Supply chain attack
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector.[1] Cybercriminals typically tamper with the manufacturing process of a product by installing a rootkit or hardware-based spying components.[2] In an Internet Security Threat Report, powered by Symantec, it is stated that supply chain attacks still continue to be a feature of the threat landscape, with an increase by 78 percent in 2018.
The Target security breach, Eastern European ATM malware, as well as the Stuxnet computer worm are examples of supply chain attacks.
Supply chain management experts recommend strict control of an institution's supply network in order to prevent potential damage from cybercriminals.[3]
Overview
A supply chain is a system of activities involved in handling, distributing, manufacturing and processing goods in order to move resources from a vendor into the hands of the final consumer. A supply chain is a complex network of interconnected players governed by supply and demand.[4]
Although supply chain attack is a broad term without a universally agreed upon definition,[5][6] in reference to cyber-security, a supply chain attack involves physically tampering with electronics (computers, ATMs, power systems, factory data networks) in order to install undetectable malware for the purpose of bringing harm to a player further down the supply chain network.[1][2][7]
In a more general sense a supply chain attack may not necessarily involve electronics. In 2010 when burglars gained access to the pharmaceutical giant Eli Lilly's supply warehouse, by drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck, they could also have been said to carry out a supply chain attack.[8][9] However, this article will discuss cyber attacks on physical supply networks that rely on technology; hence, a supply chain attack is a method used by cyber-criminals.[10]
Attack framework
Generally, supply chain attacks on information systems begin with an advanced persistent threat that determines a member of the supply network with the weakest cyber security in order to affect the target organization.[10] According to an investigation produced by Verizon Enterprise, 92% of the cyber security incidents analyzed in their survey occurred among small firms.[11]
APT's can often gain access to sensitive information by physically tampering with the production of the product.[12] In October 2008, European law-enforcement officials "uncovered a highly sophisticated credit-card fraud ring" that stole customer's account details by using untraceable devices inserted into credit-card readers made in China to gain access to account information and make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses.[13]
Risks
The threat of a supply chain attack poses a significant risk to modern day organizations and attacks are not solely limited to the information technology sector; supply chain attacks affect the oil industry, large retailers, the pharmaceutical sector and virtually any industry with a complex supply network.[1][7]
The Information Security Forum explains that the risk derived from supply chain attacks is due to information sharing with suppliers, it states that "sharing information with suppliers is essential for the supply chain to function, yet it also creates risk... information compromised in the supply chain can be just as damaging as that compromised from within the organization".[14]
While Muhammad Ali Nasir of the National University of Emerging Sciences, associates the above-mentioned risk with the wider trend of globalization stating "…due to globalization, decentralization and outsourcing of supply chains, numbers of exposure points have also increased because of the greater number of entities involved and that too are scattered all around the globe… [a] cyber-attack on [a] supply chain is the most destructive way to damage many linked entities at once due to its ripple effect."[15]
Poorly managed supply chain management systems can become significant hazards for cyber attacks, which can lead to a loss of sensitive customer information, disruption of the manufacturing process, and could damage a company's reputation.[16]
Examples
Compiler attacks
Wired reported a connecting thread in recent software supply chain attacks, as of 05.03.19.[17]
These have surmised to have spread from infected, pirated, popular compilers posted on pirate websites. That is, corrupted versions Apple's XCode and Microsoft Visual Studio.[18]
(In theory, alternating compilers [19] might detect compiler attacks, when the compiler is the trust root.)
Target
At the end of 2013, Target, a US retailer, was hit by one of the largest data breaches in the history of the retail industry.[20]
Between 27 November and 15 December 2013, Target's American brick-and-mortars stores experienced a data hack. Around 40 million customers credit and debit cards became susceptible to fraud after malware was introduced into the POS system in over 1,800 stores.[20] The data breach of Target's customer information saw a direct impact on the company's profit, which fell 46 percent in the fourth quarter of 2013.[21]
Six months prior the company began installing a $1.6 million cyber security system. Target had a team of security specialists to monitor its computers constantly. Nonetheless, the supply chain attack circumvented these security measures.[22]
It is believed that cyber criminals infiltrated a third party supplier to gain access to Target's main data network.[23] Although not officially confirmed,[24] investigation officials suspect that the hackers first broke into Target's network on 15 November 2013 using passcode credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems.[25]
90 lawsuits have been filed against Target by customers for carelessness and compensatory damages. Target spent around $61 million responding to the breach, according to its fourth-quarter report to investors.[26]
Stuxnet
Believed to be an American-Israeli cyber weapon, Stuxnet is a malicious computer worm.[27] The worm specifically targets systems that automate electromechanical processes used to control machinery on factory assembly lines or equipment for separating nuclear material.
