Top 3 cyber attacks on supply chains - lessons in fortifying your defences

The interconnected nature of today's world extends beyond physical goods. Our digital supply chains, the networks of vendors and software providers that keep our businesses running, are equally critical. However, these connections create vulnerabilities that cybercriminals increasingly exploit through sophisticated supply chain attacks. A recent Gartner report predicts that by 2025, 45% of global companies will face software supply chain attacks. In the Asia Pacific region, over 50% of companies have experienced two to five cybersecurity breaches in their supply chains; yet, alarmingly, only 38% consider software supply chain risk a key priority.

Furthermore, the increasing ransomware attacks on supply chains, including supposedly secure cloud providers, underscore the necessity of collaboration among major players to prepare against attack scenarios that could lead to widespread disruption.

What are supply chain attacks?

Supply chain attacks represent a strategic approach by cybercriminals to exploit vulnerabilities within interconnected systems, targeting structural single points of failure that can lead to widespread outages. By compromising a seemingly innocuous automated vendor or software update with malicious payloads, attackers have successfully infiltrated vast networks of organisations, triggering widespread outages and financial and other consequential losses.

These attacks underscore how cybercriminals' tactics are evolving and the importance of implementing multi-layered security measures beyond traditional perimeter defences. It's crucial for organisations to enforce strong access controls and to monitor their vendor ecosystems continuously for suspicious activity. Supply chain attacks broadly fall into two categories:

  • IT infrastructure attacks: These attacks exploit vulnerabilities in software used throughout the supply chain, granting access to a network of organisations.
  • Critical infrastructure attacks: These attacks target essential services like power grids, causing physical disruptions and damage in addition to IT woes.

Lessons from the trenches: Top 3 cyber-attacks on supply chains

Recent supply chain attacks have exposed critical weaknesses in organisations' management of their digital ecosystems. Let's delve into three major attacks — NotPetya (2017), Diamond Sleet (2023), and OKTA (2022) — to understand the common threads and security gaps they highlight.

NotPetya (2017) 

NotPetya was a devastating cyberattack in 2017. It masqueraded as ransomware but effectively functioned as destructive malware (better known as a wiper) that paralysed computer systems globally, causing widespread damage and financial losses.

Masquerading as ransomware, NotPetya was specifically designed for data destruction rather than theft. It infiltrated the popular accounting software M.E. Doc, initially targeting Ukrainian businesses through malicious code injection. However, due to the interconnected nature of the global economy, the attack rapidly spread beyond its intended target, affecting thousands of organisations worldwide. The resulting chaos, damage and disruption were estimated in excess of US$10 billion, underlining the far-reaching impact and the pressing need for comprehensive security measures throughout supply chains.

This chilling reminder of the devastating consequences of supply chain attacks not only underscores the critical need for software integrity and robust security measures throughout the supply chain; more importantly, it also revealed the lack of appropriate insurance coverage against cyber-induced physical damage and disruption. Insurers had to quickly address the potential risk aggregation and respond to the issue of "silent cyber", where non-cyber insurance policies might unintentionally cover a cyber event because of outdated wording that had not kept up with the evolving nature of cyber attacks.

SolarWinds (2020)

The 2020 Microsoft supply chain attack, known as SolarWinds, serves as a stark reminder of the vulnerability of even the most trusted technology providers. 

In this attack, detailed in various reports and analyses, threat actors compromised the systems of a third-party vendor involved in Microsoft's supply chain, injecting malicious code into legitimate software updates distributed by Microsoft. This incident impacted over 18,000 companies, some of which were government agencies and large global companies. It not only resulted in significant financial losses due to remediation, legal liabilities, and potential regulatory fines but also caused severe operational disruptions, impacting productivity, customer service, and the reputation of affected organisations.

The upward of $100 billion and many months spent containing and fixing the damage from the Russian hack underscore the critical importance of scrutinising and tightening vendor security management and software and platform dependencies, both through technology and through serious process redesign and overhaul. In response, the insurance industry also began rapidly introducing conditions and terms, not only for SolarWinds but for all kinds of large-scale, publicly reported software and platform zero-day vulnerabilities.

OKTA (2022) 

This 2022 cyber incident demonstrates the growing sophistication of man-in-the-middle attacks targeting IT infrastructure and the supply chain. Hackers gained access to a subprocessor of Okta, a provider of identity and access management (IAM) solutions. By exploiting this access, they were able to view certain customer data but not directly compromise it. Later on, in 2023, through known vulnerabilities in the Okta platform, criminal groups breached some major companies, including several casino brands, with ransomware that racked up further financial losses stemming from containment, mitigation, business interruption, and reputational damage.

