Cyber threats in the form of supply chain attacks are on the rise and becoming more sophisticated. These attacks specifically target the intricate network of relationships between organisations, their suppliers, vendors, and third-party service providers. The interconnected nature of digital supply chains, which often span across multiple organisations, systems, and geographies, creates vulnerabilities that attackers exploit.
Over the past six months, there has been a significant increase in cyber-attacks targeting supply chain vendors. Here are the major incidents that have occurred recently.
June 2023 – MOVEit Supply Chain Attack
In June 2023, a major supply chain attack occurred, targeting the MOVEit file-transfer program. MOVEit is designed to transfer sensitive files securely and is particularly popular in the US.
The consequences of the MOVEit attack were far-reaching. It not only compromised the security of the organisations directly involved but also had a ripple effect on their customers and partners. British Airways, the BBC, and Boots are among the companies whose data was compromised. Attackers gained unauthorised access to sensitive data, potentially exposing confidential information and trade secrets. This breach of trust not only resulted in financial losses but also damaged the reputation and credibility of the affected organisations.
The sophistication of these supply chain attacks is a cause for concern. Attackers are constantly evolving their techniques, making it increasingly difficult to detect and prevent such incidents. Traditional security measures are no longer sufficient to combat these threats. Organisations must adopt a proactive approach, implementing robust cybersecurity measures throughout their supply chains.
The MOVEit attack serves as a wake-up call, highlighting the need for enhanced cybersecurity measures and collaboration among stakeholders. By prioritising security, conducting regular assessments, and investing in advanced threat detection systems, organisations can better protect themselves and their supply chains from these evolving cyber threats.
March 2023 – 3CX Supply Chain Attack
The 3CX supply chain attack targeted the company’s Windows and macOS desktop apps, raising doubts about the reliability and safety of the software’s supply chain. The attackers compromised the apps using an infected library file, which downloaded an encrypted file containing Command & Control information. This enabled the attackers to carry out harmful actions within the victim’s environment.
It appears that the harmful versions of the apps had legitimate 3CX certificates, indicating that the company’s development process may have been breached. This led to the release of altered apps straight from 3CX’s download servers. This shows how software supply chains can be vulnerable, since even a small security breach can have significant implications for customers who depend on the software. The incident also illustrates how cyber attackers are becoming more advanced and persistent in targeting supply chains to gain entry into organisations and acquire confidential data.
February 2023 – Applied Materials Supply Chain Attack
In February, a cyber attack on the supply chain caused disruption and had financial implications for semiconductor company Applied Materials.
The attack targeted a business partner whose identity has not been disclosed by Applied Materials. However, there is speculation that MKS Instruments, an industrial equipment supplier, may have been the entry point for the breach.
MKS Instruments had previously reported a ransomware attack on February 3, leading to the rescheduling of their fourth-quarter earnings call. Applied Materials referred to the targeted company as a significant supplier. MKS Instruments was still recovering from the attack, which directly affected its Vacuum Solutions and Photonics Solutions divisions and in turn delayed the processing and shipping of orders. The financial cost to Applied Materials in the first quarter of 2023 was projected to be $250 million.