Third Party Risk Management : Everything you need to know about attacks targeting third parties (supply chain)
Supply chain attacks, third-party attacks, value chain attacks, backdoor breaches… All these expressions refer to attacks targeting the supply chain. Indeed, rather than attacking their final target’s information system directly, some attackers seek to compromise intermediate elements of the value chain: often smaller players, sometimes less equipped in terms of cybersecurity, to gain access to their main target’s information system.
The notion of “supply chain” is of crucial importance here, as it refers to the complex interconnection of partner and third-party organisations that participate, via commercial links, in the activity of a main organisation. Subcontractors, subsidiaries, suppliers… This covers a wide range of players involved in a company’s operational process. Each link in this chain potentially represents a vulnerability that cybercriminals can exploit to achieve their objective.
The growing importance of the supply chain in the operation of modern businesses has meant that cyber-attackers are paying particular attention to these targets. Companies are working more and more closely with external partners to optimise their operations, reduce costs and improve efficiency. However, this increased collaboration comes with a high risk, as each partner can become a potential gateway for cyber attacks.
To deal with these threats, quantifying cyber risk is becoming an essential step in managing supply chain cyber security. Quantifying cyber risk means systematically assessing the vulnerabilities and threats to each component of the supply chain. This assessment makes it possible to measure the potential impact of cyber attacks and to prioritise security efforts according to the levels of risk identified.
In addition, cyber attacks are becoming increasingly sophisticated, with attackers using advanced techniques to conceal their activities, making detection more difficult and increasing response times. As a result, businesses must not only protect their own systems, but also ensure that their partners and suppliers apply rigorous security measures. By quantifying the risk, key performance indicators (KPIs) and appropriate control measures can be put in place to constantly monitor the state of cyber security within the supply chain.
This article takes a look at attacks targeting the supply chain, to provide you with the information you need to make informed choices about your cyber security. We’ll explore the most common types of attack, the possible consequences for businesses and best practices for strengthening the security of your supply chain. By understanding the risks and implementing effective management strategies, including accurate risk quantification, you can better protect your organisation against the growing threats in today’s cyber landscape.
Focus on some of the most significant cyber attacks
In order to better understand the concept of attacks targeting the supply chain, this section looks at some of the most significant attacks.
2013: The Target Data Breach
In 2013, Target, one of the largest retailers in the US, was the victim of a major cyber attack that took place during the busy festive season. Between 27 November and 15 December, attackers used credentials stolen from a subcontractor, Fazio Mechanical Services, to deploy malware on Target’s payment management system. This intrusion enabled the theft of the banking information and personal data of more than 110 million customers (equivalent to a third of the US population), with a total of 11 GB of data transferred from a server in the United States to another in Russia.
This incident marked a turning point in the way companies perceive and manage cyber security. The Target cyber attack highlighted the importance of an integrated approach to cyber security, taking into account vulnerabilities within the supply chain and complex interactions with business partners. The attack also highlighted the need to quantify cyber risk and prepare for evolving threats in an increasingly interconnected environment.
2020: The Lasting Impact of the SolarWinds Attack on Supply Chain Security
In December 2020, global cyber security was profoundly impacted by the sophisticated attack on SolarWinds, a US company specialising in network and IT systems management. Attackers infiltrated SolarWinds’ software development process, deploying malware known as “SUNBURST” in updates to the Orion software used by thousands of organisations around the world. The flaw allowed cybercriminals to create backdoors into victims’ networks, affecting around 18,000 customers, including US government agencies such as the Treasury Department and major corporations. The attack demonstrated the vulnerability of software supply chains and the ability of attackers to remain undetected for several months, exacerbating the damage.
The incident highlighted major shortcomings in organisations’ cyber defences and led to a re-evaluation of cyber security strategies, particularly with regard to third-party suppliers. Experts have suspected state involvement, particularly from Russia, although this attribution is still debated. In response, SolarWinds and its customers have undertaken significant efforts to strengthen system security, including more rigorous security audits and better cooperation between the private sector and government agencies to share information on threats.
2021: The Kaseya Incident and the Vulnerability of Third-Party Suppliers
In July 2021, the REvil cybercrime group carried out a ransomware attack against Kaseya, a company specialising in IT management solutions. By exploiting a critical vulnerability in Kaseya’s VSA software, which is used by IT service providers to manage their customers’ systems, the attackers were able to deploy the REvil ransomware across the company’s network. The ransomware was introduced via a compromised update, enabling cybercriminals to encrypt data and disrupt the operations of almost 1,500 businesses worldwide, across a range of sectors including finance, healthcare and the public sector.
