Threat Landscape for Supply Chain Attacks

August 4, 2021

Supply chain attacks have been a security concern for many years, but the community seems to have been facing an increased number of more organized attacks since 2020. It may be that, due to the more robust security protection that organizations have put in place, attackers have shifted towards suppliers and managed to cause significant impact in terms of the downtime of systems, monetary losses and reputational damages, to name but a few. This report aims at mapping and studying the supply chain attacks that were discovered between January 2020 and early July 2021.

The devastating and ripple effect of supply chain attacks was seen in full force with the SolarWinds attack. SolarWinds is considered one of the largest supply chain attacks of the last few years, particularly taking into account the affected entities that included governmental organizations and large corporations. It received great media attention and led to policy initiatives around the globe. More recently, in July 2021 the Kaseya attack manifested itself and raised the need for further and dedicated attention to supply chain attacks affecting managed service providers. Unfortunately, these two examples are not isolated cases and the number of supply chain attacks has been steadily increasing over the last year. This trend further stresses the need for policymakers and the security community to devise and introduce novel protective measures to address potential supply chain attacks in the future and to mitigate their impact.

Through a careful survey and analysis, this report maps supply chain attacks based on incidents identified from January 2020 to early July 2021. Each incident has been broken down into its key elements, such as the attack techniques and assets of both suppliers and customers alike that are affected by adversaries. The introduction of a taxonomy for supply chain attacks will facilitate their classification and may be the starting point for a more structured approach in analysing such attacks and coming up with dedicated security controls to mitigate them. The proposed taxonomy also helps to classify, compare and discuss these attacks using a common ground. The similarities between the proposed taxonomy and other well-known frameworks are discussed.

This report also analyses the similarities between the lifecycle of supply chain attacks and the more well-known attacks by Advanced Persistent Threats (APTs). A summary of the most prominent supply chain incidents since 2020 is included in the Annex, each of which has been decomposed in accordance with the aforementioned taxonomy.

The core of the report is an analysis of all the reported supply chain incidents to identify their key characteristics and techniques. The analysis answers the questions: what are the most common attack techniques being used in supply chain attacks, what are the main customer assets that attackers are after, and what is the relationship between attacks and the assets targeted?

With the rise in attention being paid to supply chain attacks, many other security incidents were also highlighted as being related to the supply chain, that is, they were assumed to be supply chain attacks. We therefore discuss what constitutes a supply chain attack and why many attacks are not really supply chain attacks, showing some cases as examples. Understanding the threat landscape concerning supply chain attacks is important since misclassification of incidents may lead to erroneous trend analysis and conclusions.

The report also includes a set of recommendations aimed at policymakers and organizations, in particular suppliers, the adoption of which may increase the overall security posture against supply chain attacks.

Price: FREE

About the Provider

ENISA
The European Union Agency for Cybersecurity (ENISA) is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

TOPICS

Cybersecurity, Supply Chain Attacks, Threat Landscape