Organisations are constantly being targeted in new ways. Instead of direct attacks, they are increasingly falling victim to attacks via their supply chain. This is worrying, as such events are harder to detect and prevent, especially when most incidents are kept secret.
Means to an end
The Financieel Dagblad (Dutch equivalent to the Financial Times) interviewed HSD partners Cybersprint, Deloitte and Secura on the growing risks of supply chain attacks. Together, they explain that hackers use these third parties as the first step of their attack, as it provides them with a way into many of the connected organisations. Next, they can either move on to their intended target, or use the intel to select individual organisations.
This was also the case with the SolarWinds incident last year, and other software suppliers such as CCleaner in 2017. Hackers can then send malicious ‘software updates’ to their clients, and install ransomware to gain access and encrypt valuable data.
Cases kept confidential
Unfortunately, many of the past supply chain attacks are never shared with the public. A reason could be that the targeted supplier and organisation are unaware of the origin of the attack. Another explanation is that the information is kept secret on purpose. “There is a lot of activity,” Eward Driehuis from Cybersprint says. “However, there aren’t any exact figures as attacks often remain unreported and the people involved sign non-disclosure agreements.”
Following the article, Eward expanded on the topic on BNR news radio. Here, he elaborated on the reasons why these cases are kept confidential, and why it’s hard to determine the motives and identity of the attackers. Is it for financial gain? Or corporate espionage by nation state actors? Listen to his explanation here (in Dutch).
Frank Groenewegen from Deloitte and Matthijs Koot from Secura both plead for better information sharing between third parties, intelligence services, governments and the different organisations they are connected to. That would provide for better insights into these kind of attacks, helping to prepare for future incidents. Adam Meyers from an American cybersecurity company called ''Crowdstrike'' and Steven Dondorp CEO of Northwave both state that digital spionage forms a threat for the Dutch economy.
Controlling third-party risk
Unfortunately, it’s hard to defend against a supply chain attack. It’s virtually impossible to conduct a full security check on all suppliers using audits and questionnaires. These methods only provide static information and snap-shot results.