Why cybercriminals love to attack supply chains, and how to stop them

Big businesses are often cybersecurity savvy, so cybercriminals have started attacking them through smaller suppliers. But there are ways to stop it.

The bigger the business, the more suppliers. And as businesses use more and more internet-connected devices like printers, point-of-sale terminals and even air conditioning, cybercriminals have more ways in.

One way to stop cyberattacks is to invest in cyber defenses like software, people and training. Most large enterprises know they could be targets and have prioritized cybersecurity. So, many cybercriminals have turned to compromising smaller businesses that supply larger businesses to get to their real target.

Tomorrow Unlocked’s video Target the Supply Chain looks at supply chain attacks and how to prevent them, with supply chain attack expert Eliza-May Austin, CEO and co-founder of th4ts3cur1ty.company (That Security Company).

What is a supply chain attack?

A supply chain cyberattack is when cybercriminals compromise a smaller supplier of a larger business, intending to eventually attack the larger business. These attacks aren’t new, but they’re becoming more common and harder to detect.

In Target the Supply Chain, Austin explains how cybercriminals stole 40 million people’s card details from US retail giant Target. It started when an employee at Target’s air conditioning supplier clicked a link in a phishing email, injecting malware into their system.

Target used remote access to monitor its air conditioning units, and that remote access ran over the same network from which the cybercriminals could reach personal data on point-of-sale devices. The attack cost Target some 61 million US dollars.

In 2017, Kaspersky researchers found a ‘backdoor’ in server management software used by hundreds of large businesses. When activated, the backdoor let attackers steal data. Researchers notified the supplier, NetSarang, who pulled the compromised software and replaced it with a clean version.

Sometimes, there is no clean version. Noushin Shabab, Senior Security Researcher at Kaspersky, says supply chain attacks can start in software development. “Cyberattackers can compromise software by getting inside software used by developers. That way, malicious code can end up on many businesses’ networks.”

How to protect against supply chain attacks

Austin’s start-up works with suppliers to larger corporations to ‘harden’ (better protect) their whole supply chain from attack. She says, “We can prevent about 80 percent of attacks with basic cyber-hygiene. Make sure your software and hardware are up to date. Limit your ‘attack surface’ – if something needn’t be online, don’t put it online. Audit passwords, making sure they’re complex. Have two-factor authentication. Employees can be the weakest link in a company, but with good cybersecurity training, they can be the strongest.”

Threat hunting also helps prevent supply chain attacks. Kaspersky’s Nikolay Pankov says, “A sophisticated targeted attack can implant malware and stay under the radar for a long time. To prevent those attacks, you need experienced threat hunters.” As getting these skills in-house can be challenging at the best of times, using a targeted attack discovery service is a good option for businesses of all sizes.

Cybercriminals are nothing if not flexible and adaptable. They’ve responded to growing cybersecurity awareness in enterprises by compromising smaller suppliers instead. Larger companies can turn that same awareness outward: by looking further afield and working with their smaller suppliers, they protect both businesses.

About authors

Suraya Casey is a freelance writer, editor and content strategist based in New Zealand. Her interests include cybersecurity, technology, climate, transport, healthcare and accessibility.