EXECUTIVE SUMMARY:

The European Union Cybersecurity Agency (ENISA) reports that supply chain attacks may increase by four-fold in the remainder of 2021. Advanced persistent threat actors (APTs) are developing alarmingly sophisticated methodologies for approaching and overwhelming attack targets.

In an ENISA-sponsored study, researchers found that older frameworks used to defend against supply chain attacks no longer provide adequate security. In other words, organizations must find new means of securing against supply chain threats.

Key ENISA report findings

Researchers observed that more than 50% of recent supply chain attacks emanated from established advanced persistent threat actors. These groups included APT29, APT 41, Thallium, Lazarus, TA413 and TA428, among others. In 62% of analyzed attacks, cyber criminals exploited supplier trust in order to reach critical access points. Additional takeaways:

  • 20% of supply chain attacks targeted data
  • 12% of attackers focused on suppliers’ internal processes
  • 16% of attacks targeted people
  • 8% of attacks sought out financial assets
  • In over 60% of attacks, threat actors deployed malicious code

ENISA best practices

In the report, ENISA advised organizations to track information about suppliers and service providers, and to define a risk criterion for these groups. Suppliers should be managed across the entire product lifecycle. In addition, traditional cyber security best practices should be adhered to. These include monitoring vulnerabilities, inventorying assets and patch management.

Recent transitions to cloud architectures may exacerbate the supply chain risk. Hasty digital transformations in the wake of the coronavirus pandemic may have turned certain infrastructure into easy targets for cyber criminals.

Supply chain attack vectors

According to the ENISA report, two-thirds of supply chain attack victims did not have information about or were not transparent about attack details. Insights into how compromises took place remained thin.

In contrast, among customers analyzed within ENISA’s report, 91% of customers compromised via supply chain attacks generally recognized how the attacks unfolded. The disparity between supply chain victims’ knowledge and customers’ knowledge about attacks reflects an incident reporting gap. ENISA warns that lack of transparency within supply chain reporting may yield negative repercussions down the line.

Supply chain vulnerabilities vs. attacks

Supply chain vulnerabilities are not synonymous with supply chain attacks. A new vulnerability within a supply chain system could have been introduced accidentally and may not lead to compromise.

In 2021, ENISA anticipates a 4X increase in supply chain attacks. We must work together. #Collaborativesecurity #cybersecurity Click To Tweet

How supply chain attacks serve hackers

Supply chain attacks appeal to hackers due to the high volume of information that they can gather through a single hacking initiative. For example, in a supply chain attack, hackers may not only gain access to an organizations’ financial records and banking details, they can also collect names of clients and client email addresses. In turn, they retain the capacity to exploit a small treasure trove of data for their own purposes.

In summary

Between 2020 and 2021, supply chain attacks increased in quantity and in sophistication. In 2021, experts expect to see a continuation of this trend. In the SolarWinds supply chain attack of late 2020, as many as 18,000 organizations were affected. Is your organization prepared for a 4X increase in supply chain attacks?

Get a comprehensive overview of the SolarWinds supply chain attack here. For the full ENISA report, click here. To discover how to protect your organization from supply chain attacks, read our whitepaper. Lastly, sign up for the Cyber Talk newsletter here.