Cyber Criminals Attack Through Supply Chains

Businesses have become increasingly sophisticated in their defences, but so too have the hackers. By targeting the supply chain, they are circumventing even the most sophisticated defences.

Picture this scene. It’s the closing stages of the Second World War and the Allies are plotting their final attack against Japan. A direct assault against the mainland would be extremely difficult so they employ a different tactic known as island hopping. Bit by bit the Allies capture strategically important islands around the mainland establishing bases and giving themselves a foothold for attack.

It was a great way to defeat a formidable enemy by exploiting its weakest links and today cyber criminals are doing pretty much the same thing by targeting supply chains. It’s effective, insidious and even the most security aware company may not see it coming.

A Looming Threat

Businesses increasingly rely on third party partnerships. At any one time, an organisation might be working with hundreds of different partners. It could be software providers, logistics organisations, or web services. It’s an exciting agile world in which businesses harness the power of partnerships to power growth at an increasingly rapid rate. However, it also creates a fantastic opportunity for cyber criminals.

A world of complex supply chains and business partnerships changes the nature of cyber security. While companies used to be able to regard themselves as fortresses surrounded by multi layered defence strategies, now they look more like a Metro system, a tangled web of interlined relationships with multiple entry points. Each of these represents a potential attack vector.
According to Symantec, supply chain attacks grew by 150% between 2016 and 2017. Today half of all cyber attacks come use the island-hopping approach. Carbon Black’s Global Incidence Threat Report found that exactly 50% of cyber attacks focus on supply chains and at least 70% attempt some form of lateral movement. In 31% of cases, attackers were gaining better and more prolonged access to targets’ environments allowing them to create even more destruction. Furthermore, the most common targets were sectors which were high value and normally highly secure such as finance, retail and manufacturing.

What’s more, the rise of state sponsored cyber attacks mean businesses must be on guard against highly sophisticated, well-funded, cyber organisations. A report from the US intelligent community highlighted the growing threat posed by IT supply chain hacks from states with Iran, China and Russia being the most active.

The most notorious of these is the so called NotPetra virus launched against the Ukraine with the infection of accountancy software. Hackers, believed to be from the Russian Government, infiltrated accountancy software based in the Ukraine. The virus quickly spread beyond Ukraine affecting some of the world’s largest companies such as the shipping giant Maersk and FedEx.
Supply chains can make even the most secure organisation vulnerable which is a real boom for the hackers. A direct attack against a major corporation might be impossible, but one against a small company it works with could easily go undetected. For example, a contractor might come to work in the company and access the system through an unsecured laptop. The contractor is likely to be much more vulnerable to attack than the company so, if criminals can get malware onto their system, they would carry it in right through the front door.

The threat is very real. It’s perfect for cyber criminals. They naturally seek out the weakest targets, but they also want to go where the money is. Unfortunately, these are normally organisations with some of the best defences around. The modern nature of business, which focuses on partnerships, undermines all that hard work. It’s like having an impressive fortress which is full of tiny, hard to see, holes.

For businesses, it is hard to defend against. These partnerships are crucial and it is difficult to monitor each entry point and build an effective defence strategy. The first step for everyone will be identifying where these attacks are coming from. Here are some of the most common approaches.

  1. Third Party Attacks

Since 2011 a cyber espionage group known as Dragonfly has been targeting energy companies across the US and Europe through their supply chains. One of their most successful attempts was Trojanising legitimate industrial control systems by infiltrating the websites of ICS suppliers and replacing files with malware. When the software was downloaded from the ICS website, the malware went to work.
This is typical of a third-party attack. It circumvents all the defences of the target company because they will not imagine there is any reason why the files might not be legitimate. The malware is extremely difficult to detect because it has been altered at source, which means attacks can be prolonged and immensely damaging.
Every time a company downloads software from a third party, they are placing a huge amount of trust in their security. It is simply not feasible to screen every piece of software or hardware to the depth required. If hackers can compromise software from a trusted supplier, they have a direct line of attack into some of the most secure companies in the world.