The computer worm is said to have been specifically developed in order to damage potential uranium enrichment programs by the Government of Iran; Kevin Hogan, Senior Director of Security Response at Symantec, reported that the majority of infected systems by the Stuxnet worm were in located in the Islamic Republic of Iran,[28] which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in the country[29] including either the Bushehr Nuclear Power Plant or the Natanz nuclear power plant.[30]
Stuxnet is typically introduced into the supply network via an infected USB flash drive with persons with physical access to the system. The worm then travels across the cyber network, scanning software on computers controlling a programmable logic controller (PLC). Stuxnet introduces the infected rootkit onto the PLC modifying the codes and giving unexpected commands to the PLC while returning a loop of normal operation value feedback to the users.[31]
ATM malware
In recent years malware known as Suceful, Plotus, Tyupkin and GreenDispense have affected automated teller machines globally, especially in Russia and the Ukraine.[32] GreenDispenser specifically gives attackers the ability to walk up to an infected ATM system and remove its cash vault. When installed, GreenDispenser may display an ‘out of service’ message on the ATM, but attackers with the right access credentials can drain the ATM's cash vault and remove the malware from the system using an untraceable delete process.[33]
The other types of malware usually behave in a similar fashion, capturing magnetic stripe data from the machine's memory storage and instructing the machines to withdraw cash. The attacks require a person with insider access, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM.[34]
The Tyupkin malware active in March 2014 on more than 50 ATMs at banking institutions in Eastern Europe, is believed to have also spread at the time to the U.S., India and China. The malware affects ATMs from major manufacturers running Microsoft Windows 32-bit operating systems. The malware displays information on how much money is available in every machine and allows an attacker to withdraw 40 notes from the selected cassette of each ATM.[35]
NotPetya / M.E.Doc
During the spring of 2017 the core code of the financial package "M.E.Doc" used in the Ukraine was infected with the NotPetya virus and subsequently download by subscribers. The hack was carried out on the provider's system: either hacking the code itself at the provider, or a hack re-routing download requests to another server. Press reports at the time make it clear this was a supply chain attack, but the attack vector used is not specified.[36]
British Airways
During August & September 2018 the British Airways website payment section contained code that harvested customer payment data. The injected code was written specifically to route credit card information to a website in a domain baways.com, which could erroneously be thought to belong to British Airways.[37]
SolarWinds
The 2020 Global Supply Chain Cyberattack is believed to have resulted through a supply chain attack targeting the IT infrastructure company SolarWinds, which counts many federal institutions among its clients,[38][39] including the business computers of the National Nuclear Security Administration (NNSA).[40] The Department of Homeland Security has issued Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise" which involves disconnecting any afflicted Windows host OS from its enterprise domain, and rebuilding those Windows hosts using trusted sources.[41] The afflicted Windows operating system (OS) hosts were those monitored by the SolarWinds Orion monitoring software.[41] DOE's NNSA has since disconnected the breached Windows hosts.[42]
In addition to the U.S. federal government, 18,000 out of SolarWinds' 33,000 customers who use the SolarWinds Orion software update platform are vulnerable. Orion was compromised in March and June 2020, before the cyber breach was detected by FireEye in December 2020. For example, Microsoft was itself a victim of the update software breach.[43][44] Microsoft is now working with FireEye to contain the ongoing cyber attack contained in supply chain software used by "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East" —FireEye.[43]
Volexity, a cybersecurity firm, has reconstructed the attack sequence on an unnamed US think tank: first, the attacker exploited a remote code execution vulnerability in an on-premise Microsoft Exchange server;[45] after that vulnerability was remedied, the attacker exploited security holes in the SolarWinds Orion platform, which were exposed in December 2020; third, the think tank's Duo two-factor authentication proxy server was exploited to gain access to breach the infrastructure of the think tank yet again.[45][46]
Prevention
Government
The Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review passed by the Bush and Obama administrations respectively, direct U.S. federal funding for development of multi-pronged approaches for global supply chain risk management.[47][48] According to Adrian Davis of the Technology Innovation Management Review, securing organizations from supply chain attacks begins with building cyber-resilient systems.[49] Supply chain resilience is, according to supply chain risk management expert Donal Walters, "the ability of the supply chain to cope with unexpected disturbances" and one of its characteristics is a company-wide recognition of where the supply chain is most susceptible to infiltration. Supply chain management plays a crucial role in creating effective supply chain resilience.[50]
In March 2015, under the Conservative and Liberal democratic government coalition, the UK Department for Business outlined new efforts to protect SMEs from cyber attacks, which included measures to improve supply chain resilience.[51]
The UK government has produced the Cyber Essentials Scheme, which trains firms for good practices to protect their supply chain and overall cyber security.[52]
Financial institutions
The Depository Trust and Clearing Group, an American post-trade company, in its operations has implemented governance for vulnerability management throughout its supply chain and looks at IT security along the entire development lifecycle; this includes where software was coded and hardware manufactured.[53]
In a 2014 PwC report, titled "Threat Smart: Building a Cyber Resilient Financial Institution", the financial services firm recommends the following approach to mitigating a cyber attack:
"To avoid potential damage to a financial institution’s bottom line, reputation, brand, and intellectual property, the executive team needs to take ownership of cyber risk. Specifically, they should collaborate up front to understand how the institution will defend against and respond to cyber risks, and what it will take to make their organization cyber resilient.[54]
Cyber security firms
FireEye, a US network security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats, such as advanced persistent threats and spear phishing,[55] recommends firms to have certain principles in place to create resilience in their supply chain, which include having:
- A small supplier base: This allows a firm to have tighter control over its suppliers.