This attack highlights cybercriminals' evolving tactics and the need for multi-layered security measures beyond traditional perimeter defences. Organisations must implement strong access controls and continuously monitor vendor ecosystems for suspicious activity. From an insurance standpoint, this is why insurers pay close attention to interconnected system architectures, the securing of Active Directory, and the management of clients' privileged identities before offering cyber insurance coverage.

Fortifying defences

The three attacks paint a clear picture: a single compromised vendor or software flaw can have a ripple effect across a vast network of organisations. 

The broader implications for organisations facing supply chain attacks are profound. Beyond the immediate impact of data breaches, operational disruptions, and reputational damage, these attacks can have far-reaching consequences. They erode trust in vendor networks, undermine customer confidence, and may even lead to legal liabilities and regulatory penalties.

Fortifying defences against such attacks is therefore crucial, and it requires a multi-layered approach. While complete prevention may be a moving target, organisations can take proactive steps to strengthen their supply chain security posture:

Vendor Risk Management:

Implement robust procedures to evaluate and monitor suppliers' security practices. This includes conducting security assessments, requiring security questionnaires, performing penetration testing, and continuously monitoring vendor activities.

Patching Vulnerabilities Promptly:

To mitigate potential risks, prioritise timely software updates and patch vulnerabilities. However, given the rise of malicious software updates, consider conducting deeper scans and testing patches in sandboxes before deployment.

Multi-Factor Authentication (MFA) and Strong Access Controls:

Implement multi-factor authentication (MFA) and robust access controls to strengthen defences against unauthorised access. However, remain vigilant as cybercriminals continually devise sophisticated methods to bypass these security measures.

Security Awareness Training:

Promote a culture of cybersecurity awareness across all levels of the organisation. Regular training sessions can educate employees on identifying and reporting suspicious activities, empowering them to play an active role in defending against supply chain attacks.

Mitigating Cybersecurity Risks: How Cyber Insurance Can Help

While strong security practices are the cornerstone of supply chain resilience, even the most diligent organisations can face unforeseen breaches. This is where cyber insurance steps in, acting as an organisational resiliency booster in the event of a successful attack. But its role extends beyond simply covering costs.

Traditional cyber insurance policies often encompass specific coverages relevant to supply chain risks. These may include:

  • Network Security Breach: Coverage for costs associated with a data breach or other security incident originating from a compromised vendor or software update.
  • Business Interruption: Reimbursement for lost revenue and operational costs incurred due to a supply chain attack that disrupts normal business functions.
  • Cyber Extortion: Coverage for costs associated with responding to a ransomware attack, including ransom payments (up to policy limits) and forensic investigation expenses.
  • Kinetic Damage: Covers the costs of property damage and disruption of revenue resulting from a cyber-attack.
  • Personal Injury: Covers the costs of injuries that result from cyber incidents.
  • Betterment: Covers the costs of replacing hardware and software directly damaged by a cyber-attack.

The benefits of cyber insurance go beyond financial protection. Many insurers offer valuable services like threat intelligence reports, vulnerability assessments, and incident response assistance. These resources can help organisations proactively identify and mitigate risks within their supply chain. We are also equipped with tools that can help you evaluate your inherent and residual risks and losses within your supply chain, helping you determine the amount of risk to transfer to cyber insurance. All these, combined with government initiatives such as the Cyber Security Agency Singapore's supply chain guidelines, are crucial for combating this looming epidemic.

In conclusion, supply chain attacks represent a significant and evolving threat to organisations across industries. By implementing comprehensive security measures and adopting a proactive approach to risk management, businesses can better protect their supply chains from cyber threats and mitigate the potential impact of future attacks. Stay vigilant, stay proactive, and adapt to emerging trends in cybersecurity to safeguard your organisation's assets and reputation.

While not a substitute for robust security practices, cyber insurance can serve as a financial safety net in the event of a successful attack. A good broker can help you tailor a cyber insurance programme for losses that could result from various supply chain risk scenarios, including sophisticated ransomware. 

Howden brokers

Get cyber protection from genuine cyber experts

We're here to make it easy for you; let us help you transfer your cyber risk before it's too late.