive approach to supply chain security is crucial for maintaining the integrity and resilience of our interconnected digital ecosystem. 

To effectively mitigate these risks, organizations must adopt a proactive and comprehensive approach to supply chain security. This includes continuously monitoring and assessing the security posture of suppliers, vendors, and third-party service providers, as well as implementing robust security controls and incident response plans. Threat intelligence plays a crucial role in this process, enabling organizations to stay informed of emerging threats, vulnerabilities, and attack techniques, and to adapt their security strategies accordingly. By leveraging threat intelligence and fostering a culture of security awareness, organizations can better protect their supply chains and reduce the potential impact of future attacks. 
