Though the evolution of cyber threats (1) dates back to 2013, when Iranian hackers breached the Bowman Avenue Dam in New York and seized control of the dam’s floodgates, the year 2021 is generally recognized as the benchmark year for cyber attacks on digital supply chains. The month of May 2021 witnessed a series of hacks that sent organizations and nations into panic mode as digital supply chains in the oil & gas, food, chemical, and healthcare sectors were hit.
Chaos of an unheard-of kind ensued when REvil, a Russian-backed hacker group, inflicted the biggest-ever ransomware attack on the US operations of the JBS food chain, the world’s largest multi-meat processing company, causing immense meat shortages and panic buying. A ransom of USD 11 million was paid to the hackers in Bitcoin to restore the services. In the same month, DarkSide, another Russian-backed terrorist hacker group, breached the internal systems controlling Colonial Pipeline’s billing and supplies in a ransomware attack that resulted in shortages of gasoline supplies to the East Coast of the US. DarkSide went on to encrypt the network of German chemical distributor Brenntag’s North American division, stealing unencrypted files and successfully extracting a ransom of USD 4.4 million in Bitcoin for the encryption key.
In July of the same year, REvil exploited a vulnerability in the Kaseya software (2) deployed in over 800 Swedish grocery stores, kindergarten schools in New Zealand, and two Maryland local governments, once again causing unprecedented panic. Though in most of these cases, timely remedial action was taken by vigilant staff, the attacks drew comparison with the attacks of a few months earlier, and painfully brought home the point that digital supply chains provide the perfect attack vectors for hackers.
Almost all major industries and sectors, including healthcare, manufacturing, banking, retail, food, chemicals, infrastructure, and oil & gas, have experienced an attack on their supply chains. Attacks are on the increase around the globe. Forbes (3) cites a report by the BSI Group, which puts the increase in ransomware attacks on supply chains in the last 3 years at 66% worldwide. Cloud Security Alliance (CSA) (4) states that over 80% of all recorded security breaches have at some point or another occurred in the supply chain network of manufacturers, partners, suppliers, and service providers. Deloitte (5) says that 40% of manufacturers had their operations affected by a cyber incident during 2019. And Gartner (6), in its top cyber trends for 2022, called for organizations and supply chain partners to seriously look at best supply chain security practices, predicting that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
How they work
The huge data networks and procurement platforms associated with digital supply chains provide the perfect attack vectors for threat actors. Attacks take the form of zero-day hacks, as in the JBS Foods and Colonial Pipeline cases cited above, or known system vulnerabilities that are exploited by hacker groups. System breaches can also occur via phishing campaigns aimed at unsuspecting employees, as in the Google and Facebook hacks of 2015 (7). Many hacker groups like REvil and DarkSide are known to offer Ransomware as a Service (RaaS) (9) to other hacker groups looking to orchestrate digital supply chain attacks. They are also known to engage in double extortion (8), a ransomware process where the data of the victim is initially exfiltrated and encrypted, followed by a ransom demand for a decryption key. The group then demands a further ransom, threatening to leak the data to willing buyers should that ransom not be paid.
Paying the ransom is no guarantee of full decryption or return of the exfiltrated data. A 2021 study by Cloudwards shows that out of the 37% of organizations hit by ransomware attacks, some 32% paid the ransom, but could retrieve only 65% of their data.
Addressing the risks
The prompt response of the Biden Administration, which released its Executive Order on Improving the Nation’s Cybersecurity immediately following the SolarWinds, JBS Foods, and Colonial Pipeline hacks, underscored the US Government’s commitment to tackling the menace. The National Cyber Security Center (NCSC) (10) released guidelines for organizations in response to the rise in supply chain attacks. ZDNET, however, believes that most organizations are not ready to face threats, despite knowing the dire consequences of a data breach.
Looking back, the stage had already been set a while ago with the advent of digitalization, which resulted in the creation of massive amounts of sensitive data that organizations share with their suppliers over the cloud and other platforms – data that is ripe for the picking by scamsters and hacker groups. Organizations would do well to remember that a digital supply chain is only as strong as its weakest link. Therefore, they must follow best practices by implementing secure operational and logistical strategies that will avert the threat of disruptions to their supply chains. Forbes (3) recommends that organizations look at the following touchpoints:
- Ongoing audit of the organization’s suppliers and the systems they follow, with a view to identifying and remediating cybersecurity risks and gaps
- Full-fledged review before onboarding new devices, systems, and solutions with a view to fully understanding any vulnerabilities
- Across-the-board cyber resilience efforts and compliance
The World Economic Forum (WEF) (5) articulates three principles to achieve cyber resilience of organizational supply chains, which will in turn also help increase the digital trust levels of the organization:
- Embed security and privacy in the procurement process and life cycle, complemented by well-structured procurement contracts that contain precise clauses that enforce cybersecurity compliance
- Adopt a risk-based approach to onboarding suppliers and third-party service providers, by understanding their security postures and ecosystems
- Implement a stringent source code policy that eliminates the risks surrounding the development, management, and distribution of software code developed by or for the organization
Tackling digital supply chain attacks remains a herculean task, given the number and complexity of digital platforms, exponential business and data volumes, arguably less-than-desired focus at management levels, and a general lack of awareness. The situation is not helped by the fact that bad actors have proliferated and potentiated their attacks.
Yet some see hope in Cyber AI (11) – a force multiplier that enables organizations not only to respond faster than attackers can move but also to anticipate these moves and react to them in advance. Drawing on AI’s ability to detect new patterns, Cyber AI can accelerate detection, containment, and response by SOC analysts. The technology is still in its nascent stages but is expected to achieve maturity as the push for AI continues.
1. Attacks on Critical Infrastructure – An Uphill Battle | Aurora (aurorait.com)
2. 3 Strategies to Secure Your Digital Supply Chain (hbr.org)
3. Overcoming Supply Chain And Cyber Vulnerabilities Through Digital Trust (forbes.com)
4. Supply Chain Challenges and Digital Threats | CSA (cloudsecurityalliance.org)
5. 3 principles to reinforce digital trust in supply chains | World Economic Forum (weforum.org)
6. Gartner Top Security and Risk Trends in 2022
7. The Endless Need for Employee Education and Awareness in Cybersecurity | Aurora (aurorait.com)
8. What Is Double Extortion Ransomware? (heimdalsecurity.com)
9. Ransomware – Next Level Malware | Aurora (aurorait.com)
10. Supply chain hacks are on the rise. But most companies aren’t prepared | ZDNET
11. The future of cybersecurity and AI | Deloitte Insights