
Why are cyber attackers targeting supply chains?

Badis Hammi
Associate Professor at Télécom SudParis (IP Paris)
Roni Carta
Ethical Hacker and Founder of Lupin & Holmes
Key takeaways
  • The number of phishing attacks tripled between 2020 and 2021, reaching a record high in 2023, when the Anti-Phishing Working Group recorded nearly 5 million attacks.
  • Attacks on the digital supply chain represent a real threat to IT security.
  • They can exploit an organisation’s network of partners to target it, thus multiplying the possible attack surface.
  • Developers frequently use pieces of code that are freely available on the Internet, allowing hackers to exploit software vulnerabilities.
  • To counter this, ethical hackers carry out voluntary intrusions to identify network and infrastructure vulnerabilities in general.

Some reflexes are starting to kick in. An email offers us a suspicious link redirecting us to a page where we have to fill in our login details? We smell the trap of a phishing attack, and we don’t click. An SMS to change the delivery address of a parcel? Deleted before it’s even been read! However, this has not prevented the number of phishing attacks from tripling between 2020 and 2021¹, until the record year of 2023 when the APWG (Anti-Phishing Working Group) recorded “almost 5 million attacks”.

However, this is not the most worrying aspect. Because while cybercriminals continue to exploit human weaknesses to gain access to bank accounts or sensitive company data, another threat is looming in the shadows, still largely unknown to the general public: attacks on the digital supply chain (DSC).

Industry 4.0

Instead of targeting an organisation through a single individual, it is now more common to use the organisation’s network of partners. “It is difficult to attack a company like Airbus head-on, for example,” explains Badis Hammi, cybersecurity researcher and lecturer at IP Paris. “But it is possible to target a smaller service provider that is vital to the company, such as Rolls-Royce, which manufactures engines for Airbus aircraft.” These service companies are in fact integrated into a digital fabric that overlaps the classic production chain (suppliers, factories, distributors, sellers, consumers, etc.): this is the famous digital supply chain. Ransomware in one of the links in this chain is enough to paralyse the multinational that coordinates the whole process. But the danger goes even further.

“In today’s Industry 4.0, everything is connected and can be managed remotely via the Internet. For example, the robotic arms that build cars… This considerably increases the potential cyberattack surface! One virus on a machine’s software, and the factory comes to a standstill,” explains the researcher. But what makes this software so vulnerable?

Open-source building blocks

To understand this, we need to go back to computer code. Developers frequently use pieces of code that are freely available on the Internet. “There are open-source libraries where you can import the code, equivalent to copying and pasting it,” explains Badis Hammi². These “building blocks” are then assembled together to build the platform, or the software adapted to the company. “The great advantage of open source is that it can be verified by the online community, which is very attentive,” the researcher warns. “But this also means that vulnerabilities can creep in.”

These are vulnerabilities or backdoors that allow attackers to access the data circulating through the software. This is the nightmare scenario experienced in 2020 by thousands of organisations around the world, victims of one of the biggest cyberattacks on the software supply chain: the SolarWinds attack³. In September 2019, hackers injected malicious code (called Sunburst) into the Orion software developed by SolarWinds. Then they patiently waited for the American company to ship the Orion update to its customers… an update that unknowingly contained the corrupted code. Nearly 18,000 organisations worldwide were affected, including the US federal government itself, as Orion software is used in institutions such as the Pentagon, the armed forces, various ministries and the FBI.

Spotting the backdoors

This malicious code did indeed contain a backdoor, in direct communication with the hackers’ servers. “If we use the metaphor of a parcel, it’s as if the delivery truck had been hijacked or, worse still, the contents of the parcel had been changed into something malicious,” explains Roni Carta, ethical hacker and co-founder of Lupin & Holmes, which offers cybersecurity solutions for the software supply chain.

“Where it gets complex is that open-source code can use other open-source code. So, you have to imagine a spider’s web of possible entry points for hackers,” adds Roni Carta, whose job is essentially to detect these flaws before they fall into the wrong hands. “Sometimes, hacking is simply done by stealing access to the developers’ own accounts. For example, those who make their code bricks accessible in open-source libraries. It happened very recently, and the owner was warned that his account was vulnerable.”
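The “spider’s web” Roni Carta describes, and the vulnerabilities that “creep in” through imported libraries, are what a software composition analysis (SCA) tool maps: it resolves every library an application pulls in, directly or through other libraries, and cross-references each one against published advisories. The script below is an added illustration, not code from the article or from Lupin & Holmes. It walks a constructed toy lock file transitively and reports each affected package with the chain that brought it in; every package name, version and advisory identifier in it is invented.

```python
"""Added example (not from the article): transitive dependency audit.

Walks a constructed dependency graph from an application root, collects every
package it depends on directly or indirectly, and reports the ones that match a
constructed advisory list, together with the chain that pulled them in.
All package names, versions and advisory identifiers are invented placeholders.
"""
from collections import deque

# Constructed toy lock file: package -> list of (dependency name, pinned version).
DEPENDENCY_GRAPH = {
    "app":             [("web-framework", "2.1.0"), ("json-parser", "1.4.2")],
    "web-framework":   [("http-client", "0.9.1"), ("template-engine", "3.0.0")],
    "http-client":     [("tls-wrapper", "1.2.0"), ("json-parser", "1.4.2")],
    "template-engine": [],
    "json-parser":     [],
    "tls-wrapper":     [],
}

# Constructed advisories: package -> list of (first fixed version, advisory id).
# A pinned version strictly below the fixed version is considered affected.
ADVISORIES = {
    "tls-wrapper": [("1.2.1", "EXAMPLE-ADV-0001")],
    "json-parser": [("1.4.0", "EXAMPLE-ADV-0002")],   # 1.4.2 is already fixed
}


def parse_version(text):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def resolve_transitive(graph, root):
    """Breadth-first walk from root. Returns {package: (version, path)} where
    path is the chain of packages, starting at root, that pulled it in.
    The first (shortest) chain found for a package is the one kept."""
    resolved = {}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        for dep, version in graph.get(name, []):
            if dep in resolved:
                continue          # already reached via a chain at least as short
            resolved[dep] = (version, path + [dep])
            queue.append((dep, path + [dep]))
    return resolved


def find_vulnerable(graph, advisories, root="app"):
    """Cross-reference every transitive dependency against the advisory list.
    Returns a list of findings sorted by chain length (direct deps first)."""
    findings = []
    for dep, (version, path) in resolve_transitive(graph, root).items():
        for fixed_in, advisory_id in advisories.get(dep, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({
                    "package": dep,
                    "version": version,
                    "advisory": advisory_id,
                    "fixed_in": fixed_in,
                    "depth": len(path) - 1,      # 1 = direct dependency
                    "path": " -> ".join(path),
                })
    return sorted(findings, key=lambda f: f["depth"])


if __name__ == "__main__":
    for f in find_vulnerable(DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{f['advisory']}: {f['package']} {f['version']} "
              f"(fixed in {f['fixed_in']}) pulled in via {f['path']}")
```

On the constructed graph, the only affected package sits three hops below the application, behind two libraries the developer never chose directly; that is the point of the metaphor. Real SCA tools work the same way but read actual lock files and advisory databases, and a real audit also has to handle the same package appearing at several versions along different chains, which this toy walk deliberately does not.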

So how can you protect yourself from attacks? By practising how to thwart them. “Nowadays, we finally teach ‘ethical hacking’, what is known as the ‘red team’,” states Badis Hammi. “These are ‘pentesters’, people who deliberately carry out intrusions to find flaws in networks and infrastructures in general.” Roni Carta is trying to automate this work by creating Dépi, a software programme for detecting flaws in the software supply chain, intended for companies. For Badis Hammi, it is above all necessary to keep an eye on things and keep in mind that for every thousand lines of code or so, there is a potential flaw. In short, we have not finished developing our good cybersecurity reflexes.

Sophie Podevin
¹ 2021 Phishing Attacks Report: https://docs.apwg.org/reports/apwg_trends_report_q4_2021.pdf
² Badis Hammi, Sherali Zeadally, and Jamel Nebhen. 2023. Security Threats, Countermeasures, and Challenges of Digital Supply Chains. ACM Comput. Surv. 55, 14s, Article 316 (July 2023), 40 pages. https://doi.org/10.1145/3588999
³ https://www.francetvinfo.fr/internet/securite-sur-internet/cyberattaques/solarwinds-ce-que-l-on-sait-sur-la-cyberattaque-massive-qui-touche-notamment-microsoft-et-des-agences-federales-americaines_4223253.html
