
Why are cyber attackers targeting supply chains?

Badis Hammi
Associate Professor at Télécom SudParis (IP Paris)
Roni Carta
Ethical Hacker and Founder of Lupin & Holmes
Key takeaways
  • The number of phishing attacks tripled between 2020 and 2021, reaching a record high in 2023, when the Anti-Phishing Working Group recorded nearly 5 million attacks.
  • Attacks on the digital supply chain represent a real threat to IT security.
  • They can exploit an organisation’s network of partners to target it, thus multiplying the possible attack surface.
  • Developers frequently use pieces of code that are freely available on the Internet, allowing hackers to exploit software vulnerabilities.
  • To counter this, ethical hackers carry out voluntary intrusions to identify network and infrastructure vulnerabilities in general.

Some reflexes are starting to kick in. An email offers us a suspicious link redirecting us to a page where we have to fill in our login details? We smell the trap of a phishing attack, and we don’t click. An SMS to change the delivery address of a parcel? Deleted before it’s even been read! However, this has not prevented the number of phishing attacks from tripling between 2020 and 2021 [1], until the record year of 2023 when the APWG (Anti-Phishing Working Group) recorded “almost 5 million attacks”.

However, this is not the most worrying aspect. Because while cybercriminals continue to exploit human weaknesses to gain access to bank accounts or sensitive company data, another threat is looming in the shadows, still largely unknown to the general public: attacks on the digital supply chain (DSC).

Industry 4.0

Instead of targeting an organisation through a single individual, it is now more common to use the organisation’s network of partners. “It is difficult to attack a company like Airbus head-on, for example,” explains Badis Hammi, cybersecurity researcher and lecturer at IP Paris. “But it is possible to target a smaller service provider that is vital to the company, such as Rolls-Royce, which manufactures engines for Airbus aircraft.” These service companies are in fact integrated into a digital fabric that overlaps the classic production chain (suppliers, factories, distributors, sellers, consumers, etc.): this is the famous digital supply chain. Ransomware in one of the links in this chain is enough to paralyse the multinational that coordinates the whole process. But the danger goes even further.

“In today’s Industry 4.0, everything is connected and can be managed remotely via the Internet. For example, the robotic arms that build cars… This considerably increases the potential cyberattack surface! One virus on a machine’s software, and the factory comes to a standstill,” explains the researcher. But what makes this software so vulnerable?

Open-source building blocks

To understand this, we need to go back to computer code. Developers frequently use pieces of code that are freely available on the Internet. “There are open-source libraries where you can import the code, equivalent to copying and pasting it,” explains Badis Hammi [2]. These “building blocks” are then assembled together to build the platform, or the software adapted to the company. “The great advantage of open source is that it can be verified by the online community, which is very attentive,” the researcher warns. “But this also means that vulnerabilities can creep in.”

Vulnerabilities, or backdoors, that allow hackers to access the data circulating in the software. This is the nightmare scenario experienced in 2020 by thousands of organisations around the world, victims of one of the biggest cyberattacks on the software supply chain: the SolarWinds attack [3]. In September 2019, hackers injected malicious code (called Sunburst) into the Orion software developed by SolarWinds. Then they patiently waited for the American company to offer its customers the Orion update… which, unknown to them, contained the corrupted code. Nearly 18,000 organisations worldwide were affected, including the US federal government itself, as Orion software is used in institutions such as the Pentagon, the armed forces, various ministries and the FBI.

Spotting the backdoors

This malicious code did indeed contain a backdoor, in direct communication with the hackers’ servers. “If we use the metaphor of a parcel, it’s as if the delivery truck had been hijacked or, worse still, the contents of the parcel had been changed into something malicious,” explains Roni Carta, ethical hacker and co-founder of Lupin & Holmes, which offers cybersecurity solutions for the software supply chain.

“Where it gets complex is that open-source code can use other open-source code. So, you have to imagine a spider’s web of possible entry points for hackers,” adds Roni Carta, whose job is essentially to detect these flaws before they fall into the wrong hands. “Sometimes, hacking is simply done by stealing access to the developers’ own accounts. For example, those who make their code bricks accessible in open-source libraries. It happened very recently, and the owner was warned that his account was vulnerable.”
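To make the “spider’s web” and the changed “parcel” concrete, here is an added example (not code from the article, from Lupin & Holmes or from Dépi) that walks a constructed, hypothetical dependency manifest to list every package a project really pulls in, shows which packages are exposed when one deep library is altered, and checks each package against the hash pinned when it was reviewed; all package names and contents are invented for the illustration.

```python
import hashlib
from typing import Dict, List, Set

# Constructed, hypothetical dependency manifest (package names invented for this
# example): each package lists the open-source packages it imports in turn.
DEPENDENCIES: Dict[str, List[str]] = {
    "factory-dashboard": ["web-kit", "plc-client"],  # the company's own software
    "web-kit": ["template-engine", "http-core"],
    "plc-client": ["http-core", "modbus-lite"],
    "template-engine": ["string-utils"],
    "http-core": ["string-utils"],
    "modbus-lite": [],
    "string-utils": [],
}

# Constructed package contents at the time each was reviewed, and the hash pinned then.
REVIEWED: Dict[str, bytes] = {n: f"# {n} v1.0\n".encode() for n in DEPENDENCIES if n != "factory-dashboard"}
PINNED_SHA256: Dict[str, str] = {n: hashlib.sha256(d).hexdigest() for n, d in REVIEWED.items()}

def transitive_dependencies(root: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Every package reachable from root: the real attack surface, not only direct imports."""
    seen: Set[str] = set()
    stack = list(graph.get(root, []))
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(graph.get(pkg, []))
    return seen

def dependants_of(target: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Every package whose closure contains target: who is exposed if target is tampered with."""
    return {pkg for pkg in graph if target in transitive_dependencies(pkg, graph)}

def verify_pins(current: Dict[str, bytes], pins: Dict[str, str]) -> List[str]:
    """Names whose current bytes no longer match the pinned hash (the 'parcel' was changed)."""
    return sorted(name for name, data in current.items()
                  if hashlib.sha256(data).hexdigest() != pins.get(name))

def simulate_tampered_update() -> List[str]:
    """Constructed scenario: an update to the deepest library ships with altered contents."""
    current = dict(REVIEWED)
    current["string-utils"] = b"# string-utils v1.1 (contents changed)\n"
    return verify_pins(current, PINNED_SHA256)

if __name__ == "__main__":
    print("attack surface:", sorted(transitive_dependencies("factory-dashboard", DEPENDENCIES)))
    print("exposed via string-utils:", sorted(dependants_of("string-utils", DEPENDENCIES)))
    print("hash mismatches after update:", simulate_tampered_update())
```

Two direct dependencies turn into six packages to trust, and a single change to the deepest one is reachable from almost every link in the chain, which is why pinning and re-verifying hashes on every update matters.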

So how can you protect yourself from attacks? By practising how to thwart them. “Nowadays, we finally teach ‘ethical hacking’, what is known as the ‘red team’,” states Badis Hammi. “These are ‘pentesters’, people who deliberately carry out intrusions to find flaws in networks and infrastructures in general.” Roni Carta is trying to automate this work by creating Dépi, a software programme for detecting flaws in the software supply chain, intended for companies. For Badis Hammi, it is above all necessary to keep an eye on things and keep in mind that for every thousand lines of code or so, there is a potential flaw. In short, we have not finished developing our good cybersecurity reflexes.

Sophie Podevin
[1] 2021 Phishing Attacks Report: https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf
[2] Badis Hammi, Sherali Zeadally, and Jamel Nebhen. 2023. Security Threats, Countermeasures, and Challenges of Digital Supply Chains. ACM Comput. Surv. 55, 14s, Article 316 (July 2023), 40 pages. https://doi.org/10.1145/3588999
[3] https://www.francetvinfo.fr/internet/securite-sur-internet/cyberattaques/solarwinds-ce-que-l-on-sait-sur-la-cyberattaque-massive-qui-touche-notamment-microsoft-et-des-agences-federales-americaines_4223253.html
