
Illustration: Aïda Amer/Axios
A pair of recent high-profile cyberattacks are putting a spotlight back on a hacking tactic that’s growing in popularity.
The big picture: A number of supply chain attacks have already hit organizations this year. Despite the name, these attacks have nothing to do with the better-known trade and logistics supply chains.
- Instead, in the cybersecurity world, a supply chain attack is one that compromises a company's software vendor (its software supply chain) in order to reach that vendor's customers.
How it works: Supply chain attacks often start with hackers targeting a single entity — typically a software provider — in the hopes of accessing information from that organization’s customers.
- To do this, attackers inject malicious code into the compromised vendor's source code, build pipeline or software updates. Because the tainted release goes out through the vendor's normal, trusted distribution channel, customers running the product on their own networks install the malware themselves.
- One of the highest-profile recent supply chain attacks was the SolarWinds cyber espionage campaign, where Russian state-backed hackers snuck malware into a routine SolarWinds software update and infected nine federal agencies and at least 100 companies.
Driving the news: Recent headlines surrounding vulnerabilities in the MOVEit file-transfer program and Barracuda Networks' email security appliances have brought the spotlight back to software supply chain attacks. Unlike SolarWinds, both were zero-day vulnerabilities exploited in widely deployed vendor products rather than tampered updates, but the effect was the same: one vendor's flaw exposed every customer running it.
Zoom out: Software supply chain attacks have been gaining traction in recent years.
By the numbers: More than 10 million people and more than 1,700 organizations were affected by supply chain attacks in 2022, according to a report from the Identity Theft Resource Center.
Between the lines: Protecting against a software supply chain attack is tricky given that companies often have little visibility into their software vendors’ cybersecurity programs.
- When a supply chain attack happens, each affected organization also ends up being reliant on the targeted software provider for information about the threat and patches to protect its systems.
The intrigue: Visibility also isn’t as simple as knowing which vendors are on an organization’s networks. Companies can also be at risk if there are vulnerabilities in their vendors’ own software vendors.
- One example is the recent North Korea-linked 3CX supply chain attack, which researchers at Mandiant have said started as a cyberattack on another platform, X_Trader.
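The visibility problem described above, knowing not just which vendors are on the network but which vendors those vendors depend on, is exactly what a software bill of materials (SBOM) is meant to answer. The following Python script is an added example, not code from the article or from any vendor named in it: it walks a constructed, CycloneDX-style SBOM for a hypothetical product (the product, component and supplier names are invented) and reports every supplier reachable through the dependency graph, how many hops away each one sits, which components come from suppliers the customer never chose, and which components carry no hash an update could be checked against.

```python
import json
from collections import deque

# Constructed sample SBOM (CycloneDX-style JSON); every name in it is invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "bom-ref": "desk-app@2.0",
            "name": "desk-app",
            "supplier": {"name": "VendorA"},
            "hashes": [{"alg": "SHA-256", "content": "11" * 32}],
        }
    },
    "components": [
        {"bom-ref": "trading-lib@1.4", "name": "trading-lib",
         "supplier": {"name": "VendorB"},
         "hashes": [{"alg": "SHA-256", "content": "22" * 32}]},
        {"bom-ref": "ui-kit@3.1", "name": "ui-kit",
         "supplier": {"name": "VendorA"},
         "hashes": [{"alg": "SHA-256", "content": "33" * 32}]},
        # Pulled in by VendorB's library, not by VendorA directly, and shipped
        # without a hash: the customer never chose this supplier at all.
        {"bom-ref": "crypto-shim@0.9", "name": "crypto-shim",
         "supplier": {"name": "VendorC"}},
    ],
    "dependencies": [
        {"ref": "desk-app@2.0", "dependsOn": ["trading-lib@1.4", "ui-kit@3.1"]},
        {"ref": "trading-lib@1.4", "dependsOn": ["crypto-shim@0.9"]},
    ],
})


def load_sbom(text):
    """Parse the SBOM into (root ref, {ref: component}, {ref: [child refs]})."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, deps


def supplier_of(component):
    """Supplier name, or "unknown" when the SBOM does not record one."""
    return component.get("supplier", {}).get("name", "unknown")


def transitive_suppliers(text):
    """Breadth-first walk from the installed product over its dependency graph.

    Returns {ref: (hops, supplier)} where hops is the distance from the product:
    1 = a component the vendor ships directly, 2 = the vendor's own vendor, etc.
    The visited dict makes the walk terminate on cyclic dependency graphs.
    """
    root, components, deps = load_sbom(text)
    hops = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in deps.get(ref, []):
            if child not in hops:
                hops[child] = hops[ref] + 1
                queue.append(child)
    return {ref: (n, supplier_of(components.get(ref, {}))) for ref, n in hops.items()}


def fourth_party_components(text):
    """Components supplied by someone other than the product's own vendor:
    suppliers the customer has no contract with and usually no visibility into."""
    root, components, _ = load_sbom(text)
    own_vendor = supplier_of(components[root])
    reach = transitive_suppliers(text)
    return sorted(ref for ref, (_, sup) in reach.items() if sup != own_vendor)


def unverifiable_components(text):
    """Components with no hash recorded, so an update could not be pinned or checked."""
    _, components, _ = load_sbom(text)
    return sorted(ref for ref, comp in components.items() if not comp.get("hashes"))


if __name__ == "__main__":
    ranked = sorted(transitive_suppliers(SAMPLE_SBOM).items(), key=lambda kv: kv[1])
    for ref, (n, sup) in ranked:
        print(f"{n} hop(s): {ref:20} supplied by {sup}")
    print("fourth-party components:", fourth_party_components(SAMPLE_SBOM))
    print("no hash to verify against:", unverifiable_components(SAMPLE_SBOM))
```

Real SBOMs arrive from the vendor or are generated from the installed artifact; the walk is the same. One caveat: a recorded hash only confirms that you received what the vendor built, not that the vendor's build was clean, which is why the SolarWinds update passed the vendor's own signature checks.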
Yes, but: The Biden administration is pushing new initiatives to give organizations more visibility into the software running on their networks, such as the software bill of materials (SBOM) requirements that followed the 2021 cybersecurity executive order.