We’ve talked before about why software supply chains cannot be ignored and shared a primer on supply chains, what software supply chains are, why they can lead to security breaches, and how to safeguard them.

Next up in our software supply chain series, this blog post looks at real-world case studies to highlight the seriousness of software supply chain breaches, the extent of damage they can cause, and why you must take the matter seriously. First, let’s start by quantifying the extent of damage caused by supply chain breaches.

What percentage of breaches start with the software supply chain?

Although it's difficult to pinpoint specific percentages, reports show that software supply chain attacks are on the rise and pose a significant threat to organizations. According to. ReversingLabs' State of Software Supply Chain Security 2024 report, supply chain attacks are only getting easier for bad actors, in part because of the widespread use of open-source libraries. In 2023, ReversingLabs saw a 28% increase from the year before in the total number of malicious packages uploaded to open-source repositories.

The risks of open-source became clear in early 2024 when a Microsoft software engineer spotted the XZ Utils backdoor — a near-miss software supply chain effort that was years in the making.

Revenera also found that supply chain attacks impacted 64% of companies primarily due to increased OSS reliance.

What these numbers tell us is a significant portion of breaches use the software supply chain as an attack surface, emphasizing the importance of securing the supply chain for organizations.

Top 5 supply chain attacks of 2023

There has been a notable surge in supply chain cyber-attacks affecting numerous vendors, underscoring a concerning trend in cybersecurity. These incidents emphasize the critical need for robust security measures to protect against evolving threats in the software supply chain. Let's examine some of the major incidents that occurred in 2023.

1. Okta (October 2023):

Okta, a leading provider of identity and authentication management services, disclosed a significant breach where threat actors gained unauthorized access to private customer data through its support management system. Despite security alerts, the breach went

undetected for weeks, highlighting the vulnerability of widely used services like Okta to third-party supply chain risks. 

2. JetBrains (September/October 2023):

In a concerning development, the SolarWinds hackers exploited a critical vulnerability in JetBrains TeamCity servers, potentially enabling remote code execution and administrative control. This incident underscores the severity of supply chain attacks, as even trusted tools like JetBrains can be compromised, posing significant risks to organizations relying on their software. 

3. MOVEit (June 2023):

The MOVEit Transfer tool, renowned for securely transferring sensitive files, was targeted in a supply chain attack affecting over 620 organizations, including major entities like BBC and British Airways. Linked to the ransomware group Cl0p, this attack underscores the urgency of promptly patching vulnerabilities and securing web-facing applications to mitigate supply chain risks effectively. 

4. 3CX (March 2023):

The desktop apps of 3CX, a widely-used communications software provider, fell victim to a supply chain attack, enabling attackers to execute malicious activities within victims' environments. The fact that the attack was signed with valid 3CX certificates suggests a compromised build environment, highlighting the importance of stringent security measures in software supply chains. 

5. Applied Materials (Feb 2023):

A cyber-attack targeting a business partner of semiconductor giant Applied Materials disrupted shipments, potentially resulting in losses of up to $250 million. This incident underscores the far-reaching consequences of supply chain attacks, impacting critical industries and causing significant financial harm.

Let’s zoom into two of these supply chain attacks. In the chart below, we lay out the method, scope, and impact of these attacks.

Okta and JetBrains attack details

We can extract a lot of lessons-learned from these attacks to help prevent against future ones. Taking a step back, we took a look at the top 10 software supply chain attacks we've seen, each providing valuable insights and lessons to be absorbed.

The top 10 recent attacks on the software supply chain

1. SolarWinds

In December 2020, the network management software company SolarWinds got hacked, resulting in a widespread breach of multiple government agencies and private companies. A total of 18,000 customers and businesses were impacted. The attack was traced back to a malicious software update added to SolarWinds’ Orion software, demonstrating the importance of secure software updates in the supply chain.

2. Equifax

In 2017, Equifax's credit reporting company suffered a massive data breach that affected 147 million customers. The breach was later attributed to a vulnerability in Equifax’s website software caused by a failure to patch a known security issue. This case highlights the importance of proper patch management in the software supply chain.

3. CCleaner

In 2017, the popular system optimization tool CCleaner was compromised and used to distribute malware. The attackers were able to inject malicious code into CCleaner’s software supply chain, demonstrating the importance of secure code signing and verification processes.

4. Apple XCodeGhost

In 2015, hackers targeted Chinese iOS developers by compromising the XCode development tool used to create iOS apps. The attackers added malicious code to the tool, incorporated into several iOS apps on the App Store. This case highlights the importance of secure development tools and the need to thoroughly screen third-party components in the software supply chain.

5. Not Petya

This 2017 malware attack targeted Ukraine's government and infrastructure and spread to other countries via a supply chain attack on the software company MeDoc. It was distributed through an update to MeDoc, a tax accounting program widely used by Ukrainian companies, that released the NotPetya malware. The malware used the EternalBlue exploit.

6. TSMC Taiwanese chip manufacturer

In 2018, the malware was spread through the company's software update system. The virus was injected into TSMC's systems when a supplier installed infected software onto some of its machines without running an antivirus scan. The attack affected over 10,000 devices in some of TSMC’s most advanced facilities.

