Supply chain attack

A basic diagram of a supply chain network, which shows how goods are moved from the raw materials stage to being acquired by the end consumer

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain.[1] A supply chain attack can occur in any industry, from the financial sector and the oil industry to the government sector.[2] A supply chain attack can happen in software or hardware.[3] Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components.[4] Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.[5]

A supply chain is a system of activities involved in handling, distributing, manufacturing, and processing goods in order to move resources from a vendor into the hands of the final consumer. A supply chain is a complex network of interconnected players governed by supply and demand.[6]

Although supply chain attack is a broad term without a universally agreed-upon definition,[7][8] in reference to cyber-security, a supply chain attack can involve physically tampering with electronics (computers, ATMs, power systems, factory data networks) in order to install undetectable malware for the purpose of bringing harm to a player further down the supply chain network.[2][4][9] Alternatively, the term can be used to describe attacks exploiting the software supply chain, in which an apparently low-level or unimportant software component used by other software can be used to inject malicious code into the larger software that depends on the component.[10]
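The dependency relationship described above can be made concrete from the defender's side. The following is an added example, not part of the original article: it walks a constructed dependency graph (all package names are hypothetical) to list every package that would inherit a compromise of one low-level component, with the dependency path that carries it.

```python
from collections import deque

# Constructed sample graph: package -> components it depends on directly.
# All names are hypothetical and chosen only for illustration.
DEPENDS_ON = {
    "billing-app": ["web-framework", "pdf-export"],
    "intranet-portal": ["web-framework"],
    "reporting-tool": ["pdf-export", "csv-utils"],
    "web-framework": ["template-engine", "string-pad"],
    "pdf-export": ["font-loader"],
    "font-loader": ["string-pad"],
    "template-engine": [],
    "csv-utils": [],
    "string-pad": [],
}


def reverse_edges(depends_on):
    """Invert the graph: component -> packages that depend on it directly."""
    used_by = {name: set() for name in depends_on}
    for package, deps in depends_on.items():
        for dep in deps:
            used_by.setdefault(dep, set()).add(package)
    return used_by


def affected_by(component, depends_on):
    """Return {package: path from package down to component} for every
    package that depends on `component` directly or transitively."""
    used_by = reverse_edges(depends_on)
    paths = {component: [component]}
    queue = deque([component])
    while queue:
        current = queue.popleft()
        for parent in sorted(used_by.get(current, ())):
            if parent not in paths:  # first visit is the shortest path; also guards cycles
                paths[parent] = [parent] + paths[current]
                queue.append(parent)
    del paths[component]  # the component itself is not a dependent
    return paths


if __name__ == "__main__":
    # Which packages must be reviewed if "string-pad" is found to be tampered with?
    for package, path in sorted(affected_by("string-pad", DEPENDS_ON).items()):
        print(f"{package}: {' -> '.join(path)}")
```

In this sample, three applications that never list `string-pad` among their direct dependencies still inherit it through intermediate packages, which is why impact assessment has to follow the transitive graph rather than each project's direct dependency list.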

In a more general sense, a supply chain attack may not necessarily involve electronics. When burglars gained access to the pharmaceutical giant Eli Lilly's supply warehouse in 2010 by drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck, they could also have been said to have carried out a supply chain attack.[11][12] However, this article will discuss cyber attacks on physical supply networks that rely on technology; hence, a supply chain attack is a method used by cyber-criminals.[13]

  1. Cite error: the named reference csOnline was invoked but never defined.
  2. Cite error: the named reference :1 was invoked but never defined.
  3. "Supply chain attacks". docs.microsoft.com. Retrieved 10 April 2022.
  4. "New malware hits ATM and electronic ticketing machines". SC Magazine UK. Retrieved 29 October 2015.
  5. "2019 Internet Security Threat Report Executive Summary". Broadcom. Retrieved 23 November 2021.
  6. "Supply Chain Definition | Investopedia". Investopedia. Retrieved 4 November 2015.
  7. "Supply chain, cyber security and geo-political issues pose the greatest risks, as risk goes up in importance and profile say risk managers at Sword Active Risk conference". M2 Presswire. 28 July 2015. Retrieved 4 November 2015.
  8. Napolitano, J. (6 January 2011). "How to secure the global supply chain". Wall Street Journal. Retrieved 4 November 2015.
  9. Cite error: the named reference :3 was invoked but never defined.
  10. Goodin, Dan (24 June 2024). "Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack". Ars Technica. Retrieved 25 June 2024.
  11. "Drug theft goes big". Fortune. Retrieved 4 November 2015.
  12. "Solving the Eli Lilly Drug Theft". www.securitymagazine.com. Retrieved 4 November 2015.
  13. Cite error: the named reference :4 was invoked but never defined.