Why “Gotcha” Phishing Tests Let Us Down
One-off stunts and shame-based drills do more harm than good. Here is a kinder, smarter way to teach people to spot scams.
On September 17, 2024, Lebanon was rocked by a series of small but lethal explosions. In the aftermath, rumors and half-truths spread through the news as agencies scrambled to be the first to report on the attack. What was clear was that communication devices used by Hezbollah had been detonated in a targeted attack on Hezbollah personnel. What was unclear was how this attack had been carried out, and whether it was a sign that communication devices used by ordinary consumers could also be at risk.
Eventually, the story solidified: The exploding devices were not smartphones but pagers. Hezbollah had begun using this older, more basic technology in the hope that it would make it harder for adversaries to intercept their communications. They ordered a large batch of pagers from a supplier and put them into service. This was a mistake.
Specifically, the mistake was trusting a supplier without vetting either the company or the product that was delivered. Some actor, presumed to be Israeli intelligence, performed what is called a supply chain attack. This is an attack in which a target is compromised by attacking a trusted partner who supplies resources to the target. In the case of the pagers, the attack does not appear to have been some sophisticated piece of software engineering, but rather the addition of explosives inside the physical hardware that was delivered to Hezbollah.
Such an attack may sound remote from the concerns of businesses in the U.S. who — we would hope — are not being lethally targeted by intelligence agencies. However, supply chain attacks occur in the world of software as well, and often with much broader reach.
Digital supply chain attacks: the case of SolarWinds
One of the farthest-reaching digital supply chain attacks yet was the SolarWinds hack. SolarWinds is a large company, though not well known outside of IT circles, since their products are used to manage and monitor networks. Because their software is widely used by businesses and the government, it is an extremely valuable target for attackers, and in 2019 a group of hackers went on the offensive.
Over a period of about six months, hackers infiltrated SolarWinds’s network and inserted their own code into the SolarWinds Orion network management platform. When an updated version of Orion was pushed to customers, it included the malware, and this gave the attackers a backdoor into every network using the software. It took months for the attack to be discovered, as large enterprises and government agencies noticed malicious activity in their networks but were unsure of the source. When at last the pieces came together, the news caused shockwaves in the IT world.
Only after the cleanup had finished could the full impact of the attack be understood. Not only had companies lost sensitive data and internal communications, they had also been forced to rethink their network security, which cost time and money.
A post-attack report by IronNet found that, for affected companies, the attack cost an average of 11% of their annual revenue. This would be bad enough if the SolarWinds attack were an isolated incident, but such attacks occur regularly through both proprietary software and open-source projects, and so organizations need to include their supply chain when addressing their overall security.
What can organizations do to secure their supply chain?
Fortunately, organizations can substantially reduce their risk of being attacked through the supply chain by following some straightforward best practices:
Ultimately, security is a matter of maintaining a set of good habits, such as those listed above. The pager attacks in Lebanon serve as a reminder that one of the most important habits is carefully vetting any technology you add into your network.
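One concrete form of that vetting habit is to check what a supplier actually delivered against what the supplier says they shipped. The script below is an added example, not code from the original post or from Pulsar Security: it builds a SHA-256 manifest of a release tree, then compares a delivered copy against that manifest and reports altered, missing, and added files. The release files, the tampering, and the idea that the manifest arrives through a separate trusted channel are all constructed assumptions for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_release(root: Path, trusted_manifest: dict[str, str]) -> dict:
    """Compare a delivered release tree against a manifest obtained out of band.

    Reports the three discrepancies a tampered delivery would produce:
    files whose content changed, files that vanished, and files that were added.
    """
    actual = build_manifest(root)
    modified = sorted(
        k for k, h in trusted_manifest.items() if k in actual and actual[k] != h
    )
    missing = sorted(k for k in trusted_manifest if k not in actual)
    unexpected = sorted(k for k in actual if k not in trusted_manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple[dict, dict]:
    """Build a constructed sample release, verify it clean, then verify it after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample contents; a real release would be the vendor's installer tree.
        (root / "bin" / "agent.exe").write_bytes(b"legitimate build 1.0\n")
        (root / "README.txt").write_text("constructed sample release\n")

        # Assumption: the vendor publishes this manifest through a separate trusted
        # channel (signed and pinned). Here it is simply captured before delivery.
        trusted = build_manifest(root)
        clean = verify_release(root, trusted)

        # Simulate a tampered delivery: one binary altered, one file added.
        (root / "bin" / "agent.exe").write_bytes(b"legitimate build 1.0\n/* implant */\n")
        (root / "bin" / "helper.dll").write_bytes(b"not part of the vendor release\n")
        tampered = verify_release(root, trusted)

    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean delivery:", before)
    print("tampered delivery:", after)
```

The check only helps if the manifest cannot be altered by the same party that altered the files, so it must come from a channel independent of the download (a vendor signature or a hash pinned in your own configuration). It also catches tampering in transit or on the delivered media, the pager scenario, rather than a poisoned build: in the SolarWinds case the malicious code was compiled into the vendor's own signed release, so the hashes would have matched. That is why vetting the supplier itself, not only the package, remains part of the habit.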
Pulsar Security is a team of highly skilled, offensive cybersecurity professionals with the industry’s most esteemed credentials and advanced, real-world experience. We deliver tailored services to large corporations, small-to-medium enterprises, and government organizations. We help them succeed despite constantly evolving threats in an era of digital transformation and cognitive innovation (AI). Partnering with us will help you build a cybersecurity posture that promotes growth, innovation and proficiency.