ENISA Warns Supply Chain Attacks Will PersistAgency Offers Insights on Mitigating Risks
The European Union Agency for Cybersecurity, or ENISA, warns that supply chain attacks will continue to skyrocket this year.
In a new report, "Threat Landscape for Supply Chain Attack," the agency analyzed 24 supply chain attacks reported between January 2020 and early July 2021. It mapped out the supply chain environment in this period to understand different attack scenarios.
Based on an assessment that growth in supply chain attacks seen during the period reviewed will continue throughout 2021, the report estimates that there will be four times more supply chain attacks in 2021 than in 2020, with half of the attacks being attributed to advanced persistence threat actors. Of those supply chain attacks analyzed in the report, 50% of the incidents were caused by APT groups and had common attack vectors, such as malware injection, social engineering and vulnerability exploitation.
In 66% of the incidents covered in the report, attackers focused on the suppliers’ code in order to further compromise targeted customers. About 58% of the supply chain attacks were aimed at gaining access to data - predominantly customer data, including personal data and intellectual property - and 16% were designed to gain access to individuals.
Common Attack Vectors
"A supply chain attack is a combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets," ENISA explains. "The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets."
In the case of the supplier, the common attack vectors that were used to compromise the supply chain were malware infection, social engineering attacks and exploitation of software vulnerabilities, ENISA says. To target supplier assets, the attackers leveraged vulnerable software, such as web servers, cloud applications or software source codes.
They targeted customers by exploiting certificates via automatic updates, by injecting malicious scripts into the websites and by deploying malware such as remote access Trojans, ransomware or backdoors, ENISA adds.
The attackers then proceeded to target customers' assets - which include payment data, employee records and credentials - and access customer product source code, steal cryptocurrency and hijack bank accounts and money transfers, the report notes.
Taxonomy for Supply Chain Attacks
The report introduces a taxonomy for supply chain attacks. "The proposed taxonomy also helps to classify, compare and discuss these attacks using a common ground. The similarities between the proposed taxonomy and other well-known frameworks are discussed," it says.
ENISA says that organizations can use the taxonomy to better understand the four elements of the supply chain - supplier, supplier assets, customer and customer assets. It says the taxonomy has been used at the block level for the purpose of incident response coordination activities and information sharing within the EU.
The taxonomy is conceptually different from the MITRE ATT&CK framework, ENISA says, adding that it does not aim to replace the latter but rather complement it.
ENISA has recommended several steps that organizations can take to prevent potential supply chain fallouts. These include:
- Identify and document types of suppliers and service providers;
- Assess supply chain risks according to their own business continuity impact assessments and requirements;
- Monitor supply chain risks and threats, based on internal and external sources of information as well as on findings from suppliers’ performance monitoring and reviews;
- Classify assets and information that are shared or accessible to suppliers and define relevant procedures for their access and handling;
- Monitor service performance and perform routine security audits;
- Maintain accurate and up-to-date data on the origin of software code or components;
- Monitor security vulnerabilities reported by internal and external sources.