Big businesses know they could be cybercrime targets, so they invest in cyber defenses like software, people and training. Now, cybercriminals have turned to their smaller suppliers as a way of getting to them. hacker:HUNTER Behind the Screens Episode 2 looks at supply chain attacks.
Supply chain attack targets retailer Target
The bigger the business, the more suppliers. And more internet-connected devices everywhere means cybercriminals have more ways in.
In this episode, Eliza-May Austin, CEO and co-founder of cybersecurity start-up th4ts3cur1ty.company (That Security Company,) explains how cybercriminals stole 40 million people’s card details from US retail giant Target with an attack that began in their air conditioning system.
You read that right. It started with an employee at Target’s air conditioning supplier clicking a link in a phishing email, injecting malware into their system. Target had remote access to monitor their air conditioning units, and that remote access was through the same network where cybercriminals could access personal data. They got inside point-of-sale devices and pulled customer card details from the machine’s memory. The attack cost Target some 61 million US dollars.
What is a supply chain attack?
These kinds of attacks aren’t new, but they’re becoming more common and harder to detect. Apple and computer hardware makers ASUS are among those who’ve been targeted.
Energetic Bear was a significant attack on critical energy infrastructure. Cybercriminals began the attack with spear phishing – targeting specific people with customized emails and making a hit list of potentially vulnerable suppliers.
In 2017, Kaspersky researchers discovered a ‘backdoor’ (dubbed ShadowPad) in server management software hundreds of large businesses use. When activated, the backdoor let attackers download malicious modules and steal data. The researchers notified the suppliers, NetSarang, who pulled down the compromised software and replaced it with an earlier clean version.
Sometimes, there is no clean version. Noushin Shabab, Senior Security Researcher at Kaspersky, explains how supply chain attacks can start as software is being developed. “Cyberattackers compromise software by getting inside software used by developers – the development environment. That way malicious code can end up on many businesses’ networks.”
How to protect against supply chain attacks
Eliza-May Austin works with suppliers to larger corporations to make sure the whole supply chain is ‘hardened,’ or better protected from attack.
Her advice is straightforward. “We can prevent about 80 percent of attacks with basic cyber-hygiene. Make sure your software and hardware is up to date. Limit your ‘attack surface’ – if something needn’t be online, don’t put it online. Audit passwords, making sure they’re complex. Have two-factor authentication. Employees can be the weakest link in a company, but if they have good cybersecurity training, they can be the strongest.”