Attackers no longer need to target your company directly. It is easier to compromise a software or service provider that already has access to your infrastructure. Supply chain attacks have become one of the most devastating and difficult-to-detect threats.
Recent Notable Cases
SolarWinds (2020)
Russian hackers compromised SolarWinds' Orion monitoring software by inserting a backdoor into legitimate updates. More than 18,000 organizations—including U.S. government agencies, Microsoft, and FireEye—installed the compromised version. The attack went undetected for 14 months.
MOVEit (2023)
A zero-day vulnerability in the MOVEit file transfer software affected more than 2,600 organizations and 77 million people. The CL0P group exploited it on a massive scale before a patch was available, extorting victims by threatening to publish their stolen data.
3CX (2023)
The 3CX communications software—used by 600,000 companies and 12 million users—was compromised in a two-step attack: the attackers first compromised a 3CX vendor (Trading Technologies), and from there injected malware into the 3CX installer.
XZ Utils (2024)
A malicious actor gained the trust of the maintainers of the open-source xz-utils project over a period of two years before inserting a backdoor into the compression library used by virtually all Linux servers. It was discovered by chance.
Why are they so effective?
- Implicit trust: Software updates from trusted providers are installed automatically, without prompting
- Scale: A single committed provider can provide access to thousands of customers simultaneously
- Difficult to detect: The malware is digitally signed by the legitimate vendor, allowing it to bypass most security checks
- Persistence: Attackers can maintain access for months or years before being detected
How to Manage Third-Party Risk
- List of Critical Suppliers: Identify all vendors that have access to your systems, data, or network. Classify them by risk level.
- Security due diligence: Require proof of security controls (ISO 27001, SOC 2, penetration testing) before contracting with a critical vendor.
- Behavior monitoring: Use your SOC to monitor third-party software connections and activities within your infrastructure.
- Principle of Least Privilege: Vendors should only have access to the systems that are strictly necessary, and that access should be reviewed periodically.
- Response Plan: Have a specific playbook for supply chain incidents—such as isolating compromised software without shutting down the entire operation.
- Contractual clauses: Include security requirements, a breach notification obligation, and the right to conduct audits in contracts with suppliers.