- Stringent vendor controls: Imposing stringent controls on suppliers in order to abide by lists of approved protocol. Also conducting occasional site audits at supplier locations and having personnel visiting the sites on a regular basis for business purposes allows greater control.
- Security built into design: Security features, such as check digits, should be designed into the software to detect any previous unauthorized access to the code. An iterative testing process to get the code functionally hardened and security-hardened is a good approach.[56]
On 27 April 2015, Sergey Lozhkin, a Senior Security Researcher with GReAT at Kaspersky Lab, spoke about the importance of managing risk from targeted attacks and cyber-espionage campaigns, during a conference on cyber security he stated:
"Mitigation strategies for advanced threats should include security policies and education, network security, comprehensive system administration and specialized security solutions, like... software patching features, application control, whitelisting and a default deny mode."[57]
References
- "Next Generation Cyber Attacks Target Oil And Gas SCADA | Pipeline & Gas Journal". www.pipelineandgasjournal.com. Retrieved 27 October 2015.
- "New malware hits ATM and electronic ticketing machines". SC Magazine UK. Retrieved 29 October 2015.
- Urciuoli, L., Männistö, T., Hintsa, J., & Khan, T. (2013). SUPPLY CHAIN CYBER SECURITY - POTENTIAL THREATS. Information & Security, 29(1), 51-68. Retrieved 2015-10-29
- "Supply Chain Definition | Investopedia". Investopedia. Retrieved 4 November 2015.
- Supply chain, cyber security and geo-political issues pose greatest risks, as risk goes up in importance and profile say risk managers at sword active risk conference. (28 July 2015). M2 Presswire Retrieved on 2015-11-4
- Napolitano, J. (6 January 2011). How to secure the global supply chain. Wall Street Journal Retrieved on 2015-11-4
- Kuchler, Hannah (28 May 2014). "Cyber attackers 'target healthcare and pharma companies'". Financial Times. ISSN 0307-1766. Retrieved 27 October 2015.
- "Drug theft goes big". Fortune. Retrieved 4 November 2015.
- "Solving the Eli Lilly Drug Theft". www.securitymagazine.com. Retrieved 4 November 2015.
- CERT-UK (2015). "Cyber-security risks in the supply chain" (PDF). Archived from the original (PDF) on 18 February 2015. Retrieved 27 October 2015.
- "2014 Data Breach Investigations Report" (PDF). Verizon Enterprise. 2014. Retrieved 27 October 2015.
- Modine, Austin (10 October 2008). "Organized crime tampers with European card swipe devices". The Register. Retrieved 27 October 2015.
- Gorman, Siobhan. "Fraud Ring Funnels Data From Cards to Pakistan". Wall Street Journal. ISSN 0099-9660. Retrieved 27 October 2015.
- "Security Form" (PDF).
- Nasir, Muhammad Ali (June 2015). "Potential cyber-attacks against global oil supply chain". 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). pp. 1–7. CiteSeerX 10.1.1.695.1707. doi:10.1109/CyberSA.2015.7166137. ISBN 978-0-9932-3380-7. S2CID 18999955.
- Urciuoli, Luca (April 2015). "Cyber-Resilience: A Strategic Approach for Supply Chain Management". Talent First Network. ProQuest 1676101578.
- Greenberg, Andy (3 May 2019). "A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree". Wired. ISSN 1059-1028. Retrieved 16 July 2019.
- Cox, Joseph (18 September 2015). "Hack Brief: Malware Sneaks Into the Chinese iOS App Store". Wired. ISSN 1059-1028. Retrieved 16 July 2019.