  1. Watering holes

In the wild predators gather around popular watering holes waiting for their prey to come and drink. Cyber criminals do pretty much the same thing. These so-called watering holes are websites where certain people in a sector will be known to gather. For example, if an attacker wanted to target a specific government department, they would identify a website which people in that sector visit and trust.
Once an attacker has identified a likely website, it injects malicious code which redirects targets to a separate site where the malware is hosted. This is a highly effective approach for gaining access to large organisations with sophisticated cyber defence operations because it accesses low security employees, business partners or unsecured wireless networks.

  1. Reverse email compromise

This is a relatively new development and is already becoming seen as the new bank heist because it is mostly targeted against financial companies. Hackers will attempt to infiltrate email servers to take control of email addresses.
It can be a long and drawn out process. Fraudsters will start by researching a company and identifying key personnel within the team such as executives and people in the finance team. They will attempt to take control of a trusted email address in order to convince targets to transfer funds. This could be someone within an organisation or another company with which you will be partnering. The attack will seem to come from an email address belonging to someone known and trusted, so when they ask for money to be transferred, the targets will be likely to make the transaction without suspecting anything untoward.

Gaps in Defences

Given all that, it is perhaps surprising that so few companies actively assess the security of the businesses they work with. A Navex Global Survey of around 300 ethics and compliance professionals found that 32% of respondents perform no evaluation of third parties before engaging with them. 11% don’t even know how many third parties they work with.

When it comes to specifically focusing on cyber security, the numbers are even worse. A survey by CrowdStrike found that 70% of organisations did not require the same level of security from their third parties as they implement internally. There seems to be an enormous amount of trust in the system which is not justified. Two thirds of respondents said they had been hit with a supply chain attack over the past year and the average cost of an attack was $1.1million.

The majority of organisations seem to have an outdated approach to cybercrime. They are stuck in their castles, building their firewalls while leaving the drawbridge open for anyone to come in. It puts data, systems and finances at risk, but it also puts companies in the line of fire of another growing threat – the regulators.

Regulatory Compliance

Regulators have come down hard on data privacy over the last few years and the arrival of General Date Protection Regulation (GDPR) could put firms in line for eye watering fines. The new rules put individuals in control of their own data and increase the requirements for companies to keep the data they hold safe. They must take all reasonable precautions to prevent an attack and, if a breach does occur, should inform the authorities within 72 hours. Failure to comply with these rules could incur a fine of anything up to 4% of turnover or €4 million. Earlier this year it emerged that Facebook could in in line for a fine of $2.2bn after it admitted storing customer passwords in plain text. At the same time, the company announced it was setting aside $3bn to cover the costs of a US privacy investigation.

These are huge numbers and while the world’s biggest social media giant could expect to survive such a blow, smaller organisations could face wipe out. What’s worse, each of those organisations which do not monitor the security measures of third parties could be exposed. Under the terms of GDPR, businesses will be liable for the security of all customer data even if it is being handled by a third party. In other words, even if you can show that a breach resulted because of mistakes made by someone else, the regulators will still hold you responsible. The implications for businesses could be catastrophic.

Reputational Damage

This also raises a difficult legal issue about where responsibility for an attack lies. In a complex network of interlinked partners questions will be raised about who should be at fault for an attack. For example, if one organisation suffers a breach because of issues with a supplier, they may decide to sue that company for damages. They in turn may sue other companies in their supply chain who they feel might have compromised their systems. It’s a breakdown of trust in which all parties are focusing on each other to establish where the blame lies.

If you’re a supplier to other organisations, failing to show effective security measures can be catastrophic for business. Just look at the troubles facing Indian outsourcing firm Wipro after reports that hackers infiltrated its systems to attack its own customers. Their customers have not been happy and have been taking their business elsewhere. In September 2018 Nebraska Department of Health and Human Services ordered Wipro to halt work on the upgrade to the State’s Medicaid systems. Wipro is now suing the organisation.

