The Kaseya cyberattack disrupted more than 1,000 businesses over the Fourth of July weekend and may turn out to be one of the biggest hacks in history. It’s also a textbook example of a “supply chain” hack: a type of cyberattack where criminals target software vendors or IT services companies in order to infect their clients.
Supply chain attacks are a looming cyber threat with the potential to greatly magnify the damage of a single security breach. They’ve been responsible for some of the biggest cyberattacks of the past year, including the Kaseya breach and the SolarWinds attack.
As cybercriminals continue to shut down major companies and key pieces of public infrastructure seeking ransoms, supply chain hacks promise to spread the pain of digital disruptions by extracting collective ransoms from small- and medium-sized businesses that otherwise wouldn’t appear to be promising extortion targets.
In a typical hack, cyber criminals pick one company to target and find a unique way to break into that particular victim’s computer network. But during a supply chain attack, hackers infiltrate a trusted company that supplies software or IT services to many other firms. Their goal is to slip malware into the “supply chain” of software updates the company installs on its customers’ computers. Given IT management firms’ virtually unlimited access to their customers’ computer systems, a virus can be installed undetected on thousands of computers at once.
Supply chain hacks target businesses indiscriminately; anyone who uses software from an infected vendor can get swept up in the attack. This raises the risks for small- and medium-sized businesses that would normally escape cybercriminals’ notice. With the Kaseya attack, hackers appear to be testing their ability to extort a large collective ransom by hacking hundreds of small businesses.
Several of the most notable hacks during the pandemic have been supply chain attacks.
On July 2, hackers breached Kaseya, a Miami, Florida-based software company. Kaseya sells IT management software—tools for monitoring and controlling what happens on a computer network—to thousands of so-called “managed service providers,” which in turn sell their IT and cybersecurity services to hundreds of thousands of small- and medium-sized businesses. After breaking into Kaseya, the hackers infected about 50 managed service providers, and from there they jumped into the systems of as many as 1,500 of their clients. The hackers encrypted the victims’ data, effectively shutting down their computer networks. They’re now demanding a $50 million ransom for a key that will unlock all the victims’ networks.
Last year, Russian government-backed hackers worked their way into the network of SolarWinds, an IT company that sells a piece of software that helps businesses monitor their computer networks. In March 2020, they slipped a virus into a routine software update that allowed them to monitor and control the computer networks of 100 private companies and nine US government agencies. The hackers didn’t demand a ransom; instead, they appear to be exploiting the vulnerability to this day for espionage.
In June, the same hackers behind SolarWinds appear to have breached a small corner of Microsoft’s software empire in an attempt to infect its clients. The attack failed to reach Microsoft’s customers, but it underscored the ongoing threat of supply chain attacks—even at one of the world’s largest and most heavily fortified software vendors.
Supply chain attacks are hard to defend against because they use software updates from trusted vendors as Trojan horses. Businesses always have to be wary of viruses that come from employees opening nefarious email attachments, unwittingly giving their login credentials to criminals, or plugging an infected USB drive into a company computer. Now they must also guard against viruses delivered as legitimate software updates from their own business partners.
Cybersecurity experts recommend three main steps for businesses that want to reduce their risk of being hit with a supply chain hack. First, companies should take stock of all the external software and IT service vendors they rely on to keep their business running. If it’s a long list, companies may want to consider reducing the number of vendors they use; the more vendors a business relies on, the greater the risk that one of them will get hacked and expose the business to an attack.
Second, businesses should do their due diligence to make sure their software vendors are taking adequate steps to defend themselves against hackers. “We’re more and more reliant on internet-connected management tools,” said David White, president of the cybersecurity firm Axio. “These tools have tremendous power and rights inside our network. Are we sure they’re sufficiently protected themselves?”
Finally, companies may want to change their approach to installing software patches from their IT providers. “The advice has always been patch, patch, patch, patch, patch. Do it automatically, do it as fast as you can, because we wanted a vehicle for resolving known security vulnerabilities as fast as we could,” said Axio chief product officer Dale Gonzalez.
In some cases, he said, software updates coming from trusted IT providers are even exempted from standard antivirus protections in order to get them installed as quickly and seamlessly as possible. But given the rise of supply chain hacks, Gonzalez said, companies may want to treat software updates with more scrutiny—for example, by subjecting them to robust antivirus scans or testing them out on isolated servers before installing them on the rest of the network.
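One way a defender can operationalize that last step, as an added example that is not from the article or from Axio: a small release gate that refuses to roll a vendor update out to the wider network until it has passed a malware scan, sat on an isolated test ring for a soak period, and still matches, byte for byte, the artifact that was tested. The vendor name, version, soak period and sample payload are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, List, Tuple

# Minimum time an update must run on the isolated test ring before it is
# cleared for the rest of the network (assumed policy value, not from the article).
SOAK_PERIOD = timedelta(hours=72)

@dataclass
class StagedUpdate:
    vendor: str
    version: str
    sha256: str                           # digest of the artifact installed on the test ring
    staged_at: Optional[datetime] = None  # when it went onto the isolated servers
    scan_clean: bool = False              # passed the antivirus/malware scan
    staging_ok: bool = False              # no anomalous behaviour seen on the test ring

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gate_update(rec: StagedUpdate, artifact: bytes, now: datetime) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed check is reported, not just the first."""
    reasons: List[str] = []
    # Pin the fleet rollout to the exact bytes that were tested: a binary that was
    # swapped between staging and rollout has a different digest and is refused.
    if sha256_hex(artifact) != rec.sha256:
        reasons.append("artifact digest does not match the staged artifact")
    if not rec.scan_clean:
        reasons.append("update has not passed a malware scan")
    if rec.staged_at is None:
        reasons.append("update was never run on the isolated test ring")
    elif now - rec.staged_at < SOAK_PERIOD:
        reasons.append("soak period on the test ring not yet complete")
    if not rec.staging_ok:
        reasons.append("anomalies reported from the test ring")
    return (not reasons, reasons)

# Constructed sample: an update payload and the record of its staging run.
SAMPLE_ARTIFACT = b"constructed update payload, vendor=ExampleRMM, version=1.2.0"
NOW = datetime(2021, 7, 6, 9, 0)
SAMPLE_RECORD = StagedUpdate(
    vendor="ExampleRMM", version="1.2.0", sha256=sha256_hex(SAMPLE_ARTIFACT),
    staged_at=NOW - timedelta(days=4), scan_clean=True, staging_ok=True)

if __name__ == "__main__":
    print(gate_update(SAMPLE_RECORD, SAMPLE_ARTIFACT, NOW))                # approved
    print(gate_update(SAMPLE_RECORD, SAMPLE_ARTIFACT + b"tampered", NOW))  # refused
```

The digest check is what ties the isolated-server test to the production rollout: without it, a clean test run says nothing about the bytes that actually reach the fleet.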