- "Fully Countering Trusting Trust through Diverse Double-Compiling". dwheeler.com. Retrieved 16 July 2019.
- "Target data breach: Why UK business needs to pay attention". ComputerWeekly. Retrieved 27 October 2015.
- Harris, Elizabeth A. (26 February 2014). "Data Breach Hurts Profit at Target". The New York Times. ISSN 0362-4331. Retrieved 27 October 2015.
- "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". BloombergView. Retrieved 30 October 2015.
- Kuchler, Hannah (20 October 2014). "Hackers find suppliers are an easy way to target companies". Financial Times. ISSN 0307-1766. Retrieved 27 October 2015.
- "Archived copy" (PDF). Archived from the original (PDF) on 6 November 2015. Retrieved 27 October 2015.CS1 maint: archived copy as title (link)
- "Target Hackers Broke in Via HVAC Company — Krebs on Security". krebsonsecurity.com. Retrieved 27 October 2015.
- "Target Offers $10 Million Settlement In Data Breach Lawsuit". NPR.org. Retrieved 30 October 2015.
- "Confirmed: US and Israel created Stuxnet, lost control of it". Ars Technica. Retrieved 27 October 2015.
- "Iran was prime target of SCADA worm". Computerworld. Retrieved 27 October 2015.
- reporter, Jonathan Fildes Technology; News, B. B. C. "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 27 October 2015.
- Fildes, Jonathan (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 23 September 2010.
- "A Declaration of Cyber-War". VANITY FAIR. April 2011.
- "Tyupkin Virus (Malware) | ATM Machine Security | Virus Definition". www.kaspersky.com. Retrieved 4 November 2015.
- "Meet GreenDispenser: A New Breed of ATM Malware | Proofpoint". www.proofpoint.com. Retrieved 30 October 2015.
- "New ATM Malware Captures PINs and Cash — Updated". WIRED. Retrieved 30 October 2015.
- "Tyupkin: manipulating ATM machines with malware - Securelist". securelist.com. Retrieved 19 May 2020.
- "Family firm in Ukraine says it was not responsible for cyber attack". reuters.com. Retrieved 1 June 2019.
- "Customer data theft". britishairways.com. Retrieved 1 June 2019.
- Christina Zhao (14 December 2020). "Solar Winds, Probably Hacked by Russia, Serves White House, Pentagon, NASA". Newsweek. Retrieved 14 December 2020.
- Sanger, David E.; Perlroth, Nicole; Schmitt, Eric (15 December 2020). "Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit" – via NYTimes.com.
- Johnson, Kevin; Snider, Mike (18 December 2020). "Russian cyber attack against US: Worst may be yet to come, experts fear, as Trump remains mum". USA Today.
- Department of Homeland Security (13 Dec 2020) Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise"
- Rob Lever (18 Dec 2020) Massive cyberattack grows beyond US, heightening fears
- Alex Marquardt, Brian Fung and Zachary Cohen, CNN (December 17, 2020) Microsoft identifies more than 40 organizations targeted in massive cyber breach
- T.C. Sottek (Dec 31, 2020) Microsoft says hackers were able to see some of its source code
- Ionut Ilascu (December 17, 2020) Nation-state hackers breached US think tank thrice in a row
- Michael Trantas (Dec 2016) Vulnerability in Duo’s Authentication Proxy Server Software
- "Cyberspace Policy Review" (PDF). Whitehouse.gov. Retrieved 29 October 2015.
- "The Comprehensive National Cybersecurity Initiative". The White House. Retrieved 29 October 2015.
- Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4), 19-27. Retrieved on 29-10-2015
- Waters, D. 2011. Supply Chain Risk Management (2nd ed.). London: Kogan Page. Accessed 29-10-2015
- "Cyber security insurance: new steps to make UK world centre - Press releases - GOV.UK". www.gov.uk. Retrieved 30 October 2015.
- "Cyber Essentials - OFFICIAL SITE". www.cyberstreetwise.com. Retrieved 30 October 2015.
- Hoover, J. N. (2009). Secure the cyber supply chain. InformationWeek, (1247), 45-46,48,50,52. Retrieved from 2015-10-29
- "Threat smart: Building a cyber resilient financial institution" (PDF). FS Viewpoint. PwC. October 2014. Retrieved 4 June 2020.
- "Advanced Cyber Security - Stop Cyber Attacks | FireEye". FireEye. Retrieved 30 October 2015.
- "BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT" (PDF). Retrieved 30 October 2015.
- "Kaspersky Lab and EY Warn Organizations to Get Prepared for Cyberthreats | Kaspersky Lab". www.kaspersky.com. Retrieved 30 October 2015.