Explainers & Guides

Why Hackers Launch Supply Chain Cyber Attacks

Discover why hackers target corporate supply chains and learn how understanding their motivations can enhance your cyber security and third-party risk management strategies.

As the cyber security postures of large global corporations and of highly regulated entities, such as operators of critical national infrastructure, grow stronger and more difficult to penetrate, threat actors are increasingly looking for the weakest links in their targets’ security postures. These are often found in smaller and less secure third parties. This is why smaller suppliers, who often lack internal resources and expertise and are easier to penetrate, often become the target of such attacks, especially by state-sponsored hacking groups.

Given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business or personal data held or processed by other organisations on our behalf may be at risk. 

But what are the different motivations that lead threat actors to engage in supply chain attacks? This article explores the most common ones, so that we can better understand our adversaries and plan accordingly.

Key Terms Defined

For clarity, here are some important terms used throughout this article:

  • Supply Chain Attack: A cyber attack that targets less secure elements within an organisation’s supply chain—such as vendors, suppliers, or subcontractors—to gain indirect access to a primary target’s systems or data.
  • Third Party: A direct supplier or vendor that provides goods or services to an organisation.
  • Fourth Party (and beyond): The suppliers and subcontractors that support a third party, often less visible but still posing significant security risks.
  • State-Sponsored Threat Actors: Cyber attackers backed by a nation state, often engaging in espionage, sabotage, or disruption for political or strategic objectives. These actors tend to have significant resources and can execute highly sophisticated campaigns.

What Motivates Threat Actors?

Threat actors want our money

First and most prominently, of course, threat actors are often principally driven by financial motives. Whether carried out by cyber criminals, especially ransomware gangs, or by state-sponsored threat actors, especially those affiliated with financially weaker rogue states such as North Korea and Iran, cyber attacks have become a thriving global economy in their own right. If it were measured as a country, cyber crime would be the world’s third-largest economy after the US and China.

Threat actors want our data

Often for the same reason, threat actors want our data. This is the principal way they can make money from a cyber attack. Attackers want our data either to sell it on the Dark Web or for corporate or government espionage purposes. So data theft through suppliers is driven either by financial incentives or by the goal of obtaining valuable intelligence, such as proprietary data on advanced technologies and other innovations, from competitors or rival states. Data from the European Union Agency for Cybersecurity (ENISA) shows that the majority of supply chain attacks are designed to steal data.

Threat actors want to cause business disruption

Increasingly, however, many threat actors are no longer motivated just by financial gain, or even by the intent to obtain information. State-sponsored attacks in particular, which have been increasing steadily since the outbreak of the war in Ukraine, are often aimed at causing business disruption or even at destroying the systems they penetrate. This is what the NotPetya attack, for example, demonstrated.

Threat actors want to damage or destroy physical infrastructure

Less prominent, but equally alarming, are the often very real physical effects of cyber attacks against infrastructure. The Refahiye pipeline explosion in Turkey in 2008, for example, which took the entire Baku-Tbilisi-Ceyhan pipeline out of commission for 20 days, is believed to have been caused by a deliberate cyber attack. While Turkey subsequently denied that a cyber attack was to blame for the explosion, in a Bloomberg article published in December 2014 the authors Jordan Robertson and Michael Riley claimed that “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident”.

There was also the famous Stuxnet cyber attack against the Iranian nuclear programme, which resulted in the destruction of numerous Iranian nuclear centrifuges, and which has become known as Operation Olympic Games. The attack utilised a worm, a link file and a programmable logic controller rootkit, and targeted the industrial control systems of Siemens. 

Threat actors want to infiltrate our systems

Because an attacker can move from compromised software onward into connected systems, threat actors can also be motivated by the goal of penetrating the systems of specific organisations and bodies as part of a longer-term plan. This is again particularly likely to be the case for threat actors affiliated with nation states.

In the context of the SolarWinds attack, for example, which affected up to 18,000 clients of the company, including many federal government agencies in the US, it was discovered that Russian attackers had breached government systems and then lain dormant in them for weeks, if not months. They upgraded user privileges and created new ones in the systems they had breached, and were able to monitor internal emails of government agencies as well as extract sensitive information from their targets. This onslaught against US Government departments reportedly affected, among others, the US Treasury and Commerce departments as well as the Department of Homeland Security and the Pentagon.

Real-World Supply Chain Cyber Attacks: Recent Examples

Supply chain cyber attacks have made headlines repeatedly in recent years, demonstrating their growing threat to organisations worldwide.

  • SolarWinds (2020): In perhaps the most infamous supply chain breach, Russian state-sponsored hackers infiltrated SolarWinds’ software updates, compromising over 18,000 customers, including numerous US government agencies. This attack allowed prolonged, stealthy access to sensitive data and internal systems.
  • Kaseya (2021): A ransomware attack exploited vulnerabilities in Kaseya’s IT management software, impacting hundreds of businesses globally by encrypting data and demanding ransoms, all via trusted vendor software.
  • MOVEit Transfer (2023): Exploiting a zero-day vulnerability, attackers breached MOVEit Transfer software used by numerous vendors. This breach exposed sensitive client data across hundreds of organisations, many of which did not directly use the software themselves.

These examples show how attackers exploit trusted third or fourth parties to bypass direct security measures, amplifying risk across entire supply chains.

Actionable Defence Strategies Against Supply Chain Attacks

Protecting your organisation from supply chain cyber threats requires a comprehensive and proactive approach. Here are key strategies to implement:

  • Continuous Monitoring and Threat Intelligence
    Deploy tools and processes that continuously monitor your third- and fourth-party vendors for security posture changes and emerging threats. Leverage threat intelligence feeds to stay ahead of new attack techniques targeting supply chains.
  • Rigorous Access Controls
    Limit vendor access to only the systems and data they absolutely need. Use the principle of least privilege and enforce strong authentication methods such as multi-factor authentication (MFA) to reduce the risk of compromised vendor credentials being exploited.
  • Thorough Vendor Risk Assessments and Audits
    Conduct regular security assessments of your suppliers and subcontractors, prioritising those with access to sensitive data or critical systems. Include questionnaires, on-site audits, and penetration testing where feasible to verify security controls.
  • Supply Chain Mapping and Visibility
    Map your entire supply chain beyond your direct vendors to understand potential risk concentrations and dependencies. Tools like Risk Ledger provide networked visibility into these extended relationships, enabling faster response to incidents.
  • Incident Response Collaboration
    Develop incident response plans that include your supply chain partners. Establish clear communication channels and protocols so that if one party is compromised, others can react swiftly to contain and mitigate the damage.
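
To make the "Supply Chain Mapping and Visibility" point concrete, here is an added example (not part of the original article and not Risk Ledger's code) that walks a supplier dependency map and flags the suppliers on which several direct vendors depend. The organisation, the supplier names and the `RELIES_ON` data are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: each entity -> the suppliers it relies on.
# "acme-corp" stands for our own organisation; every name is hypothetical.
RELIES_ON = {
    "acme-corp": ["payroll-saas", "crm-saas", "logistics-co"],
    "payroll-saas": ["cloud-host-x", "email-relay"],
    "crm-saas": ["cloud-host-x", "file-transfer-tool"],
    "logistics-co": ["file-transfer-tool", "cloud-host-x"],
    "email-relay": ["cloud-host-x"],
}

def map_supply_chain(org, relies_on):
    """Breadth-first walk from org. Returns {supplier: tier}, where
    tier 3 is a third party (direct vendor), 4 a fourth party, and so on."""
    tier = {}
    queue = deque((s, 3) for s in relies_on.get(org, []))
    while queue:
        supplier, t = queue.popleft()
        if supplier == org or supplier in tier:  # cycle, or seen at a nearer tier
            continue
        tier[supplier] = t
        queue.extend((s, t + 1) for s in relies_on.get(supplier, []))
    return tier

def concentrations(org, relies_on, threshold=2):
    """Suppliers that at least `threshold` direct vendors depend on,
    directly or transitively: (supplier, tier, dependent direct vendors)."""
    tiers = map_supply_chain(org, relies_on)
    exposed = defaultdict(set)  # supplier -> direct vendors that rely on it
    for direct in relies_on.get(org, []):
        for supplier in map_supply_chain(direct, relies_on):
            if supplier in tiers:  # ignore paths that lead back to org itself
                exposed[supplier].add(direct)
    hits = [(s, tiers[s], sorted(v)) for s, v in exposed.items()
            if len(v) >= threshold]
    return sorted(hits, key=lambda h: (-len(h[2]), h[0]))

if __name__ == "__main__":
    for supplier, tier, vendors in concentrations("acme-corp", RELIES_ON):
        print(f"tier {tier}: {supplier} underpins {', '.join(vendors)}")
```

In this sample, one fourth-party hosting provider sits beneath all three direct vendors, which is the kind of concentration that a list of direct vendors alone would not show.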

Conclusion: How this information helps cyber security professionals

Understanding the motivations of threat actors provides cyber security and TPRM professionals with crucial insights that can significantly enhance their risk management strategies. Here’s how this knowledge is beneficial and actionable:

  1. Tailored Defence Strategies: By knowing why threat actors target specific parts of the supply chain, cyber security professionals can tailor their defence strategies accordingly. For instance, if the primary motivation is financial gain, heightened security measures can be implemented around sensitive financial data and transactions.
  2. Prioritising Resources: Understanding the motives helps in prioritising security resources and efforts. If data theft is a significant threat, then more resources can be allocated to data encryption, secure storage, and stringent access controls.
  3. Incident Response Planning: Knowledge of potential motives aids in crafting more effective incident response plans. For example, if business disruption is a primary goal, rapid recovery and continuity plans can be emphasised.
  4. Enhanced Threat Intelligence: Recognising the varied motivations enhances threat intelligence capabilities. Professionals can better anticipate the types of attacks and methodologies likely to be employed, leading to improved threat detection and prevention mechanisms.
  5. Supplier Risk Assessments: Insights into threat actor motivations highlight the importance of thorough supplier risk assessments. TPRM teams can identify which suppliers are more likely to be targeted, and to what end, and ensure they have strong security controls in place specifically related to their particular risk areas.
  6. Improved Collaboration and Communication: Understanding the motives behind attacks fosters better communication and collaboration with third-party suppliers. It emphasises the need for shared security practices and transparent communication about potential threats and mitigation measures.

Ultimately, this knowledge enables a more proactive security posture. By anticipating threat actor behaviours and intentions, cybersecurity professionals can stay a step ahead, implementing measures that preemptively address potential vulnerabilities.

By leveraging the understanding of threat actor motivations, cyber security and third-party risk management professionals can craft more resilient and adaptive security frameworks, ultimately safeguarding their organisations against an increasingly complex threat landscape.

Why Hackers Launch Supply Chain Cyber Attacks - FAQs

What are cyber supply chain attacks?

Cyber supply chain attacks occur when threat actors target less secure vendors, suppliers, or service providers within an organisation’s supply chain to gain indirect access to the primary target’s systems or data. Instead of attacking an organisation directly, attackers exploit vulnerabilities in trusted third or fourth parties, allowing them to bypass conventional security controls and infiltrate critical systems.

What are the top 5 supply chain cyber risks?

  1. Third- and Fourth-Party Vulnerabilities: Weak security controls or outdated software in suppliers or subcontractors.
  2. Unauthorised Access: Compromised vendor credentials or excessive permissions leading to data breaches.
  3. Software and Hardware Tampering: Malicious code or hardware implanted during development or distribution.
  4. Lack of Visibility: Poor mapping of extended supply chains, leaving organisations blind to downstream risks.
  5. Insufficient Incident Response Coordination: Delays or failures in communicating and reacting to supply chain breaches.

What are the threats to the cyber supply chain?

Threats include ransomware attacks, data exfiltration, espionage, sabotage, and the introduction of malware or backdoors via compromised suppliers. State-sponsored groups often aim to disrupt or damage critical infrastructure, while financially motivated cyber criminals seek ransom payments or valuable data for sale.

Why are supply chain attacks on the rise?

Supply chain attacks are increasing because larger organisations have strengthened their direct cybersecurity defences, prompting attackers to target weaker links in their supply chains. Smaller suppliers often lack sufficient resources or expertise, making them easier entry points. Additionally, the interconnected nature of global supply chains expands the attack surface, and sophisticated threat actors exploit these complex relationships to infiltrate high-value targets indirectly.
