In the first article in our series on "Shaping the Future of Supply Chain Cyber Security", our CEO Haydn Brooks sets out the scale of the problem and discusses why and how threat actors are increasingly targeting our corporate supply chains.
In our highly interconnected and digitally transformed global economy, outsourcing has become simpler and more cost-effective than ever. As a result, organisations today increasingly depend on extensive networks of third-party entities, including vendors, service providers, and strategic partners, to support and enhance their core business operations. These range from payroll, legal and pension services to productivity and collaboration software, cloud providers and many others, creating complex ecosystems, often comprising hundreds or even thousands of external relationships.
These corporate supply chains have become integral to the efficient functioning and competitive advantage of modern enterprises and are a powerful driver of growth, but they also bring with them a proliferation of cyber security risks to our own data and systems that threat actors can exploit, often with significant financial, legal and operational consequences. With supply chain attacks fast becoming the leading cyber security threat, and with a rapidly worsening geopolitical environment in which state-sponsored attacks and cyber warfare operations against critical national infrastructure are on the rise, securing our complex supply chain ecosystems has become an urgent priority.
Risk Ledger has made it its mission to develop a new and more effective way of securing our supply chains. In this series of four articles we will, for the first time, set out why supply chain attacks pose such a challenge to the cyber security of organisations, why third-party risk management (TPRM), at least in its current form, has not made us more secure, and, crucially, unveil our 3-stage roadmap for moving away from the current, mostly reactive and compliance-driven approach to TPRM and into the realm of active cyber defence.
In this first article in the series, we explore why supply chain attacks are on the rise, and why threat actors are increasingly using them as their attack path of choice.
Attacks on our corporate and software supply chains have fast become one of the leading cyber threats facing organisations, and can be among the most devastating, as prominent examples such as the SolarWinds (2020), Log4j (2021) or the more recent MOVEit Transfer (2023) supply chain attacks attest. According to the Identity Theft Resource Center, the number of organisations impacted by supply chain attacks has increased by more than 2,600 percentage points over the past five years alone, while the European Union Agency for Cybersecurity (ENISA) predicts that by 2030 ‘Supply Chain Compromise of Software Dependencies’ will become the leading cyber threat facing organisations.
In the 2023 MOVEit Transfer attack alone, the Russia-linked ransomware group Cl0p exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file sharing application to steal data from over 2,500 organisations, affecting some 80 million individuals worldwide, including numerous US government agencies, UK institutions and companies such as British Airways, Boots, the BBC and Ofcom.
Or consider the SolarWinds attack of 2020, in which threat actors believed to be associated with Russian intelligence inserted a backdoor into a legitimately signed software update for SolarWinds’ Orion, a widely used network management platform, so that the malicious code reached customers through the vendor’s own trusted update channel. The attack is said to have affected up to 18,000 SolarWinds customers worldwide, again including US federal government departments such as Homeland Security, State, Commerce and Treasury, as well as major vendors such as Microsoft, Intel and Cisco.
Supply chain attacks can also have potential sector-wide or even systemic implications. Let’s consider the two examples of the ION Trading Technologies and MAERSK. ION Trading Technologies is a provider of digital solutions for electronic trading, pricing and order management, including facilitating the settlement of exchange-traded derivatives, to some of the world’s largest banks, hedge funds and brokerage firms. It counts more than 100 financial services companies among its clients. When ION was hit by a ransomware attack in 2023, this forced its systems offline, resulting in financial institutions suddenly having to manually confirm trades, causing ripple effects and reporting delays across the sector.
But whereas the fallout from the ION Trading Technologies attack was fairly contained, the same cannot be said for the 2017 NotPetya attack that engulfed the global shipping giant Maersk. The attack, conducted by the Russian military intelligence-linked group Sandworm and principally directed against Ukraine, was delivered through a compromised update of the M.E.Doc tax accounting software used by most businesses in Ukraine. The malware, which behaved very differently from the original Petya ransomware and was designed to destroy the systems it infected rather than to extort their owners, soon spread far beyond Ukraine.
The malware was so aggressive, in fact, that after infecting an initial Maersk system it quickly spread across all Maersk locations and systems around the world, forcing the company to shut down essentially all of its operations. The attack almost meant the end of Maersk, which at the time controlled 76 ports and over 800 vessels around the world and was involved in one-fifth of global trade. Only by a stroke of luck was Maersk able to rebuild its entire IT infrastructure, using a single unaffected backup retrieved from its Ghana office in a cloak-and-dagger-style operation.
Having established the scale and severity of the problem, and the possible fallouts from such attacks, let us now look at the reasons for why supply chain attacks are increasingly becoming the tool of choice for attackers.
Despite the rising complexity of cyber attacks, there are in essence only five ways our organisations can be targeted by threat actors, namely through our Networks, Applications, Physical premises, People, and our Suppliers.
As an industry, we dedicate a lot of time, effort and resources to mitigating the first four risks, but we continue to neglect our suppliers. Yet effectively preventing breaches today also requires us to consider the networks, applications, physical premises and people of most of our suppliers, because a compromise of any of these can become a path into our own environment.
As the cyber security postures of large global corporations, sensitive government bodies and operators of critical national infrastructure become stronger and harder to penetrate directly, threat actors increasingly look for the weakest links in their targets’ defences. These are often found in smaller and less secure third parties, or even in fourth or fifth parties further down the supply chain. Smaller suppliers, which often lack the internal resources and expertise and are easier to penetrate, therefore frequently become the targets of choice. Even the most prestigious organisations with stringent cyber security measures in place can be blindsided by incidents that originate somewhere in their supply chains.
Attacks on our corporate supply chains can affect our own organisations in several critical ways. They can impair a supplier’s ability to continue providing essential services to us. They can result in the exfiltration and loss of our confidential proprietary and customer data. Or, depending on the service a supplier provides and the access it holds, they can be used by threat actors to stage onward attacks against our own IT systems.
The risk emanating from our supply chains has become further accentuated in recent years because of a significantly worsening global geopolitical environment, leading to an increase in sophisticated state-sponsored attacks and cyber warfare operations.
The risk of being targeted by hostile state actors and their advanced persistent threat (APT) groups is particularly pronounced for the UK. After the United States and Ukraine, the UK is the third most targeted country in the world for cyber attacks, and UK operators of Critical National Infrastructure (CNI) in sectors such as transport, healthcare, energy, water and other utilities, as well as financial services and public sector organisations, are prominent targets of such attacks. This year alone, we have already seen supply chain attacks against the MoD, the NHS and our democratic institutions, all purportedly conducted by state-linked threat actors.
This proliferation of state-sponsored attacks has prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue a joint advisory with the Federal Bureau of Investigation (FBI) warning that “PRC state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive cyberattacks against the U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” This was followed by a threat alert from the UK National Cyber Security Centre (NCSC), also highlighting the escalated threat emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure.
This also indicates that attacks by state actors are no longer just limited to cyber espionage or data exfiltration campaigns, although they remain the most prominent. Increasingly, these kinds of attacks are aimed at more directly disrupting and harming our economies, or designed as stealth operations to infiltrate, and then lay dormant, in our critical national infrastructure or even national security institutions, just waiting to be triggered in the event of an escalating conflict.
Given the expanded threat surface, our increased exposure to worsening geopolitical conflicts globally, and threat actors’ emphasis on targeting the weakest links in our security, the safety and resilience of our data and systems relies as much on our own defences as on the security of every organisation in our extended supply chain. We are only as strong as the weakest link in that vast chain of supply chain relationships.
But do we even know where the weakest links in our supply chains might be?
UK government research has found that, on average, only around 30% of larger organisations review the security of their direct third-party suppliers; among smaller organisations and businesses the figure is just over 10%. Given this collective lack of visibility into the risks in our immediate third parties, the answer to the preceding question is probably no.
But where it becomes really interesting, in fact almost scary, is that the weakest link might not be found in our direct third-party suppliers, but could equally be an organisation sitting in the even wider web of interrelated businesses connected to our suppliers and clients, i.e. in a 4th, 5th or nth party supplier.
When Cl0p exploited the MOVEit Transfer vulnerability, for example, many of the thousands of high-profile victims of the breach did not use MOVEit Transfer themselves. They were impacted through suppliers such as the British HR and payroll software provider Zellis or the US-based PBI Research Services, a research provider to many financial institutions, which in turn used MOVEit Transfer to process their clients’ data. Organisations such as Boots, the BBC and other high-profile victims were thus impacted by a breach of an organisation that, from their vantage point, constituted a fourth party, i.e. a supplier of a supplier.
As for assuring the security of these fourth-party suppliers, the same UK government research already cited earlier suggests that only 7% of organisations are actually attempting to assess risks beyond third-parties, not to mention supplier connections even further down the chain.
Our lack of knowledge of where risks reside in our vast extended supply chain ecosystem also impedes our ability to spot and mitigate dangerous concentration risks.
The MOVEit Transfer attack was but one example of a supply chain concentration risk, where a supplier that was breached affected numerous other organisations around it, significantly increasing the blast radius of the initial attack.
There is also the scenario in which several critical third parties of an organisation all rely on one fourth party that is critical to their operations. Should that fourth party be compromised and become unable to continue providing its services, all of those direct third parties could be prevented from operating normally, posing a significant business continuity risk to their shared client. Because the shared dependency sits one tier removed, it is invisible to any assessment that stops at direct suppliers.
Another, and easily among the most dangerous types of concentration risks, as it could affect an entire industry or even economy, is when one supplier is absolutely critical to the operations of numerous organisations within the same industry or sector. If this one supplier were to fail because of an attack against it, or have its services significantly curtailed, this could bring an entire sector of an economy, or even a country, to a standstill.
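As an added illustration of the two concentration-risk patterns just described (example code written for this article, not a Risk Ledger product or tool), the following Python sketch shows what an organisation can do once it holds even a partial map of its suppliers' suppliers: walk the dependency graph to assign each supplier its tier (third, fourth, fifth party), list the blast radius of any single supplier being taken offline, and surface suppliers beyond the first tier on which several of its direct third parties quietly depend. The supplier graph and all organisation names are constructed sample data and stand in for no real company.

```python
from collections import deque

# Constructed sample supplier graph (invented names, not real organisations).
# Each key lists the suppliers that organisation itself depends on; "us" is
# the organisation doing the assessment. The shape mirrors the MOVEit pattern:
# several of our direct suppliers share one file-transfer vendor we never see.
SUPPLY_GRAPH = {
    "us": ["payroll-co", "law-firm", "pension-admin", "saas-crm"],
    "payroll-co": ["file-transfer-vendor", "cloud-host"],
    "law-firm": ["file-transfer-vendor", "doc-mgmt"],
    "pension-admin": ["file-transfer-vendor"],
    "saas-crm": ["cloud-host"],
    "doc-mgmt": ["cloud-host"],
    "file-transfer-vendor": [],
    "cloud-host": [],
}


def supplier_tiers(graph, org):
    """Breadth-first walk from org. Returns {supplier: tier} where tier 1 is a
    third party, tier 2 a fourth party, and so on (shortest path wins, and the
    visited set makes the walk safe on graphs with cycles)."""
    tiers = {}
    seen = {org}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def dependents(graph, target):
    """Blast radius: every organisation that depends on target directly or
    transitively, computed over the reversed graph."""
    reverse = {}
    for org, suppliers in graph.items():
        for supplier in suppliers:
            reverse.setdefault(supplier, set()).add(org)
    affected = set()
    stack = [target]
    while stack:
        node = stack.pop()
        for dependent in reverse.get(node, ()):
            if dependent not in affected:
                affected.add(dependent)
                stack.append(dependent)
    return affected


def concentration_points(graph, org, min_third_parties=2):
    """Suppliers beyond tier 1 whose failure would knock out at least
    min_third_parties of org's direct suppliers. Returns
    {supplier: sorted list of affected third parties}."""
    tiers = supplier_tiers(graph, org)
    third_parties = {s for s, tier in tiers.items() if tier == 1}
    result = {}
    for supplier, tier in tiers.items():
        if tier < 2:
            continue
        hit = dependents(graph, supplier) & third_parties
        if len(hit) >= min_third_parties:
            result[supplier] = sorted(hit)
    return result


if __name__ == "__main__":
    for supplier, tier in sorted(supplier_tiers(SUPPLY_GRAPH, "us").items()):
        print(f"tier {tier}: {supplier}")
    for supplier, hit in concentration_points(SUPPLY_GRAPH, "us").items():
        print(f"concentration point {supplier} -> third parties affected: {hit}")
```

Run against the sample graph, the walk reports `file-transfer-vendor` and `cloud-host` as fourth parties on which three of our four direct suppliers each depend, exactly the hidden single points of failure that a questionnaire sent only to direct suppliers would never reveal; in practice the graph would be populated from suppliers' own declared dependencies rather than typed in by hand.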
Just think of what would happen if an essential services provider like the financial messaging service SWIFT, which serves over 11,000 organisations in over 200 countries, was to go offline. There simply would be no viable backup providers available to quickly step in and replace SWIFT’s vital function in the financial system. A successful attack against SWIFT that would take it offline could precipitate the next major financial crisis.
During the Solarwinds attack, for example, the New York Department of Financial Services (NY DFS) was concerned enough about the potential implications for financial stability to immediately require all of New York’s financial services firms to investigate and report any impact the attack might have on them, warning that the “next great financial crisis could come from a cyber attack”, like this one.
Meanwhile, regulators have recognised the growing risks associated with complex global supply chains and outsourcing arrangements, and are introducing new regulations to tackle them.
The EU’s Digital Operational Resilience Act (DORA) sets out technical standards that financial entities and their critical ICT third-party providers must comply with from 17 January 2025. The NIS Directive has been updated by NIS2, which similarly zones in on supply chain security to protect EU member states’ critical national infrastructure. In the UK, the Government Cyber Security Strategy sets out the government’s approach to building a more cyber-resilient public sector, while the new Labour government has announced plans to introduce a Cyber Security and Resilience Bill, which is said to have many similarities with NIS2 and represents the UK’s own update of its NIS Regulations of 2018.
In this article we argued that, because businesses and supply chains have never been more interconnected, threat actors are taking advantage of this by seeking out the weakest links in our extended supply chains to attack us. As a result, supply chain attacks are fast becoming the number one cyber security threat facing organisations today, and it is paramount that we find ways to protect ourselves from this growing threat.
In the next article in our series, we will examine the current state of third-party risk management, the approach used by most organisations today when trying to ensure the security of their digital supply chains. We will look at its importance, but also point to the many challenges and shortcomings it faces, which make it increasingly unable to cope with the evolving threat landscape.
So keep a lookout for the next article in the series on our website www.riskledger.com, or subscribe via the link below to get all articles in the series delivered straight to your inbox. Subscribers will also receive the final white paper at the end of this series, which will include additional case studies from our work with our partners and set out how we strive to create a future of Defend-as-One, where peers and their suppliers come together to collaboratively secure their supply chains and strengthen their combined security.