Explainers & Guides

Why Hackers Target Our Corporate Supply Chains

Discover why hackers target corporate supply chains and learn how understanding their motivations can enhance your cyber security and third-party risk management strategies.

Why Hackers Target Our Corporate Supply ChainsWhy Hackers Target Our Corporate Supply Chains

As the cyber security postures, especially of large global corporations as well as of highly regulated entities such as operators of critical national infrastructures are getting stronger and more difficult to penetrate, threat actors are increasingly looking for the weakest links in their targets’ security postures. These are often to be found in smaller and less secure third-parties. This is why smaller suppliers, who often lack the internal resource and expertise, and are easier to penetrate, often become the target of such attacks, especially by state-sponsored hacking groups.

Given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business or personal data held or processed by other organisations on our behalf may be at risk. 

But what are the different motivations that lead threat actors to engage in supply chain attacks. This article explores the most common, so that we can better understand our adversaries and plan accordingly.

What Motivates Threat Actors?

Threat actors want our money

First and most prominently of course, threat actors are often principally driven by financial motives. Whether cyber criminals, especially ransomware gangs, or state-sponsored threat actors, especially those affiliated with financially weaker rogue states such as North Korea and Iran, cyber attacks have become a thriving global economy in its own right. If it were measured as a country, cyber crime would be the world’s third-largest economy after the US and China.

Threat actors want our data

Often for the same reason, threat actors want our data. This is the principal way they can make money from a cyber attack. Attackers want our data either in order to sell them on the Dark Web or for corporate or government espionage purposes. So the motivation for data theft incidents through suppliers are either driven by financial incentives, or by the goal to obtain valuable intelligence such as proprietary data on advanced technologies and other innovations from competitors or rival states. Data from the European Union Agency for Cybersecurity (ENISA) shows that the majority of supply chain attacks are designed to steal data.  

Threat actors want to cause business disruption

Increasingly, however, many threat actors are no longer just motivated by financial gains, or even by the intent of obtaining information. Especially state-sponsored attacks, which have been increasing steadily since the outbreak of the war in Ukraine, are often aimed at causing business disruption or even at destroying the systems they penetrate. This is what the NotPetya attack, for example, demonstrated.

Threat actors want to damage or destroy physical infrastructure

Less prominent, but an equally alarming occurrence are the often very real physical effects of cyber attacks against infrastructure. The Refahiye pipeline explosion in Turkey in 2008, for example, that took the entire Baku-Tbilisi-Ceyhan pipeline out of commission for 20 days is believed to have been caused by a deliberate cyber attack. While Turkey subsequently denied that a cyber attack was to blame for the explosion, in an article that appeared on Bloomberg in December 2014, the authors Jordan Robertson and Michael Riley claimed that “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident’”.

There was also the famous Stuxnet cyber attack against the Iranian nuclear programme, which resulted in the destruction of numerous Iranian nuclear centrifuges, and which has become known as Operation Olympic Games. The attack utilised a worm, a link file and a programmable logic controller rootkit, and targeted the industrial control systems of Siemens. 

Threat actors want to infiltrate our systems

Since there is the potential for an attacker to move from a compromised software onward into connected systems, they can also be motivated by penetrating the systems of specific organisations and bodies for a longer-term future plan. This is again particularly likely to be the case for threat actors affiliated with nation states. 

In the context of the SolarWinds attack, for example, which affected up to 18,000 clients of the company, including many federal government agencies in the US, it was discovered that Russian attackers had breached and then lay dormant in government systems for weeks, if not months. They upgraded user privileges and created new ones in the systems they had breached and were able to monitor internal emails by government agencies as well as extract sensitive information from their targets. This onslaught against US Government departments reportedly affected, among others, the US Treasury and Commerce departments as well as the Department of Homeland Security and the Pentagon.

Conclusion: How this information helps cyber security professionals

Understanding the motivations of threat actors provides cyber security and TPRM professionals with crucial insights that can significantly enhance their risk management strategies. Here’s how this knowledge is beneficial and actionable:

  1. Tailored Defence Strategies: By knowing why threat actors target specific parts of the supply chain, cyber security professionals can tailor their defence strategies accordingly. For instance, if the primary motivation is financial gain, heightened security measures can be implemented around sensitive financial data and transactions.
  2. Prioritising Resources: Understanding the motives helps in prioritising security resources and efforts. If data theft is a significant threat, then more resources can be allocated to data encryption, secure storage, and stringent access controls.
  3. Incident Response Planning: Knowledge of potential motives aids in crafting more effective incident response plans. For example, if business disruption is a primary goal, rapid recovery and continuity plans can be emphasised.
  4. Enhanced Threat Intelligence: Recognising the varied motivations enhances threat intelligence capabilities. Professionals can better anticipate the types of attacks and methodologies likely to be employed, leading to improved threat detection and prevention mechanisms.
  5. Supplier Risk Assessments: Insights into threat actor motivations highlight the importance of thorough supplier risk assessments. TPRM teams can identify which suppliers are more likely to be targeted, and to what end, and ensure they have strong security controls in place specifically related to their particular risk areas.
  6. Improved Collaboration and Communication: Understanding the motives behind attacks fosters better communication and collaboration with third-party suppliers. It emphasises the need for shared security practices and transparent communication about potential threats and mitigation measures.

Ultimately, this knowledge enables a more proactive security posture. By anticipating threat actor behaviors and intentions, cybersecurity professionals can stay a step ahead, implementing measures that preemptively address potential vulnerabilities.

By leveraging the understanding of threat actor motivations, cyber security and third-party risk management professionals can craft more resilient and adaptive security frameworks, ultimately safeguarding their organisations against an increasingly complex threat landscape.

Explainers & Guides

Download for free

By submitting this form, you agree to Risk Ledger’s Terms of Service, Privacy Policy, and Risk Ledger contacting you.

Thank you!
Download
Oops! Something went wrong while submitting the form.
Explainers & Guides

Download for free

Download
Pattern Trapezoid Mesh

Join our growing community

Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.