The impact on a firm’s reputation can be devastating. If you’re a business working as a supplier, failure to maintain the best security practices could be fatal. Although most organisations aren’t monitoring their suppliers closely that will change. Awareness is growing and cyber security will quickly become a standard part of any third-party due diligence. If you can’t pass these tests you may find yourself being shunned by existing and potential clients.

Preventing Attacks

Understanding the need to act is one thing. Doing it is something else. Untangling the complex web that is their network of relationships can be challenging. As we’ve already seen in this article, many would be pushed to even name the parties with which they work.

It requires a fresh approach and new mindset. To help businesses manage third party risks, the National Cyber Security Centre published a 12 point plan for how companies could mitigate risk. The plan is broken down into four different sectors.

  1. Understand the risks

– Understand the risks: Do some research and understand what risks are out there, what needs to be protected and why.
– Identify suppliers: Draw up a list of who exactly your suppliers are and what their security processes look like.
– Assess the risk: Quantify the risks your supply chain poses to internal systems.

  1. Establish control

– Communicate your vision: Once you understand the risk landscape, you should work with your suppliers communicating your expectations and requirements.
– Set minimum requirements: As part of a working contract, all suppliers should meet minimum levels of security.
– Make it part of your contracts: Build security considerations into your contracts and expect your partners to do the same.
– Raise awareness: Help others in your supply chain understand their risks and maintain the same high standards you are.
– Practice what you preach: Meet your own security standards when you yourself are working as a supplier.
– Provide support for all security incidents: If a breach does occur, you’ll need robust measures in place to minimise the damage.

  1. Check arrangements

As partnerships progress you should monitor ongoing compliance. Assurance activities should be built into all your ongoing supply chain management arrangements.

  1. Continuous improvements

– Encourage your suppliers to improve: Security is an ongoing issue. You will need to prioritise the threats you face and establish an ongoing strategy for maintaining defences. This means updating systems and adding patches as and when they become available and ensuring your suppliers do the same.

– Build trust with your suppliers: Both sides need to work together in order to build a sense of trust, understanding and collaboration.

As a business, you need to understand the full extent of your electronic relationships and this can be difficult, because relationships can go much further than you think. You might feel confident about your first-tier electronic partnerships but they also have electronic partnerships of their own, which may be vulnerable. This is where partnerships come into their own. While establishing requirements for them to handle security, you can share best practices so they can do the same to their own partners and suppliers.

As a business, you need to understand the full extent of your electronic relationships and this can be difficult, because relationships can go much further than you think. You might feel confident about your first-tier electronic partnerships but they also have electronic partnerships of their own, which may be vulnerable. This is where partnerships come into their own. While establishing requirements for them to handle security, you can share best practices so they can do the same to their own partners and suppliers.

Recovering from attacks

Every strategy should include provisions for what happens when an attack gets past your defences. You should have a cross functional discussion within your organisation and with third parties about what actions will be taken if an attack should occur. This includes how you will isolate and limit the damage done by malware and satisfy your reporting obligations to the regulators. For all your efforts to prevent defences being breached the attackers are likely to get lucky eventually. A good strategy should ensure that if and when they do you, are protected.

This is a complicated environment and the bad news is it’s not going to get any easier. The supply chain represents such a threat because it undermines all the inbuilt defences organisations have built. Companies can build watertight firewalls and end-to-end encryption, but these measures can be rendered useless by a partner whose own defences are weak. Individuals can be wary of incoming emails and links, but they will be fooled by a piece of software from a trusted provider. Cyber criminals have shown that, for every move made against them, they can give something back. It’s a constant battle in which there will never be a winner or a loser. The only hope is to ensure you can survive in the increasingly complex, connected and dangerous supply chain environment.

C-19 Cyber Resilience Service: