Discover why hackers target corporate supply chains and learn how understanding their motivations can enhance your cyber security and third-party risk management strategies.
As cyber security postures, especially those of large global corporations and of highly regulated entities such as operators of critical national infrastructure, grow stronger and more difficult to penetrate, threat actors are increasingly looking for the weakest links in their targets’ defences. These are often found in smaller and less secure third parties. This is why smaller suppliers, who often lack the internal resources and expertise and are easier to penetrate, frequently become the target of such attacks, especially by state-sponsored hacking groups.
Given the verified threat of unauthorised access to files and opportunities for data exfiltration, any business or personal data held or processed by other organisations on our behalf may be at risk.
But what are the different motivations that lead threat actors to engage in supply chain attacks? This article explores the most common ones, so that we can better understand our adversaries and plan accordingly.
First and most prominently, of course, threat actors are often principally driven by financial motives. Whether carried out by cyber criminals, especially ransomware gangs, or by state-sponsored threat actors, especially those affiliated with financially weaker rogue states such as North Korea and Iran, cyber attacks have become a thriving global economy in their own right. If it were measured as a country, cyber crime would be the world’s third-largest economy after the US and China.
Often for the same reason, threat actors want our data. This is the principal way they can make money from a cyber attack. Attackers want our data either to sell it on the Dark Web or for corporate or government espionage purposes. So data theft through suppliers is driven either by financial incentives or by the goal of obtaining valuable intelligence, such as proprietary data on advanced technologies and other innovations, from competitors or rival states. Data from the European Union Agency for Cybersecurity (ENISA) shows that the majority of supply chain attacks are designed to steal data.
Increasingly, however, many threat actors are no longer just motivated by financial gains, or even by the intent of obtaining information. Especially state-sponsored attacks, which have been increasing steadily since the outbreak of the war in Ukraine, are often aimed at causing business disruption or even at destroying the systems they penetrate. This is what the NotPetya attack, for example, demonstrated.
Less prominent, but equally alarming, are the often very real physical effects of cyber attacks against infrastructure. The Refahiye pipeline explosion in Turkey in 2008, for example, which took the entire Baku-Tbilisi-Ceyhan pipeline out of commission for 20 days, is believed to have been caused by a deliberate cyber attack. While Turkey subsequently denied that a cyber attack was to blame for the explosion, in an article that appeared on Bloomberg in December 2014, the authors Jordan Robertson and Michael Riley claimed that “hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident”.
There was also the famous Stuxnet cyber attack against the Iranian nuclear programme, which resulted in the destruction of numerous Iranian nuclear centrifuges, and which has become known as Operation Olympic Games. The attack utilised a worm, a link file and a programmable logic controller rootkit, and targeted the industrial control systems of Siemens.
Since an attacker can potentially move from compromised software onward into connected systems, threat actors can also be motivated by the aim of penetrating the systems of specific organisations and bodies as part of a longer-term plan. This is again particularly likely to be the case for threat actors affiliated with nation states.
In the context of the SolarWinds attack, for example, which affected up to 18,000 clients of the company, including many federal government agencies in the US, it was discovered that Russian attackers had breached government systems and then lain dormant in them for weeks, if not months. They upgraded user privileges and created new ones in the systems they had breached, and were able to monitor internal emails by government agencies as well as extract sensitive information from their targets. This onslaught against US Government departments reportedly affected, among others, the US Treasury and Commerce departments as well as the Department of Homeland Security and the Pentagon.
Understanding the motivations of threat actors provides cyber security and TPRM professionals with crucial insights that can significantly enhance their risk management strategies. Here’s how this knowledge is beneficial and actionable:
Ultimately, this knowledge enables a more proactive security posture. By anticipating threat actor behaviours and intentions, cyber security professionals can stay a step ahead, implementing measures that pre-emptively address potential vulnerabilities.
By leveraging the understanding of threat actor motivations, cyber security and third-party risk management professionals can craft more resilient and adaptive security frameworks, ultimately safeguarding their organisations against an increasingly complex threat landscape.