The attack revealed systemic vulnerabilities in IT service providers’ cybersecurity management and highlighted the risks associated with companies’ reliance on third-party software. It showed how a flaw in management software can have a cascading effect on many organisations, causing service outages, data loss and recovery costs. In response, the industry has strengthened its cyber security practices by increasing supplier security audits, tightening access controls, and investing in more robust intrusion detection solutions to better secure IT supply chains.
Which cyber attacks are most likely to target the supply chain?
There is no single cyber attack model for targeting the value chain, especially as attackers are endlessly inventive in finding ways to compromise their targets. These attacks are not unique to the supply chain and can be found in other contexts. In this section, we look at the main threats likely to affect the supply chain.
1. Malware Attacks
Malware attacks are one of the most common and destructive threats to the supply chain. Cybercriminals use malware to infiltrate the IT systems of suppliers or business partners. Once inside, they can exfiltrate sensitive data, disrupt operations or create backdoors for future attacks. For example, ransomware, a specific category of malware, encrypts critical data and demands a ransom for its decryption, seriously disrupting business operations. Companies need to be particularly vigilant in detecting and preventing malware to secure their supply chain.
2. Phishing attacks and social engineering
Phishing and social engineering attacks exploit the trust and naivety of employees of partner companies in the supply chain. Cybercriminals send fraudulent emails or messages designed to trick recipients into divulging sensitive information, such as login credentials, or downloading malicious files. These attacks can allow attackers to take control of user accounts, gain access to internal networks or launch other types of more sophisticated attacks. By targeting the employees of less protected partners, attackers can easily gain access to the system of the final target.
3. Compromised Software Updates
Software update compromise is a sophisticated method of attack in which cybercriminals infiltrate the development or distribution processes of vendor software updates. These attacks allow attackers to introduce malware directly into the systems of customer companies during the update process. The SolarWinds attack is a striking example of this tactic, where a compromised update allowed attackers to infiltrate the networks of multiple large organisations. This type of attack is particularly dangerous because it exploits the trust placed in software vendors and can remain undetected for long periods of time.
4. Exploitation of supplier vulnerabilities
Cybercriminals often exploit known or unknown (zero-day) vulnerabilities in the systems, applications or infrastructures of supply chain suppliers. These vulnerabilities can be flaws in software code, incorrect configurations or gaps in security measures. By targeting these vulnerabilities, attackers can gain access to suppliers’ networks and, by extension, the networks of their business partners. Once inside, they can steal sensitive information, install malware or disrupt operations. Proactive vulnerability management and regular patching are essential to reduce this type of risk.
Cybersecurity must be a collective concern
To effectively manage their cyber risk, companies must take into account the vulnerabilities of third parties. The growing interconnection of systems makes cyber security a collective responsibility. It is therefore essential to develop a cybersecurity strategy that includes third parties to better control the surface area of exposure to cyber risk. Here are some ideas for integrating this approach into your organisation.
First, although many companies are already doing this, it is worth remembering that it is crucial to include cybersecurity clauses in contracts negotiated with suppliers and subcontractors. These clauses can include the obligation for partners to undergo security audits in order to identify and correct their vulnerabilities. This ensures that access granted to third parties does not compromise the security of your own information system. However, it is important to note that some partners may be reluctant to provide sensitive information or unable to comply with the security requirements, which could complicate the implementation of this strategy.
Secondly, cyber security requires financial resources that not all companies, particularly SMEs, can always afford. To control cyber risk, it makes sense to help the companies you work with to improve their defensive maturity. This can be done by temporarily providing cybersecurity tools and training, or by carrying out security audits. This approach is particularly relevant for subsidiaries, where the intensity of the links with the parent company requires a high level of cybersecurity to protect the entire network.
The choice of a cyber risk quantification solution is essential for effective supplier risk management. By using a risk quantification platform, such as the one offered by Citalid, companies can obtain reliable indicators to estimate their exposure to cyber risk, taking into account the global ecosystem in which they operate. These solutions can process a variety of data to provide an accurate view of risks, facilitating informed decisions in terms of cyber security. By taking into account both internal and external factors, businesses can better anticipate and manage potential threats, strengthening their resilience in the face of cyber attacks.
Finally, although companies are still struggling to fully integrate their interconnections into their cybersecurity strategy, developments are to be expected thanks to legislative advances in the European Union. The DORA regulation and the NIS 2 directive, for example, impose specific security measures for third parties linked to organisations in certain critical sectors. This legislation reinforces the importance of cybersecurity in commercial relations and encourages companies to adopt risk quantification practices to comply with the new requirements and better protect their supply chains.
In short, choosing a cyber risk quantification solution is a strategic investment that enables companies to better understand and manage the complex risks in their supply chain, while preparing for the future challenges posed by rapidly evolving cyber threats.
Why not try out quantifying the cyber risk for your company? Join the next live demo session here to ask an expert all your questions and see the Citalid platform in action!