Supply chain attack

A basic diagram of a supply chain network, which shows how goods are moved from the raw materials stage to being acquired by the end consumer

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in its supply chain. [1] A supply chain attack can occur in any industry, from the financial sector and the oil industry to government. [2] A supply chain attack can happen in software or hardware. [3] Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. [4] Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018. [5]

A supply chain is a system of activities involved in handling, distributing, manufacturing, and processing goods in order to move resources from a vendor into the hands of the final consumer. A supply chain is a complex network of interconnected players governed by supply and demand. [6]

Although supply chain attack is a broad term without a universally agreed upon definition, [7] [8] in reference to cyber-security, a supply chain attack can involve physically tampering with electronics (computers, ATMs, power systems, factory data networks) in order to install undetectable malware for the purpose of bringing harm to a player further down the supply chain network. [2] [4] [9] Alternatively, the term can be used to describe attacks exploiting the software supply chain, in which an apparently low-level or unimportant software component used by other software can be used to inject malicious code into the larger software that depends on the component. [10]

In a more general sense, a supply chain attack need not involve electronics at all. When burglars broke into pharmaceutical giant Eli Lilly's supply warehouse in 2010 by drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck, they could also be said to have carried out a supply chain attack. [11] [12] This article, however, discusses cyber attacks on physical supply networks that rely on technology; in that sense, a supply chain attack is a method used by cyber-criminals. [13]

Attack framework

Generally, supply chain attacks on information systems begin with an advanced persistent threat (APT) [14] that identifies the member of the supply network with the weakest cyber security in order to reach the target organization. [13] Hackers do not usually target a large entity, such as the United States Government, directly, but instead target the software it uses. Third-party software is often less well protected, making it an easier target. [15] According to an investigation by Verizon Enterprise, 92% of the cyber security incidents analyzed in its survey occurred at small firms. [16] Supply chain networks are considered particularly vulnerable because of their many interconnected components. [15]

APTs can often gain access to sensitive information by physically tampering with the production of a product. [17] In October 2008, European law-enforcement officials "uncovered a highly sophisticated credit-card fraud ring" that stole customers' account details using untraceable devices inserted into credit-card readers made in China; the stolen data was used to make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses. [18]

Risks

The threat of a supply chain attack poses a significant risk to modern organizations, and attacks are not limited to the information technology sector; supply chain attacks affect the oil industry, large retailers, the pharmaceutical sector and virtually any industry with a complex supply network. [2] [9]

The Information Security Forum attributes the risk of supply chain attacks to information sharing with suppliers; it states that "sharing information with suppliers is essential for the supply chain to function, yet it also creates risk... information compromised in the supply chain can be just as damaging as that compromised from within the organization". [19]

Muhammad Ali Nasir of the National University of Emerging Sciences associates the above-mentioned risk with the wider trend of globalization, stating: "…due to globalization, decentralization, and outsourcing of supply chains, numbers of exposure points have also increased because of the greater number of entities involved and that too are scattered all around the globe… [a] cyber-attack on [a] supply chain is the most destructive way to damage many linked entities at once due to its ripple effect." [20]

Poorly managed supply chain management systems are significant targets for cyber attacks, which can lead to the loss of sensitive customer information, disruption of the manufacturing process, and damage to a company's reputation. [21]

Examples

Compiler attacks

Wired reported a connecting thread in recent software supply chain attacks, as of 3 May 2019. [22] These are surmised to have spread from infected, pirated copies of popular compilers posted on pirate websites, namely corrupted versions of Apple's Xcode and Microsoft Visual Studio. [23] (In theory, compiling with alternating compilers [24] might detect compiler attacks, when the compiler is the trusted root.)

Target

An image of a Target brick-and-mortar store, where a supply chain attack exposed the financial information of 40 million customers between 27 November and 15 December 2013

At the end of 2013, Target, a US retailer, was hit by one of the largest data breaches in the history of the retail industry. [25]

Between 27 November and 15 December 2013, Target's American brick-and-mortar stores suffered a data breach. Around 40 million customers' credit and debit cards became susceptible to fraud after malware was introduced into the point-of-sale (POS) systems of over 1,800 stores. [25] The breach of Target's customer information had a direct impact on the company's profit, which fell 46 percent in the fourth quarter of 2013. [26]

Six months earlier, the company had begun installing a $1.6 million cyber security system, and Target had a team of security specialists monitoring its computers constantly. Nonetheless, the supply chain attack circumvented these security measures. [27]

It is believed that cyber criminals infiltrated a third-party supplier to gain access to Target's main data network. [28] Although not officially confirmed, [29] investigators suspect that the hackers first broke into Target's network on 15 November 2013 using credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems. [30]

Ninety lawsuits were filed against Target by customers alleging negligence and seeking compensatory damages. Target spent around $61 million responding to the breach, according to its fourth-quarter report to investors. [31]

Stuxnet

Model of the Bushehr Nuclear Power Plant in the Iranian pavilion of EXPO 2010 Shanghai

Stuxnet is a malicious computer worm believed to be an American-Israeli cyber weapon. [32] The worm specifically targets systems that automate electromechanical processes, such as those controlling machinery on factory assembly lines or equipment for separating nuclear material.

The worm is said to have been developed specifically to damage potential uranium enrichment programs of the Government of Iran; Kevin Hogan, Senior Director of Security Response at Symantec, reported that the majority of systems infected by the Stuxnet worm were located in the Islamic Republic of Iran, [33] which has led to speculation that it may have been deliberately targeting "high-value infrastructure" in the country, [34] including either the Bushehr Nuclear Power Plant or the Natanz nuclear power plant. [35]

Stuxnet is typically introduced into the supply network via an infected USB flash drive by persons with physical access to the system. The worm then travels across the network, scanning for software on computers that control a programmable logic controller (PLC). Stuxnet installs an infected rootkit on the PLC, modifying its code and issuing unexpected commands to the PLC while returning a loop of normal-looking operating values as feedback to the users. [36]

ATM malware

In recent years, malware known as Suceful, Plotus, Tyupkin and GreenDispenser has affected automated teller machines globally, especially in Russia and Ukraine. [37] GreenDispenser specifically gives attackers the ability to walk up to an infected ATM and empty its cash vault. When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers with the right access credentials can drain the ATM's cash vault and remove the malware from the system using an untraceable deletion process. [38]

The other types of malware usually behave in a similar fashion, capturing magnetic stripe data from the machine's memory and instructing the machine to dispense cash. These attacks require a person with insider access, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. [39]

The Tyupkin malware, active in March 2014 on more than 50 ATMs at banking institutions in Eastern Europe, is believed to have also spread at the time to the U.S., India, and China. It affects ATMs from major manufacturers running 32-bit Microsoft Windows. The malware displays how much money is available in each machine and allows an attacker to withdraw 40 notes from a selected cassette of each ATM. [40]

NotPetya / M.E.Doc

During the spring of 2017, the core code of the financial package "M.E.Doc", used in Ukraine, was infected with the NotPetya virus and subsequently downloaded by subscribers. The hack was carried out on the provider's system, either by tampering with the code itself at the provider or by re-routing download requests to another server. Press reports at the time make it clear this was a supply chain attack, but the attack vector used is not specified. [41]

NotPetya is classified as a ransomware attack because it encrypted the hard drives of affected computers and then demanded bitcoin payments to retrieve the files. [42] The attack affected numerous industries across Ukraine, including banks, an airport, and Chernobyl radiation detection systems. The malware also affected over 2000 companies in multiple countries, including Russia, India, and the United States. [43]

The spread of NotPetya was facilitated by the same exploit method as the United States National Security Agency's EternalBlue exploit, which was also used in the WannaCry cyberattack in May 2017. This method let NotPetya propagate through Windows Server Message Block (SMB). The malware also abused Microsoft's PsExec tool and Windows Management Instrumentation (WMI). Because of this, once the malware infected one device on a network, it could spread easily and rapidly to any other device on the same network. [43]

Police said that M.E.Doc could ultimately be held criminally responsible for its negligence in responding to repeated messages about the status of its cybersecurity infrastructure. [44]

British Airways

From 21 August until 5 September 2018, British Airways was under attack. The payment section of the British Airways website contained code that harvested customer payment data. The injected code was written specifically to send credit card information to the domain baways.com, which could mistakenly be taken to belong to British Airways. [45]

Magecart is believed to be behind the attack. Magecart is a name given to multiple hacker groups that use skimming techniques to steal customer information from online payment processes. [46] Approximately 380,000 customers had their personal and financial data compromised as a result of the attack. In October 2018, British Airways reported that an additional 185,000 customers may also have had their personal information stolen. [47]
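The British Airways incident above is a case of a modified script on a payment page. As an added example (not code from the article or from any of the companies it names), the following Python script shows the kind of integrity check a site operator can run against the scripts a checkout page actually serves: each script's SHA-256 hash is compared with a manifest pinned at approval time, and the same hash is formatted as the Subresource Integrity value a `<script integrity="...">` attribute carries. The script names, contents, manifest and the tampered copy are all constructed for the illustration.

```python
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes) -> str:
    """Subresource Integrity attribute value for a script body (base64 of the raw digest)."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()


# Constructed sample scripts: what the operator reviewed and approved for the
# checkout page. Names and contents are hypothetical.
KNOWN_GOOD_SCRIPTS = {
    "checkout.js": b"document.forms.pay.addEventListener('submit', submitToOwnBackend);",
    "analytics.js": b"window.track = function (e) { /* vendor analytics */ };",
}

# The pinned manifest: script name -> expected SHA-256, recorded at approval time
# and stored somewhere the web tier itself cannot overwrite.
PINNED_MANIFEST = {name: sha256_hex(body) for name, body in KNOWN_GOOD_SCRIPTS.items()}


def verify_scripts(served: dict, manifest: dict) -> dict:
    """Compare the scripts actually served against the pinned manifest.

    Returns one verdict per script: 'ok', 'modified', 'missing' (approved but not
    served) or 'unexpected' (served but never approved)."""
    verdicts = {}
    for name, expected in manifest.items():
        if name not in served:
            verdicts[name] = "missing"
        elif sha256_hex(served[name]) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    for name in served:
        if name not in manifest:
            verdicts[name] = "unexpected"
    return verdicts


# Constructed scenario: the served checkout script has extra bytes appended by a
# skimmer, so its hash no longer matches the manifest.
TAMPERED_SCRIPTS = dict(KNOWN_GOOD_SCRIPTS)
TAMPERED_SCRIPTS["checkout.js"] += b" sendFormTo('https://lookalike.invalid');"

if __name__ == "__main__":
    for name, verdict in sorted(verify_scripts(TAMPERED_SCRIPTS, PINNED_MANIFEST).items()):
        print(f"{name}: {verdict}")
    print("checkout.js integrity=", sri_value(KNOWN_GOOD_SCRIPTS["checkout.js"]))
```

A check like this only helps if the manifest lives outside the compromised web tier (for example in the deployment pipeline or a monitoring host that fetches the live page), and the browser-side SRI attribute is the complementary control: it makes the browser itself refuse a script whose hash no longer matches.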

SolarWinds

The 2020 global supply chain cyberattack is believed to have resulted from a supply chain attack targeting the IT infrastructure company SolarWinds, which counts many federal institutions among its clients, [48] [49] including the business computers of the National Nuclear Security Administration (NNSA). [50] Russian hackers targeted a piece of SolarWinds software called Orion, which several government agencies used to monitor their IT performance. [51] A joint statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) said that the SolarWinds attack affected about ten government agencies. [52]

The Department of Homeland Security issued Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise", which calls for disconnecting any affected Windows host from its enterprise domain and rebuilding those hosts from trusted sources. [53] The affected Windows operating system (OS) hosts were those monitored by the SolarWinds Orion monitoring software. [53] DOE's NNSA has since disconnected the breached Windows hosts. [54]

In addition to the U.S. federal government, 18,000 of the 33,000 SolarWinds customers who use the Orion software update platform are vulnerable. Orion was compromised in March and June 2020, before the breach was detected by FireEye in December 2020. Microsoft, for example, was itself a victim of the update software breach. [55] [56] Microsoft is working with FireEye to contain the ongoing cyber attack, carried in supply chain software used by what FireEye describes as "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East". [55]

Volexity, a cybersecurity firm, reconstructed the attack sequence on an unnamed US think tank: first, the attacker exploited a remote code execution vulnerability in an on-premises Microsoft Exchange server; [57] after that vulnerability was remedied, the attacker exploited security holes in the SolarWinds Orion platform, which were exposed in December 2020; third, the think tank's Duo two-factor authentication proxy server was exploited to breach the think tank's infrastructure yet again. [57] [58] Based on Volexity's reconstruction, Breaking Defense published a simplified kill chain explaining the Exchange Server attack on an estimated 30,000 customers worldwide. [59] [60] In July 2021, SolarWinds announced it had been attacked yet again. [61]

Microsoft Exchange Server

In February 2021 Microsoft determined that the attackers had downloaded a few files "(subsets of service, security, identity)" apiece from [62]

None of the Microsoft repositories contained production credentials. [62] The repositories were secured in December, and those attacks ceased in January. [62] However, in March 2021 more than 20,000 US organizations were compromised through a back door installed via flaws in Exchange Server. [63] The affected organizations, such as credit unions, town governments, and small businesses, use self-hosted (on-site rather than cloud-based) e-mail. The flaws were patched on 2 March 2021, but by 5 March 2021 only 10% of the compromised organizations had applied the patch, so the back door remains open. [64] US officials are attempting to notify the affected organizations, which are smaller than those affected in December 2020. [65]

Microsoft has updated its Indicators of Compromise tool and released emergency mitigation measures for its Exchange Server flaws. [59] As of March 2021, the attacks on SolarWinds and Microsoft software are thought to be independent. [59] The Indicators of Compromise tool allows customers to scan their Exchange Server log files for signs of compromise. [59] [66] [67] At least 10 attacking groups are using the Exchange Server flaws. [68] [69] [1] Web shells can remain on a patched server, which still allows cyberattacks from the affected servers. [70] As of 12 March 2021, exploit attempts were doubling every few hours, according to Check Point Research, [71] some of them in the name of security researchers themselves. [72]

By 14 April 2021 the FBI had completed a covert cyber operation to remove the web shells from afflicted servers and was informing the servers' owners of what had been done. [73]

In May 2021, Microsoft identified 3,000 malicious emails sent to 150 organizations in 24 countries by a group that Microsoft calls 'Nobelium'. Many of those emails were blocked before delivery. 'Nobelium' gained access to a Constant Contact "email marketing account used by the US Agency for International Development (USAID)". [74] Security researchers say that 'Nobelium' crafts spear-phishing emails whose links, when clicked by unsuspecting users, install malicious 'Nobelium' code that infects the users' systems, exposing them to ransom, espionage, disinformation, and so on. [75] The US government has identified 'Nobelium' as stemming from Russia's Federal Security Service. [76] By July 2021 the US government was expected to name the initiator of the Exchange Server attacks: [77] "China's Ministry of State Security has been using criminal contract hackers". [78] [79]

In September 2021, Securities and Exchange Commission (SEC) enforcement staff requested that any companies that had downloaded compromised SolarWinds updates voluntarily turn over data to the SEC if they had installed those updates on their servers. [80]

In July 2022, SessionManager, a malicious module hosted by IIS (which is installed by default on Exchange Servers), was discovered to have been infecting Exchange Servers since March 2021; SessionManager searches memory for passwords and downloads new modules in order to hijack the server. [81]

Golden SAML

Mandiant, a security firm, has shown that nation-state-sponsored groups, once they have gained access to corporate clouds, can exploit the Security Assertion Markup Language (SAML) to obtain federated authentication to Active Directory and similar services at will. [a] Once attackers have this access, they can reach any information or assets belonging to the organization, because the technique allows them to pose as any member of the targeted organization. [83] These attacks are becoming increasingly attractive to malicious actors as companies and agencies continue to move assets to cloud services. [84]
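To make the Golden SAML problem above concrete, here is an added Python model (not from the article, from Mandiant, or from any vendor) of the relying party's signature check. A SAML assertion is simplified to a JSON body and the XML-DSig signature to an HMAC over it with the identity provider's token-signing key; the class and function names are hypothetical, and the key material and assertion IDs are generated at run time. It shows three things a defender cares about: a signature check alone cannot distinguish an assertion signed with a copied key from a legitimate one, retiring the old key during rotation makes such assertions fail, and an assertion the service provider accepted but the IdP never logged issuing is a detectable anomaly.

```python
import hashlib
import hmac
import json
import secrets


class IdentityProvider:
    """Hypothetical IdP: holds the token-signing key and logs every assertion it issues."""

    def __init__(self):
        self.key_id = "key-1"
        self._keys = {self.key_id: secrets.token_bytes(32)}
        self.issued_ids = set()  # audit log of assertion IDs the IdP really issued

    def export_signing_key(self):
        # Models the key material an intruder with IdP server access copies.
        return self.key_id, self._keys[self.key_id]

    def rotate_key(self):
        # Retire the old key entirely: anything signed with it stops verifying.
        old = self.key_id
        self.key_id = "key-%d" % (int(old.split("-")[1]) + 1)
        self._keys[self.key_id] = secrets.token_bytes(32)
        del self._keys[old]

    def trusted_keys(self):
        # What the relying party (service provider) is configured to trust right now.
        return dict(self._keys)

    def issue(self, subject, audience):
        assertion_id = "_" + secrets.token_hex(8)
        self.issued_ids.add(assertion_id)
        body = {"id": assertion_id, "sub": subject, "aud": audience, "kid": self.key_id}
        return sign_assertion(body, self._keys[self.key_id])


def sign_assertion(body, key):
    """Stand-in for XML-DSig: HMAC-SHA256 over the canonicalised body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_assertion(assertion, trusted_keys, audience):
    """Service-provider check: signed by a currently trusted key, for the right audience."""
    body = json.loads(assertion["payload"])
    key = trusted_keys.get(body.get("kid"))
    if key is None:
        return False, "unknown or retired signing key"
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected):
        return False, "bad signature"
    if body.get("aud") != audience:
        return False, "wrong audience"
    return True, body["sub"]


def unissued_assertions(consumed, issued_ids):
    """Detection: assertion IDs the service provider accepted that the IdP never logged issuing."""
    ids = [json.loads(a["payload"])["id"] for a in consumed]
    return [i for i in ids if i not in issued_ids]


def demo():
    idp = IdentityProvider()
    sp = "https://mail.example.invalid"  # hypothetical service provider
    legitimate = idp.issue("alice", sp)

    # Whoever holds the exported key can sign an assertion for any subject; the
    # signature check on its own cannot tell it apart from a real one.
    kid, copied_key = idp.export_signing_key()
    forged_body = {"id": "_" + secrets.token_hex(8), "sub": "admin", "aud": sp, "kid": kid}
    forged = sign_assertion(forged_body, copied_key)

    before = (verify_assertion(legitimate, idp.trusted_keys(), sp)[0],
              verify_assertion(forged, idp.trusted_keys(), sp)[0])
    # Correlating the SP's accepted assertions with the IdP's issuance log exposes the forgery.
    anomalies = unissued_assertions([legitimate, forged], idp.issued_ids)
    # Rotating (and retiring) the token-signing key invalidates the forged assertion.
    idp.rotate_key()
    after = verify_assertion(forged, idp.trusted_keys(), sp)[0]
    return before, len(anomalies), after


if __name__ == "__main__":
    print(demo())  # (True, True), 1, False
```

The two defensive points carry over to real deployments: rotation only helps if the old certificate is removed from the relying party's trust list, and detection depends on having an issuance record (IdP audit log) to reconcile against the service provider's sign-in events.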

In 2020, SolarWinds was subject to what is described as the first documented Golden SAML attack, often referred to as "Solorigate". A malicious actor infected the source code of a software update with backdoor code made to look legitimate. [85] Customers began installing the tainted update on their systems, ultimately affecting over 18,000 individuals globally. [83] The attack affected a number of United States government agencies as well as private sector organizations. [84]

Ransomware attacks

In May 2021, a ransomware attack on the Colonial Pipeline exposed the vulnerability of the US's gasoline supply on the East Coast. [86] [87] [88] [89] [90] On 16 June 2021, President Biden warned President Putin that 16 types of infrastructure were to be off-limits to cyberattack, or else Russia would suffer in kind. [91] A combined supply-chain and ransomware attack surfaced on 2 July 2021 at thousands of companies [91] in 17 countries. [92] The REvil ransomware code is written to avoid hitting sites that use Russian. [93] The REvil site is now offline, according to The New York Times. [61]

3CX attack

In March 2023, the voice and video chat app 3CX Phone System was thought to have been subject to a supply chain attack after malicious activity was detected in the software. The app is used in a wide variety of industries, from food to automotive, and an attack has the potential to affect hundreds of thousands of users worldwide. [94] The malware infects the host device through the installation process, acting as a Trojan horse spread through both macOS and Microsoft Windows installers. The attackers employed an infostealer delivered through a malicious payload that connected to a C2 server controlled by the threat actor. [95]

The attack utilized the Gopuram backdoor, originally discovered by the Russian cybersecurity company Kaspersky in 2020. The use of this backdoor suggested that the attack was carried out by the North Korean cybercrime group known as Lazarus, which used the same backdoor in a 2020 attack against a South Asian cryptocurrency company. [95] The Gopuram backdoor has been used in other past attacks against cryptocurrency businesses, which Lazarus has been known to target. [94]

United States Department of State attack

In July 2023, Chinese state-sponsored hackers targeted the United States Department of State, hacking several government employees' Microsoft email accounts, which gave them access to classified information. They stole information from about 60,000 emails from several Department of State employees. [96] Department of State officials have stated that the information stolen includes “victims’ travel itineraries and diplomatic deliberations”. [97] If used in a malicious manner, this information could be used to monitor important government officials and track United States communications that are meant to be confidential. The Department of State hack occurred due to vulnerabilities in Microsoft Exchange Server, classifying it as a supply-chain attack. [96]

XZ Utils backdoor

In March 2024, a backdoor in xz/liblzma in XZ Utils was suspected, [98] with malicious code known to be in versions 5.6.0 and 5.6.1. Although the backdoor remained dormant unless a specific third-party patch of the SSH server was in use, under the right circumstances it could enable a malicious actor to break sshd authentication and gain unauthorized remote access to the entire system. [99]

The list of affected Linux distributions includes Debian unstable, [100] Fedora Rawhide, [101] Kali Linux, [102] and openSUSE Tumbleweed. [103] Most Linux distributions that follow a stable release model were not affected, since they were carrying older versions of xz. [104] Arch Linux issued an advisory urging users to update immediately, while noting that Arch's OpenSSH package does not include the common third-party patch the backdoor requires. [105] FreeBSD is not affected, as all supported FreeBSD releases ship versions of xz that predate the affected releases, and the attack targets Linux's glibc. [106]
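As an added example (not from the article or from any distribution's advisory), this Python script automates the two checks the two paragraphs above imply for a single host: whether the installed xz/liblzma is one of the affected versions, and whether the running sshd actually links liblzma, which is the precondition the third-party distribution patch introduces. The sample `xz --version` and `ldd` outputs are constructed, and the function names are hypothetical; when run as a script it also executes the real `xz --version` and `ldd` on the local machine.

```python
import re
import shutil
import subprocess

# Versions the text above names as carrying the malicious code.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}


def parse_xz_version(output: str):
    """Extract the library version from `xz --version` output (liblzma line preferred)."""
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", output, re.MULTILINE)
    if m is None:
        m = re.search(r"xz \(XZ Utils\)\s+(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if the sshd binary's dynamic dependencies (ldd output) include liblzma."""
    return any("liblzma.so" in line for line in ldd_output.splitlines())


def assess(xz_version_output: str, ldd_output: str) -> str:
    """Combine both checks into one verdict string."""
    version = parse_xz_version(xz_version_output)
    if version is None:
        return "unknown"
    if version not in AFFECTED_XZ_VERSIONS:
        return "not affected: xz %s" % version
    if sshd_links_liblzma(ldd_output):
        return "affected: xz %s and sshd links liblzma" % version
    return "affected package present, but sshd does not link liblzma: xz %s" % version


# Constructed sample command outputs used for the demonstration.
SAMPLE_AFFECTED_XZ = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_SAFE_XZ = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_LDD_WITH_LZMA = (
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)\n"
)
SAMPLE_LDD_WITHOUT_LZMA = "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02)\n"


def _run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def assess_local_host() -> str:
    """Run the real commands on this machine; 'unknown' if xz is absent."""
    xz_out = _run(["xz", "--version"]) if shutil.which("xz") else ""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    ldd_out = _run(["ldd", sshd]) if shutil.which("ldd") else ""
    return assess(xz_out, ldd_out)


if __name__ == "__main__":
    print("sample affected host:", assess(SAMPLE_AFFECTED_XZ, SAMPLE_LDD_WITH_LZMA))
    print("sample safe host:    ", assess(SAMPLE_SAFE_XZ, SAMPLE_LDD_WITH_LZMA))
    print("this host:           ", assess_local_host())
```

The version test on its own is the package-level view the distribution advisories give; the `ldd` test is what decides whether the sshd on a given host could actually have been reached by the backdoor, which is why Arch's advisory could recommend updating while noting its OpenSSH was not exposed.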

Prevention

On 12 May 2021, Executive Order 14028 (the EO), Improving the Nation's Cybersecurity, tasked NIST and other US government agencies with enhancing the cybersecurity of the United States. [107] On 11 July 2021 (day 60 of the EO timeline), NIST, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), delivered '4i', guidance for users of critical software, and '4r', minimum vendor testing of the security and integrity of the software supply chain. [107]

Government

The Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review, passed by the Bush and Obama administrations respectively, direct U.S. federal funding toward multi-pronged approaches to global supply chain risk management. [110] [111] According to Adrian Davis of the Technology Innovation Management Review, securing organizations from supply chain attacks begins with building cyber-resilient systems. [112] Supply chain resilience is, according to supply chain risk management expert Donal Walters, "the ability of the supply chain to cope with unexpected disturbances", and one of its characteristics is company-wide recognition of where the supply chain is most susceptible to infiltration. Supply chain management plays a crucial role in creating effective supply chain resilience. [113]

In March 2015, under the Conservative and Liberal Democrat coalition government, the UK Department for Business outlined new efforts to protect SMEs from cyber attacks, including measures to improve supply chain resilience. [114]

The UK government has produced the Cyber Essentials Scheme, which trains firms in good practices for protecting their supply chain and overall cyber security. [115] [116]

Financial institutions

The Depository Trust and Clearing Group, an American post-trade company, has implemented governance for vulnerability management throughout its supply chain and examines IT security along the entire development lifecycle, including where software was coded and hardware manufactured. [117]

In a 2014 PwC report, titled "Threat Smart: Building a Cyber Resilient Financial Institution", the financial services firm recommends the following approach to mitigating a cyber attack:

"To avoid potential damage to a financial institution's bottom line, reputation, brand, and intellectual property, the executive team needs to take ownership of cyber risk. Specifically, they should collaborate up front to understand how the institution will defend against and respond to cyber risks, and what it will take to make their organization cyber resilient." [118]

Cyber security firms

FireEye, a US network security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats such as advanced persistent threats and spear phishing, [119] recommends that firms have certain principles in place to create resilience in their supply chain, which include having: [120]

On 27 April 2015, Sergey Lozhkin, a Senior Security Researcher with GReAT at Kaspersky Lab, spoke about the importance of managing risk from targeted attacks and cyber-espionage campaigns. During a conference on cyber security, he stated:

"Mitigation strategies for advanced threats should include security policies and education, network security, comprehensive system administration and specialized security solutions, like... software patching features, application control, whitelisting and a default deny mode." [122]

See also

Notes

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provides security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor has zero days to prepare a patch as the vulnerability has already been described or exploited.

SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offices in a number of locations in the United States and several other countries. The company was publicly traded from May 2009 until the end of 2015, and again from October 2018. It has also acquired a number of other companies, some of which it still operates under their original names, including Pingdom, Papertrail, and Loggly. It had about 300,000 customers as of December 2020, including nearly all Fortune 500 companies and numerous agencies of the US federal government.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

<span class="mw-page-title-main">Mimecast</span> Information technology company

Mimecast Limited is an American–British, Jersey-domiciled company specializing in cloud-based email management for Google Workspace, Microsoft Exchange and Microsoft Office 365, including security, archiving, and continuity services to protect business mail.

A cyberattack occurs when there is an unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.

Cozy Bear is a Russian advanced persistent threat hacker group believed to be associated with Russian foreign intelligence by United States intelligence agencies and those of allied countries. Dutch signals intelligence (AIVD) and American intelligence had been monitoring the group since 2014 and was able to link the hacker group to the Russian foreign intelligence agency (SVR) after compromising security cameras in their office. CrowdStrike and Estonian intelligence reported a tentative link to the Russian domestic/foreign intelligence agency (FSB). Various groups designate it CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452 with a tentative connection to Russian hacker group YTTRIUM. Symantec reported that Cozy Bear had been compromising diplomatic organizations and national governments since at least 2010. Der Spiegel published documents in 2023 purporting to link Russian IT firm NTC Vulkan to Cozy Bear operations.

The Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Deception technology is a category of cyber security defense mechanisms that provide early warning of potential cyber security attacks and alert organizations of unauthorized activity. Deception technology products can detect, analyze, and defend against zero-day and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology seeks to deceive an attacker, detect them, and then defeat them.

A medical device hijack is a type of cyber attack. The weaknesses it targets are the medical devices of a hospital. This was covered extensively in the press in 2015 and 2016.

2017 Ukraine ransomware attacks: a series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.

2020 United States federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

Emsisoft Ltd. is a New Zealand-based, distributed anti-virus software company. It is notable for decrypting ransomware attacks to restore data.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Hafnium is a cyber espionage group, sometimes known as an advanced persistent threat, with alleged ties to the Chinese government. Hafnium is closely connected to APT40.

References

  1. Kotolov, Maria (4 February 2021). "Supply chain attacks show why you should be wary of third-party providers".
  2. "Next Generation Cyber Attacks Target Oil And Gas SCADA | Pipeline & Gas Journal". www.pipelineandgasjournal.com. Archived from the original on 9 February 2015. Retrieved 27 October 2015.
  3. "Supply chain attacks". docs.microsoft.com. Retrieved 10 April 2022.
  4. "New malware hits ATM and electronic ticketing machines". SC Magazine UK. Retrieved 29 October 2015.
  5. "2019 Internet Security Threat Report Executive Summary". Broadcom. Retrieved 23 November 2021.
  6. "Supply Chain Definition | Investopedia". Investopedia. Retrieved 4 November 2015.
  7. "Supply chain, cyber security and geo-political issues pose the greatest risks, as risk goes up in importance and profile say risk managers at Sword Active Risk conference" (28 July 2015). M2 Presswire. Retrieved 4 November 2015.
  8. Napolitano, J. (6 January 2011). "How to secure the global supply chain". Wall Street Journal. Retrieved 4 November 2015.
  9. Kuchler, Hannah (28 May 2014). "Cyber attackers 'target healthcare and pharma companies'". Financial Times. ISSN 0307-1766. Retrieved 27 October 2015.
  10. Goodin, Dan (24 June 2024). "Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack". Ars Technica. Retrieved 25 June 2024.
  11. "Drug theft goes big". Fortune. Retrieved 4 November 2015.
  12. "Solving the Eli Lilly Drug Theft". www.securitymagazine.com. Retrieved 4 November 2015.
  13. CERT-UK (2015). "Cyber-security risks in the supply chain" (PDF). Archived from the original (PDF) on 18 February 2015. Retrieved 27 October 2015.
  14. Williams, Brad D. (1 July 2021). "US-UK Warn Of New Worldwide Russian Cyberespionage". Context for some threat naming schemas: APT, GRU, Fancy Bear, SVR, etc.
  15. "Software Supply Chain Attacks, a Threat to Global Cybersecurity: SolarWinds' Case Study | IIETA". www.iieta.org. doi:10.18280/ijsse.110505. Retrieved 2 December 2024.
  16. "2014 Data Breach Investigations Report" (PDF). Verizon Enterprise. 2014. Retrieved 27 October 2015.
  17. Modine, Austin (10 October 2008). "Organized crime tampers with European card swipe devices". The Register. Retrieved 27 October 2015.
  18. Gorman, Siobhan. "Fraud Ring Funnels Data From Cards to Pakistan". Wall Street Journal. ISSN 0099-9660. Retrieved 27 October 2015.
  19. "Security Form" (PDF).
  20. Nasir, Muhammad Ali (June 2015). "Potential cyber-attacks against global oil supply chain". 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA). pp. 1–7. CiteSeerX 10.1.1.695.1707. doi:10.1109/CyberSA.2015.7166137. ISBN 978-0-9932-3380-7. S2CID 18999955.
  21. Urciuoli, Luca (April 2015). "Cyber-Resilience: A Strategic Approach for Supply Chain Management". Talent First Network. ProQuest 1676101578.
  22. Greenberg, Andy (3 May 2019). "A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree". Wired. ISSN 1059-1028. Retrieved 16 July 2019.
  23. Cox, Joseph (18 September 2015). "Hack Brief: Malware Sneaks Into the Chinese iOS App Store". Wired. ISSN 1059-1028. Retrieved 16 July 2019.
  24. "Fully Countering Trusting Trust through Diverse Double-Compiling". dwheeler.com. Retrieved 16 July 2019.
  25. "Target data breach: Why UK business needs to pay attention". ComputerWeekly. Retrieved 27 October 2015.
  26. Harris, Elizabeth A. (26 February 2014). "Data Breach Hurts Profit at Target". The New York Times. ISSN 0362-4331. Retrieved 27 October 2015.
  27. "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com. 17 March 2014. Retrieved 30 October 2015.
  28. Kuchler, Hannah (20 October 2014). "Hackers find suppliers are an easy way to target companies". Financial Times. ISSN 0307-1766. Retrieved 27 October 2015.
  29. "Archived copy" (PDF). Archived from the original (PDF) on 6 November 2015. Retrieved 27 October 2015.
  30. "Target Hackers Broke in Via HVAC Company". Krebs on Security (krebsonsecurity.com). 9 February 2014. Retrieved 27 October 2015.
  31. Parks, Miles (19 March 2015). "Target Offers $10 Million Settlement In Data Breach Lawsuit". NPR.org. Retrieved 30 October 2015.
  32. "Confirmed: US and Israel created Stuxnet, lost control of it". Ars Technica. June 2012. Retrieved 27 October 2015.
  33. "Iran was prime target of SCADA worm". Computerworld. 23 July 2010. Archived from the original on 27 July 2010. Retrieved 27 October 2015.
  34. Fildes, Jonathan (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 27 October 2015.
  35. Fildes, Jonathan (23 September 2010). "Stuxnet worm 'targeted high-value Iranian assets'". BBC News. Retrieved 23 September 2010.
  36. "A Declaration of Cyber-War". Vanity Fair. April 2011.
  37. "Tyupkin Virus (Malware) | ATM Machine Security | Virus Definition". www.kaspersky.com. Retrieved 4 November 2015.
  38. "Meet GreenDispenser: A New Breed of ATM Malware | Proofpoint". www.proofpoint.com. 22 September 2015. Retrieved 30 October 2015.
  39. "New ATM Malware Captures PINs and Cash (Updated)". Wired. Retrieved 30 October 2015.
  40. "Tyupkin: manipulating ATM machines with malware". Securelist (securelist.com). 7 October 2014. Retrieved 19 May 2020.
  41. Polityuk; Stubbs, Jack (3 July 2017). "Family firm in Ukraine says it was not responsible for cyber attack". reuters.com. Retrieved 1 June 2019.
  42. "NotPetya (2017)". International cyber law: interactive toolkit. 14 November 2022. Retrieved 2 May 2023.
  43. Brewster, Thomas. "Petya Or NotPetya: Why The Latest Ransomware Is Deadlier Than WannaCry". Forbes. Retrieved 2 May 2023.
  44. "Ukrainian software company will face charges over cyber attack, police suggest". ABC News. 3 July 2017. Retrieved 2 May 2023.
  45. "Customer data theft". britishairways.com. Retrieved 1 June 2019.
  46. "What Is Magecart | Attack Examples & Prevention Techniques | Imperva". Learning Center. Retrieved 2 May 2023.
  47. Kolesnikov, Oleg; Harshvardhan, Parashar (6 November 2018). "Securonix Threat Research: British Airways Breach: Magecart Formgrabbing Supply Chain Attack Detection" (PDF). Securonix.com. Retrieved 2 May 2023.
  48. Zhao, Christina (14 December 2020). "Solar Winds, Probably Hacked by Russia, Serves White House, Pentagon, NASA". Newsweek. Retrieved 14 December 2020.
  49. Sanger, David E.; Perlroth, Nicole; Schmitt, Eric (15 December 2020). "Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit". The New York Times.
  50. Johnson, Kevin; Snider, Mike (18 December 2020). "Russian cyber attack against US: Worst may be yet to come, experts fear, as Trump remains mum". USA Today.
  51. Alkhadra, Rahaf; Abuzaid, Joud; AlShammari, Mariam; Mohammad, Nazeeruddin (6 July 2021). "Solar Winds Hack: In-Depth Analysis and Countermeasures". 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT). IEEE. pp. 1–7. doi:10.1109/ICCCNT51525.2021.9579611. ISBN 978-1-7281-8595-8.
  52. "Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) | CISA". www.cisa.gov. 5 January 2021. Retrieved 2 December 2024.
  53. Department of Homeland Security (13 December 2020). Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise".
  54. "Massive cyberattack grows beyond US, heightening fears". AFP. 18 December 2020. Retrieved 2 May 2023 via France 24.
  55. Marquardt, Alex; Fung, Brian; Cohen, Zachary (17 December 2020). "Microsoft identifies more than 40 organizations targeted in massive cyber breach". CNN.
  56. Sottek, T.C. (31 December 2020). "Microsoft says hackers were able to see some of its source code".
  57. Ilascu, Ionut (17 December 2020). "Nation-state hackers breached US think tank thrice in a row".
  58. Trantas, Michael (December 2016). "Vulnerability in Duo's Authentication Proxy Server Software".
  59. Williams, Brad D. (6 March 2021). "Microsoft Pushes Urgent Fixes Overnight As Threat Actors Compromise Exchange Servers Worldwide".
  60. Williams, Brad D. (29 March 2021). "SolarWinds: 'The Truth Is Much More Complicated'". Follow-on damage to US government by Russian op.
  61. Sanger, David E. (14 July 2021). "Ransomware group goes offline. The culprit is not yet clear." The New York Times. p. A6.
  62. Goodin, Dan (18 February 2019). "Post-mortem: Microsoft says SolarWinds hackers stole source code for 3 products". Ars Technica.
  63. Barrett, Brian (6 March 2021). "China's and Russia's spying spree will take years to unpack".
  64. The Exchange Team, Microsoft (8 March 2021). "March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server". 3/10/2021 released updates for E2019 CU3; E2016 CU12, 13 and 17; E2013 CU21 and 22. 3/8/2021 released updates for E2019 CU4, 5 and 6; E2016 CU14, 15 and 16.
  65. Menn, Joseph; Satter, Raphael; Hunnicutt, Trevor (5 March 2021). "More than 20,000 U.S. organizations compromised through Microsoft flaw".
  66. Newman, Lily Hay (10 March 2021). "It's Open Season for Microsoft Exchange Server Hacks".
  67. (9 March 2021). "I can't believe I have to say this (again) ...".
  68. Reuters (March 2021). "At least 10 hacking groups using Microsoft software flaw -researchers".
  69. Akhar, Allana (12 March 2021). "Google accused Microsoft of unfairly attacking the tech giant to distract from the massive Exchange hack". Rival distractions.
  70. Goodin, Dan (23 March 2021). "Ransomware operators are piling on already hacked Exchange servers".
  71. Osborne, Charlie (12 March 2021). "Microsoft Exchange Server hacks 'doubling' every two hours".
  72. Shadowserver (28 March 2021). "Attackers Breach 21,000 Microsoft Exchange Servers, Install Malware Implicating Brian Krebs" (krebsonsecurity.com). Malicious code spoofing Krebs.
  73. Williams, Brad D. (13 April 2021). "Revealed: Secret FBI Cyber Op To Clean Exchange Servers".
  74. Disis, Jill; Mahmood, Zahid (28 May 2021). "Microsoft says SolarWinds hackers have struck again at the US and other countries".
  75. Newman, Lily Hay (30 May 2021). "The SolarWinds hackers aren't back, they never went away".
  76. Goodin, Dan (26 June 2021). "SolarWinds hackers breach new victims, including a Microsoft support agent".
  77. Williams, Brad D. (2 July 2021). "China Likely Outed Soon For Exchange Hacks".
  78. Tucker, Eric (19 July 2021). "Microsoft Exchange email hack was caused by China, US says".
  79. Williams, Brad D. (22 July 2021). "US Playing Long Game To Pressure China On Cyber Ops: Experts".
  80. Bing, Christopher; Prentice, Chris; Menn, Joseph (10 September 2021). "Wide-Ranging SolarWinds Probe Sparks Fear in Corporate America". Reuters.com.
  81. Goodin, Dan (30 June 2022). "Microsoft Exchange servers worldwide hit by stealthy new backdoor".
  82. Goodin, Dan (6 December 2021). "SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks".
  83. "Golden SAML Revisited: The Solorigate Connection". www.cyberark.com. Retrieved 2 May 2023.
  84. "Detection And Hunting Of Golden SAML Attack". blog.sygnia.co. 21 July 2021. Retrieved 2 May 2023.
  85. Goud, Naveen (7 January 2021). "What is Solorigate". Cybersecurity Insiders. Retrieved 2 May 2023.
  86. Reuters (8 May 2021). "Cyber attack shuts down top U.S. fuel pipeline network".
  87. BBC (10 May 2021). "US Scrambles to Keep Fuel Flowing After Pipeline Cyberattack. Russian Cybercriminals Suspected".
  88. Volz, Dustin (10 May 2021). "U.S. Blames Criminal Group in Colonial Pipeline Hack". Darkside.
  89. Associated Press (10 May 2021). "US invokes emergency powers after cyberattack shuts crucial fuel pipeline".
  90. Williams, Brad D. (27 May 2021). "DHS Cyber Order Signals Shift To 'Mandatory Measures'".
  91. Turton, William (3 July 2021). "Massive Ransomware Attack May Impact Thousands of Victims".
  92. AP (5 July 2021). "World's Single-Biggest Ransomware Attack Hit 'Thousands' in 17 Countries".
  93. NBC News (7 July 2021). "Code In Huge Ransomware Attack Written To Avoid Computers That Use Russian, Says New Report". REvil. Darkside is the ransomware attacker of Colonial Pipeline.
  94. Paganini, Pierluigi (4 April 2023). "3CX Supply chain attack allowed targeting cryptocurrency companies". Security Affairs. Retrieved 2 May 2023.
  95. "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack". securelist.com. 3 April 2023. Retrieved 2 May 2023.
  96. Lyngaas, Sean (28 September 2023). "Chinese hackers stole 60,000 emails from senior State Department officials in May | CNN Politics". CNN. Retrieved 2 December 2024.
  97. "Chinese hackers nab 60,000 emails in State Department breach". Politico. 27 September 2023. Retrieved 2 December 2024.
  98. Freund, Andres (29 March 2024). "backdoor in upstream xz/liblzma leading to ssh server compromise". oss-security mailing list.
  99. "Urgent security alert for Fedora 41 and Rawhide users". www.redhat.com. Retrieved 29 March 2024.
  100. "CVE-2024-3094". security-tracker.debian.org. Retrieved 30 March 2024.
  101. "Urgent security alert for Fedora 41 and Fedora Rawhide users". www.redhat.com. Retrieved 30 March 2024.
  102. "All about the xz-utils backdoor | Kali Linux Blog". Kali Linux. 29 March 2024. Retrieved 30 March 2024.
  103. "openSUSE addresses supply chain attack against xz compression library". openSUSE News. 29 March 2024. Retrieved 30 March 2024.
  104. James, Sam. "xz-utils backdoor situation". Gist.
  105. "Arch Linux - News: The xz package has been backdoored". archlinux.org. Retrieved 30 March 2024.
  106. "Disclosed backdoor in xz releases - FreeBSD not affected". Retrieved 30 March 2024.
  107. (11 July 2021). "NIST Delivers Two Key Publications to Enhance Software Supply Chain Security Called for by Executive Order".
  108. NIST (2–3 June 2021). "Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security". 1400 participants, 150 position papers.
  109. NIST (25 June 2021). "Definition of Critical Software Under Executive Order (EO) 14028". Another NIST source: "Executive Order 14028, Improving the Nation's Cybersecurity", task 4g (26 June 2021), Critical Software Definition.
  110. "Cyberspace Policy Review" (PDF). Whitehouse.gov. Archived from the original (PDF) on 30 May 2009. Retrieved 29 October 2015.
  111. "The Comprehensive National Cybersecurity Initiative". The White House. Retrieved 29 October 2015.
  112. Davis, A. (2015). "Building cyber-resilience into supply chains". Technology Innovation Management Review, 5(4), 19–27. Retrieved 29 October 2015.
  113. Waters, D. (2011). Supply Chain Risk Management (2nd ed.). London: Kogan Page. Accessed 29 October 2015.
  114. "Cyber security insurance: new steps to make UK world center - Press releases - GOV.UK". www.gov.uk. Retrieved 30 October 2015.
  115. "Cyber Essentials - OFFICIAL SITE". www.cyberstreetwise.com. Retrieved 30 October 2015.
  116. "Supply Chain Attacks: 6 Steps to protect your software supply chain". GitGuardian. 5 November 2021. Retrieved 5 September 2023.
  117. Hoover, J. N. (2009). "Secure the cyber supply chain". InformationWeek, (1247), 45–46, 48, 50, 52. Retrieved 29 October 2015.
  118. "Threat smart: Building a cyber resilient financial institution" (PDF). FS Viewpoint. PwC. October 2014. Retrieved 4 June 2020.
  119. "Advanced Cyber Security - Stop Cyber Attacks | FireEye". FireEye. Retrieved 30 October 2015.
  120. Xuan, Cho Do; Duong, Duc; Dau, Hoang Xuan (21 June 2021). "A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic". Journal of Intelligent & Fuzzy Systems. 40 (6): 11311–11329. doi:10.3233/jifs-202465. ISSN 1064-1246. S2CID 235815012.
  121. "Best Practices in Cyber Supply Chain Risk Management" (PDF). Retrieved 30 October 2015.
  122. "Kaspersky Lab and EY Warn Organizations to Get Prepared for Cyberthreats | Kaspersky Lab". www.kaspersky.com. Retrieved 30 October 2015.