Break the chain: avoiding supply side cyber attacks

According to the Office of the Australian Information Commissioner (OAIC), malicious or criminal attacks are a leading cause of data breaches notified to the OAIC.1

Whilst traditionally we might think of cyber security breaches as involving hackers directly accessing a computer (unauthorised users who ‘break into’ a computer to access/change/steal/delete information), or phishing (where an external party sends fraudulent messages which trick people into providing personal or confidential information), a different form of cyber breach is becoming more prevalent.

A supply chain attack, also known as a value-chain or third-party attack, occurs when a threat actor infiltrates a system through an outside party, eg a service provider, with access to the organisation’s data and systems.2  Supply chain cyber breaches have been found in both the computer and mobile phone areas, signifying a serious risk to individuals and organisations alike.

In 2013, US retail giant ‘Target’ reported a supply chain cyber breach in which a heating, ventilation, and air conditioning company was reportedly hacked and, through that company, the hackers were then able to remotely control some of Target’s retail operations.  The hackers reportedly stole 60 million shoppers’ private credit card information and names, costing Target $24.78 million to settle investigations.3

In October 2019, a cyber security software company, ‘Avast’, reported a breach in which CCleaner (a utility used to clean potentially unwanted files from a computer) was believed to have been the ultimate target.  Had the breach been successful, all of CCleaner’s clients may have been exposed to the attack.4

In the mobile phone sphere, ‘SimBad’ and ‘Operation Sheep’ are just two of many known supply chain attacks on mobile app developers.  ‘SimBad’ was ‘adware’5 (a form of malware that hides on your device and presents advertisements) hidden in a software development kit, which was utilised by the 206 infected apps on Google Play.  The apps were then collectively downloaded nearly 150 million times.  The adware infected many simulator games offered through Google Play, which led to the name ‘SimBad’.  ‘Operation Sheep’, on the other hand, operated in a similar manner; however, instead of presenting ads, this malware stole contact data from the infiltrated phones.

These examples of supply chain attacks are an important reminder to be aware of who you interact with, who interacts with you, and how the interactions take place within systems.

Lavan recommends that organisations not only regularly update and review their own internal data security policies and practices, but also confer with their suppliers and contacts with respect to maintaining data security.  As outlined in the ‘Check Point Software Security Report 2020’, “maintaining a healthy suspicion of previously trusted partners and their security mechanisms has become an imperative[…]”.6

If you have any questions in relation to this article, please contact Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.