The European Union has forecast there will be four times more software supply chain attacks in 2021 than there were in 2020, as cybercriminals shift to larger, cross-border targets.
The European Union Agency for Cybersecurity – also known as ENISA – has published a new study analyzing the anatomy of a supply chain attack following a number of high-profile incidents in recent months.
The report (PDF), titled ‘Threat Landscape for Supply Chain Attacks’, looked at 24 such incidents that have occurred between January 2020 and July 2021.
One for all, all for one
Among the findings, ENISA revealed that around 50% of the supply chain attacks studied were attributed to know APT groups, while 42% were not attributed to a particular source.
The study also determined that the attackers’ main motivations lay in gaining access to source code and customer data.
The EU-funded study came in the wake of two major cyber-attacks that have made headline news in the past 12 months.
Firstly, the SolarWinds incident saw attackers exploit known vulnerabilities in the IT software Orion, used to manage servers at organizations including various arms of the US government, threat response firm FireEye, and Microsoft.
The attacks – which may have begun as early as March 2020 but were only detected in December that year – have been linked to Russian state-sponsored threat group APT29 (AKA ‘Cozy Bear’).
The group demanded a $70 million ransomware payment, which Kaseya denied it has paid.
The ENISA report reads: “Unfortunately, these two examples are not isolated cases and the number of supply chain attacks has been steadily increasing over the last year.
“This trend further stresses the need for policymakers and the security community to devise and introduce novel protective measures to address potential supply chain attacks in the future and to mitigate their impact.”
Known incidents
A timeline of the events in the study details the level of impact from these incidents and identifies those who are thought to have been behind the attacks.
A timeline of the attacks studied in the report The report stated that 66% of supply chain attacks were committed by exploiting an unknown vulnerability, while 16% leveraged known software vulnerabilities.
Most attacks during the specified timeline aimed to compromise code (66%), followed by data (20%), and processes (12%).
Independently of the technique used, most supply chain attacks aimed at gaining access to customer data (58%), key people (16%) and financial resources (8%).
Classifying cases
The report’s authors also proposed introducing a taxonomy – a scheme of classification – for mapping supply chain attacks by identifying what has happened, and how.
It takes into account the supplier and the customer, pinpointing what assets were targeted and what techniques were used to gain access.
The report’s authors proposed a taxonomy for supply chain attacks
“For each of these four distinguishing elements in the taxonomy, we have defined the elements that better characterize a supply chain attack,” the report states.
“By selecting the corresponding elements, it is possible to have a better understanding of what is known or not known about an attack.”
The authors also noted that the taxonomy is “conceptually different” from the Mitre ATT&CK framework, and aims to complement it rather than replace it.
Serious risk
The report’s authors concluded that the recent shift towards supply chain attacks is likely to significantly increase the risk this year. Four times more supply chain attacks are expected to take place in 2021 than in 2020.
“The inherent global nature of current supply chains increases the potential impact of these attacks and broadens the attack surface for malicious actors.”
Increasing the risk is the fact that a large number of attack vectors (66%) in the incidents investigated still remain unknown.
“A lack of transparency or the ability to investigate poses a serious risk to the trust of the supply chain,” wrote the authors, adding that “improving the process of transparency and accountability is the first step to improving the security of all elements in the supply chain and protecting final customers”.
Finally, the report recommends that EU Member States “establish good practices” and coordinated actions “to reach a common level of security”.