Behind each headline of a supply chain attack are organizations and victims facing the consequences of a brutal infiltration.
Equipped with automated tools, hackers can hunt through cloud-native applications, public code repositories, unprotected networks and more, without even paying much attention to their computers.
The goal is to launch a supply chain attack — an ambush on vulnerabilities in the software development lifecycle that taints individual components and code libraries. A successful attack exposes the organization itself, third-party vendors and customers to data leaks, financial damage and reputational disasters.
Just as cybersecurity strategies constantly evolve, hackers shift their tactics, too. Malicious actors keep their eye on the prize, identifying supply chain targets that harbor valuable data or act as the gateway to other vendors. The Q3 2023 Evolution of Software Supply Chain Security Report found a 47.4% increase in malicious packages targeting specific businesses. Strategies included:
- Source code threats. As with most cyber threats, human error is at the core. Bad coding practices, like poorly secured code assets, secrets published in public repositories, and vulnerabilities missed in code reviews, contribute to insecure development environments where hackers exploit opportunities to inject malicious code or leak data.
- Compromised dependencies. It would be impossible for the world of software development to operate without depending on third-party resources that save time and money for developers. But, as we witnessed during the Log4j crisis, a compromised public resource creates a ripple effect downstream.
- CI/CD (continuous integration/delivery) tool misconfigurations. Supply chain attacks on build tooling are challenging to identify, and unsecured codified configurations (pipeline definitions, runner settings, stored secrets) create attack vectors and leave gaps for hackers to enter.
The headlines speak volumes. Following are five of the most serious attacks of the last five years.
SolarWinds. The name of this network-management business has become almost synonymous with “supply chain attack.” In December 2020, a hack resulted in a data breach affecting 18,000 customers, including government agencies. After an extensive investigation, the cause was revealed to be malicious code added to an update for SolarWinds’ Orion software. It happened so early in the chain that it went undetected in verification and validation checks.
Codecov. This U.S.-based software company suffered an attack in 2020 after hackers exploited a mistake in a Docker image-creation process and obtained credentials. The hackers gained access to software development tools using this newfound key to the kingdom. They modified a script to send environment variables from Codecov customers’ CI environments to a remote server. The attack exposed secrets and data of their clients.
Mimecast. The 2021 attack on this cloud cybersecurity company resulted in stolen secure sockets layer (SSL) and code-signing certificates. Hackers compromised a certificate used by customers to connect with Microsoft 365 Exchange services. While the attack interrupted the communications of Microsoft customers, it also exposed the wider dangers of compromised SSL certificates and stolen code-signing certificates. Such activity runs the risk of allowing malware to be passed off as authentic software, yet, thankfully, the incident didn’t reach this crescendo.
Okta. Following a string of incidents throughout 2022 and 2023, Okta suffered an attack at the end of the year within its support case management system. Chief security officer David Bradbury concluded that “a threat actor gained unauthorized access to files inside Okta's customer support system associated with 134 Okta customers, or less than 1% of Okta customers.” Okta is a tempting target that counts the US military as one of its 10,000 customers. Hackers could see it as the ultimate gateway to valuable data, raising fears that we could see a SolarWinds 2.0 in the future.
MGM. The casino and hotel chain represents security professionals’ worst nightmare: an attack that creates a domino effect. A vishing scam (phishing via phone call) triggered a cybersecurity shutdown of ATMs, slot machines, and even TV services, leaving MGM staff turning to traditional pen and paper to continue serving guests. The incident left MGM’s many partner vendors wondering if they are in the firing line, too — the supply chain attack could rear its ugly head in the future, as hackers knock these dominoes down.
There are as many ways to protect against a supply chain attack as there are to cause one:
- Test, test, test. Include static and dynamic application security testing (SAST and DAST) throughout development, both scheduled and unscheduled.
- Prepare for the worst. Create a detailed incident response plan and a team to manage it.
- Shut the gate. Implement identity and access management best practices to authenticate and authorize all users.
- Manage dependencies. Use software composition analysis (SCA) tools and automate continuous vulnerability monitoring for 24/7 protection.
- Trust no one. Identify and use only trusted sources after mapping all software components and dependencies.
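The "manage dependencies" and "trust no one" points above amount to a policy that can be checked mechanically before a build runs. The following is an added example, not code from the article or from Check Point: it audits a pip-style lockfile (a constructed sample) against an assumed allow-list of package indexes, flagging dependencies that float instead of being pinned, that carry no hash, or whose downloaded bytes do not match the locked hash (the kind of swap that turned a trusted resource into a compromised one in the incidents above).

```python
import hashlib
import re

TRUSTED_INDEXES = {"https://pypi.org/simple"}  # assumption: the organization's approved sources

# Constructed stand-ins for downloaded wheels; not real packages or real contents.
ARTIFACTS = {
    "requests": b"constructed wheel bytes for requests",
    "urllib3": b"constructed wheel bytes for urllib3",
    "leftpad": b"constructed wheel bytes for leftpad, tampered",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed lockfile in pip requirements syntax: the index is not on the allow-list,
# urllib3 floats without a hash, and leftpad's hash deliberately does not match its bytes.
LOCKFILE = f"""
--index-url https://mirror.example.internal/simple
requests==2.31.0 --hash=sha256:{sha256(ARTIFACTS['requests'])}
urllib3>=1.26
leftpad==1.0.0 --hash=sha256:{'0' * 64}
"""

REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([^\s]*)")

def parse_lockfile(text):
    """Return (index_urls, entries); each entry has name, op, version and a set of sha256 hex digests."""
    indexes, entries = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("--index-url", "-i ", "--extra-index-url")):
            indexes.append(line.split()[-1])
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        hashes = {h.split(":", 1)[1] for h in re.findall(r"--hash=(sha256:[0-9a-f]{64})", line)}
        entries.append({"name": m.group(1).lower(), "op": m.group(2),
                        "version": m.group(3), "hashes": hashes})
    return indexes, entries

def audit(lockfile: str, artifacts: dict) -> dict:
    """Map each package (and each index URL) to its policy findings; an empty list means clean."""
    indexes, entries = parse_lockfile(lockfile)
    findings = {}
    for url in indexes:
        if url not in TRUSTED_INDEXES:
            findings.setdefault("index:" + url, []).append("untrusted-index")
    for e in entries:
        probs = findings.setdefault(e["name"], [])
        if e["op"] != "==":
            probs.append("unpinned")       # a floating range pulls in whatever is published next
        if not e["hashes"]:
            probs.append("no-hash")        # nothing ties name and version to specific bytes
        elif e["name"] in artifacts and sha256(artifacts[e["name"]]) not in e["hashes"]:
            probs.append("hash-mismatch")  # the fetched bytes differ from what was reviewed and locked
    return findings
```

Wire `audit` into the pipeline so that any non-empty finding list fails the build before installation; the same check runs unchanged against a real `requirements.txt` generated with `pip-compile --generate-hashes`.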
The goal is to avoid having a single point of failure in your software development lifecycle (SDLC) that might enable unauthorized access or unwanted attention. Thankfully, with the comprehensive automation tools available on the market, developers can become increasingly comfortable knowing that their supply chains are secure.
Dotan Nahum is head of developer-first security at Check Point Software Technologies.