Supply chain attack

[5] A supply chain is a system of activities involved in handling, distributing, manufacturing, and processing goods in order to move resources from a vendor into the hands of the final consumer.

[15] According to an investigation produced by Verizon Enterprise, 92% of the cyber security incidents analyzed in their survey occurred among small firms.

[17] In October 2008, European law-enforcement officials "uncovered a highly sophisticated credit-card fraud ring" that stole customers' account details by using untraceable devices inserted into credit-card readers made in China to gain access to account information and make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses.

[19] Muhammad Ali Nasir of the National University of Emerging Sciences associates the above-mentioned risk with the wider trend of globalization, stating: "…due to globalization, decentralization, and outsourcing of supply chains, numbers of exposure points have also increased because of the greater number of entities involved and that too are scattered all around the globe… [a] cyber-attack on [a] supply chain is the most destructive way to damage many linked entities at once due to its ripple effect."

[25] The data breach of Target's customer information saw a direct impact on the company's profit, which fell 46 percent in the fourth quarter of 2013.

[32] The worm specifically targets systems that automate electromechanical processes used to control machinery on factory assembly lines or equipment for separating nuclear material.

The computer worm is said to have been specifically developed in order to damage potential uranium enrichment programs by the Government of Iran; Kevin Hogan, Senior Director of Security Response at Symantec, reported that the majority of systems infected by the Stuxnet worm were located in the Islamic Republic of Iran,[33] which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in the country,[34] including either the Bushehr Nuclear Power Plant or the Natanz nuclear power plant.

[35] Stuxnet is typically introduced into the supply network via an infected USB flash drive by persons with physical access to the system.

[36] In recent years, malware known as Suceful, Ploutus, Tyupkin and GreenDispenser have affected automated teller machines globally, especially in Russia and Ukraine.

[37] GreenDispenser specifically gives attackers the ability to walk up to an infected ATM system and remove its cash vault.

[39] The Tyupkin malware, active in March 2014 on more than 50 ATMs at banking institutions in Eastern Europe, is believed to have also spread at the time to the U.S., India, and China.

[41] NotPetya is classified as a ransomware attack because it encrypted the hard drives of affected computers and then demanded bitcoin payments in order to retrieve stolen files.

[42] The attack affected numerous industries across Ukraine including banks, an airport, and Chernobyl radiation detection systems.

[43] Police said that M.E.Doc could ultimately be held criminally responsible due to their negligence in acknowledging repeated messages regarding the status of their cybersecurity infrastructure.

The injected code was written specifically to route credit card information to the domain baways.com, which could erroneously be thought to belong to British Airways.

Magecart is a name attributed to multiple hacker groups that use skimming practices in order to steal customer information through online payment processes.

[50] Russian hackers targeted a piece of software by SolarWinds called Orion, which several government agencies used to monitor their IT performance.

[57][58] Based on Volexity's reconstruction, Breaking Defense has published a simplified kill chain explaining the Exchange Server attack on an estimated 30,000 customers worldwide.

[63] The affected organizations, such as credit unions, town governments, and small businesses, use self-hosted e-mail (on-site rather than cloud-based).

[76] By July 2021 the US government is expected to name the initiator of the Exchange Server attacks:[77] "China’s Ministry of State Security has been using criminal contract hackers".

[83] These attacks are progressively becoming more desirable to malicious actors as companies and agencies continue to move assets to cloud services.

[61] In March 2023, the voice and video chat app 3CX Phone System was thought to have been subject to a supply chain attack due to detection of malicious activity on the software.

The app is used in a wide variety of industries, from food to automotive, and an attack has the potential to impact hundreds of thousands of users worldwide.

[97] If used in a malicious manner, this information could be used to monitor important government officials and track United States communications that are meant to be confidential.

The Department of State hack occurred due to vulnerabilities in Microsoft Exchange Server, classifying it as a supply-chain attack.

While the exploit remained dormant unless a specific third-party patch of the SSH server was used, under the right circumstances this interference could potentially enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely.

[107] The Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review, passed by the Bush and Obama administrations respectively, direct U.S. federal funding for development of multi-pronged approaches for global supply chain risk management.

[110][111] According to Adrian Davis of the Technology Innovation Management Review, securing organizations from supply chain attacks begins with building cyber-resilient systems.

[113] In March 2015, under the Conservative and Liberal democratic government coalition, the UK Department for Business outlined new efforts to protect SMEs from cyber attacks, which included measures to improve supply chain resilience.

[115][116] The Depository Trust and Clearing Group, an American post-trade company, in its operations has implemented governance for vulnerability management throughout its supply chain and looks at IT security along the entire development lifecycle; this includes where software was coded and hardware manufactured.

A basic diagram of a supply chain network, which shows how goods are moved from the raw materials stage to being acquired by the end consumer
An image of a Target brick-and-mortar store, where a supply chain attack exposed the financial information of 40 million customers between 27 November and 15 December 2013
Model of the Bushehr Nuclear Power Plant – in the Iranian pavilion of EXPO 2010 Shanghai