7. Panasonic

In November 2021, this breach was disclosed, representing a unique supply chain attack compromising data that businesses share as part of supply chain operations due to a third party's illegal access to Panasonic servers.

8. Wipro

Targeting Indian IT services provider Wipro, in this 2020 attack hackers used a supply chain attack to gain access to the company's network and steal sensitive client data. In this case, attackers used Wipro’s systems to launch phishing attacks against customers. Phishing exploits made Wipro a platform to attack some customers and highlight third-party risks from service providers.

9. Codecov

In this 2020 attack on the US-based software company Codecov, hackers were able to gain access to the company's software development tools and potentially steal sensitive data from its clients. The attackers exploited an error in how Codecov created docker images. This process allowed the attackers to extract a credential from the Docker image.

10. Dragonfly 2.0 attack 

In 2014, this highly sophisticated cyber espionage campaign used compromised software updates to gain access to energy sector organizations in the US and Europe.

We’ve listed ten attacks but we could go on — no one is going to forget the anytime soon. Each of these cases demonstrate the critical importance of secure software supply chain practices and the dire real-world consequences of supply chain attacks. Let’s unpack some of these breaches and understand the source of the breach and how we can mitigate them.

Supply chain attacks unpacked

The method, scope, and impact of the SolarWinds attack

The SolarWinds supply chain attack in 2020 occurred due to a sophisticated hacking operation that injected malicious code into SolarWinds' software development process, specifically the Orion software updates. The attackers could infiltrate SolarWinds' build systems and insert malware, which spread among customers as part of legitimate software updates.

Due to the malicious code inserted during the build process of the software update, even though it was delivered to customers via secure signing and verification checks, since the malicious

injection occurred early in the chain, signing and validating software downloads couldn't catch it either.

It was one of the most massive supply chain attacks that started in 2018, and it took almost 15 months to discover the breach. The attack allowed the attackers to access sensitive data and systems of numerous organizations that used SolarWinds' Orion platform.

The method, scope, and impact of the Equifax breach

Attackers could exploit this vulnerability because Equifax had failed to patch the affected software, even though a patch had been available for several months before the breach occurred. The attackers could then move laterally through Equifax's network and exfiltrate sensitive data belonging to approximately 147 million individuals. As a result, the primary cause of Equifax's supply chain breach was inadequately managing the security of third-party software components combined with a failure to apply critical security patches promptly.

Diversity in supply chain attacks

Though similar, the SolarWinds and Equifax supply chain attacks are different in several ways. Just by contrasting these two, we can be mindful of the diversity in attack patterns.

Demonstration of diversity in supply chain attacks

Attacks of this nature are just the tip of the iceberg. In addition to highlighting the different types of supply chain attacks and a broad spectrum of impacts, they emphasize the need for organizations to maintain robust security measures continuously throughout the software development and distribution processes.

Defense strategies: Prioritizing supply chain cyber security

Organizations must jump on certain software supply chain practices to avoid similar future attacks, including implementing code signing and verification processes, conducting regular security assessments of third-party components, and implementing proper upgrade procedures enabling security practices throughout the software development life cycle. Additionally, organizations should monitor their software supply chain for signs of compromise and have incident response and remediation plans to address any security issues quickly.

Security tools that can help identify security flaws in the software components found in an organization's applications and infrastructure are a must. Organizations can mitigate attacks akin to SolarWinds by using tools to continuously scan software components at all deployment phases, both pre- and post-deployment, to detect and address vulnerabilities exploited in the supply chain attack.

Rescue tools: Visibility into potential supply chain vulnerabilities

Using tools like KubeClarity can help organizations stay updated on the latest security patches and advisories for their deployed components, allowing them to take proactive steps to mitigate potential risks.

As an example, KubeClarity's dashboard is a handy tool to visualize vulnerabilities and other security risks in your software supply chain. Below is an example of vulnerabilities reported by KubeClarity identifying CVEs, short for Common Vulnerabilities and Exposures. It is a list of publicly disclosed computer security flaws in specific libraries and application resources.

While the vulnerabilities reported here in a sample application are not the exact ones that affected Equifax CVE-2017-5638 or SolarWinds CVE-2023-23836, the report can give you an idea of what it can do for your software supply chain security by providing visibility into potential vulnerabilities and spotlighting high severity ones that you want to get fixed right away. In the subsequent blog series, we will learn more about CVEs and how to interpret them.

KubeClarity generates this list of vulnerabilities in container images and filesystems by parsing the Software Bill of Materials (SBOM) and feeding the SBOM document to specialized vulnerability scanners to generate a granular list of CVEs, as you see above. If you want to further understand SBOMs and their significance in vulnerability detection, you are on track; it is coming next.

Next up: Digging into SBOMs

Let's double-click on SBOMs and learn what they are and why they are pivotal in building secure software supply chains.

Pallavi Kalapatapu is an Engineering Director and open source advocate in Cisco’s Emerging Technology & Incubation organization, now Outshift by Cisco.