What is a supply chain attack?

During a supply chain attack, attackers exploit third-party dependencies in order to infiltrate a target’s system or network.

Learning Objectives

After reading this article you will be able to:

  • Define ‘supply chain attack’
  • Explain how a supply chain attack is carried out
  • Learn how to stop supply chain attacks

Copy article link

What is a supply chain attack?

A supply chain attack uses third-party tools or services — collectively referred to as a ‘supply chain’ — to infiltrate a target’s system or network. These attacks are sometimes called “value-chain attacks” or “third-party attacks.”

By nature, supply chain attacks are indirect: they target the third-party dependencies that their ultimate targets rely on (often unknowingly). A dependency is a program or piece of code (often written in JavaScript) from third-party providers that enhances application functionality. A dependency used by an ecommerce retailer, for instance, might help run customer assistance chatbots or capture information about site visitor activity. Hundreds, if not thousands, of these dependencies can be found in a broad range of software, applications, and services that targets use to maintain their applications and networks.

In a supply chain attack, an attacker might target a cybersecurity vendor and add malicious code (or ‘malware’) to their software, which is then sent out in a system update to that vendor’s clients. When the clients download the update, believing it to be from a trusted source, the malware grants attackers access to those clients’ systems and information. (This is essentially how the SolarWinds attack was carried out against 18,000 customers in 2020.)

How is a supply chain attack carried out?

Before a supply chain attack can be carried out, attackers need to gain access to the third-party system, application, or tool they plan to exploit (also known as an “upstream” attack). This may be done by using stolen credentials, targeting vendors with temporary access to an organization’s system, or exploiting an unknown software vulnerability, among other methods.

Once access to this third-party dependency has been secured, the “downstream” attack — the attack that reaches the ultimate target, often via their browser or device — can be carried out in a variety of ways.

Returning to the previous example, the “upstream” attack occurs when the attacker adds malicious code to the software of a cybersecurity vendor. Then, the “downstream” attack is performed when that malware executes on end-user devices via a routine software update.

What are common types of supply chain attacks?

Supply chain attacks may target hardware, software, applications, or devices that are managed by third parties. Some common attack types include the following:

Browser-based attacks run malicious code on end-user browsers. Attackers may target JavaScript libraries or browser extensions that automatically execute code on user devices. Alternatively, they may also steal sensitive user information that is stored in the browser (via cookies, session storage, and so on).

Software attacks disguise malware in software updates. As in the SolarWinds attack, users’ systems may download these updates automatically — inadvertently allowing attackers to infect their devices and carry out further actions.

Open-source attacks exploit vulnerabilities in open-source code. Open-source code packages can help organizations accelerate application and software development, but they may also allow attackers to tamper with known vulnerabilities or conceal malware that is then used to infiltrate the user’s system or device.

JavaScript attacks exploit existing vulnerabilities in JavaScript code or embed malicious scripts in webpages that automatically execute when loaded by a user.

Magecart attacks use malicious JavaScript code to skim credit card information from website checkout forms, which are often managed by third parties. This is also known as “formjacking.”

Watering hole attacks identify websites that are commonly used by a large number of users (e.g. a website builder or government website). Attackers may use a number of tactics to identify security vulnerabilities within the site, then use those vulnerabilities to deliver malware to unsuspecting users.

Cryptojacking allows attackers to steal computational resources needed to mine cryptocurrency. They can do this in several ways: by injecting malicious code or ads into a website, embedding cryptomining scripts into open-source code repositories, or using phishing tactics to deliver malware-infected links to unsuspecting users.

How to defend against supply chain attacks

Any attack that exploits or tampers with third-party software, hardware, or applications is considered a supply chain attack. Organizations typically work with a variety of outside vendors, each of whom may use dozens of dependencies in their tools and services.

For that reason, it may be difficult, if not impossible, for organizations to completely insulate themselves from supply chain attacks. However, there are several strategies organizations can use to preemptively defend against common attack methods:

  • Run a third-party risk assessment: This may include testing third-party software prior to deployment, requiring vendors to adhere to specific security policies, implementing Content Security Policies (CSP) to control which resources a browser can run, or using Subresource Integrity (SRI) to check JavaScript for suspicious content.
  • Implement Zero Trust: Zero Trust ensures that every user — from employees to contractors and vendors — is subject to continuous validation and monitoring inside an organization’s network. Verifying user and device identity and privileges helps ensure that attackers cannot infiltrate an organization simply by stealing legitimate user credentials (or move laterally within the network if they do breach existing security measures).
  • Use malware prevention: Malware prevention tools, like antivirus software, automatically scan devices for malicious code in order to prevent it from executing.
  • Adopt browser isolation: Browser isolation tools isolate (or sandbox) webpage code before it executes on end-user devices, so any malware is detected and mitigated before it reaches its intended target.
  • Detect shadow IT:Shadow IT’ refers to applications and services employees use without the approval of their organization’s IT department. These unsanctioned tools may contain vulnerabilities that cannot be patched by IT, since they are unaware of their use. Using a cloud access security broker (CASB) with shadow IT detection capabilities can help organizations better catalog the tools their employees are using and analyze them for any security vulnerabilities.
  • Enable patching and vulnerability detection: Organizations that use third-party tools have a responsibility to ensure that those tools are free from security vulnerabilities. While identifying and patching every vulnerability may not be possible, organizations should still do their due diligence to find and disclose known vulnerabilities in software, applications, and other third-party resources.
  • Prevent zero-day exploits*: Often, supply chain attacks make use of zero-day exploits that have not been patched yet. While there is no foolproof method for anticipating zero-day threats, browser isolation tools and firewalls can help isolate and block malicious code before it executes.

*Stopping zero-day exploits is still a particularly challenging task for most organizations. In 2021, a zero-day vulnerability was discovered in Log4j, an open-source software library that helps developers log data within Java applications. This allowed attackers to infect and control hundreds of millions of devices, from which they then carried out further attacks, including ransomware attacks and illegal cryptomining. Read more about how Cloudflare defends against the Log4j vulnerability.

How does Cloudflare stop supply chain attacks?

Cloudflare Zero Trust helps thwart supply chain attacks by blocking access to potentially risky websites, preventing malicious uploads and downloads, and auditing the SaaS applications (both approved and unapproved) within your organization.

Cloudflare Zaraz is a third-party tool manager that loads applications in the cloud, so malicious code cannot execute on the end-user browser. Zaraz gives users visibility into and control over the third-party scripts that run on their sites, enabling them to isolate and block risky behavior.