EU cybersecurity agency says hackers target supplier’s code

The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are better than adequate.

Malware overcomes defences, opens doors for vulnerability

Mapping emerging supply chain attacks, the European Union Agency for Cybersecurity (ENISA) warned on July 29 that 66% of attacks focus on the supplier’s code. Supply chain attacks are now expected to multiply by 4 in 2021, compared to last year.

Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.

According to the new ENISA report, Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers. This is evidenced by the increasing impact of these attacks, such as downtime of systems, monetary loss and reputational damage. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.

“Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once,” EU Agency for Cybersecurity Executive Director Juhan Lepassaar said.

Composed of an attack on one or more suppliers with a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. Similar to Advanced Persistent Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and their persistence in seeking to succeed. In many instances, such an attack may even go undetected for a long time. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future, while mitigating their impact, need to be introduced urgently.

In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) and intellectual property. For 66% of the supply chain attacks that were analysed, suppliers did not know – or failed to report – how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users. It also shows that organisations should focus their efforts on validating third-party code and software before using them, to ensure these were not tampered with or manipulated.

The report issues an extensive number of recommendations for customers to manage the supply chain cybersecurity risk and to manage the relationship with their suppliers. Recommendations for customers include:

identifying and documenting suppliers and service providers;
defining risk criteria for different types of suppliers and services, such as supplier and customer dependencies, critical software dependencies and single points of failure;
monitoring supply chain risks and threats;
managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.

Suppliers are advised to implement security procedures that focus on vulnerability and patch management. Recommendations for suppliers include:

ensuring that the infrastructure used to design, develop, manufacture and deliver products, components and services follows cybersecurity practices;
implementing a product development, maintenance and support process that is consistent with commonly accepted product development processes;
monitoring security vulnerabilities reported by internal and external sources, including those in the third-party components used;
maintaining an inventory of assets that includes patch-relevant information.

The report also suggests possible actions to ensure that the development of products and services complies with Europe’s security practices. The EU Agency for Cybersecurity recommended that good practices be applied and that coordinated actions be engaged at the EU level. In this complex environment for supply chains, establishing good practices and getting involved in coordinated actions at the EU level are both important to support all 27 members of the bloc in developing similar capabilities to reach a common level of security. This new trend stresses the need for policymakers and the cybersecurity community to act now.

“With good practices and coordinated actions at (the) EU level, (the) Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU,” Lepassaar added.

A supply chain is a combination of the ecosystem of resources needed to design, manufacture and distribute a product. In cybersecurity, a supply chain includes hardware and software, cloud or local storage, as well as distribution mechanisms. The impact of attacks on suppliers may have far-reaching consequences because of the increased interdependencies and the complexity of the techniques used. Beyond the damage to affected organisations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake, or when consequences of a geopolitical nature could emerge as a result, ENISA said.

The cyber threat landscape is constantly evolving, and both policymakers and practitioners need access to up-to-date and accurate information on the current threat landscape, supported by threat intelligence. To respond to this need, the ENISA Threat Landscape has been published on an annual basis since 2012. These reports are based on publicly available data and provide an independent view on observed threats, threat agents, threat trends and attack vectors. ENISA set up an ad-hoc working group on cyber threats in order to interact with a broad range of stakeholders and to receive advice in designing, updating and reviewing the methodology needed to draw up cyber threat landscapes, including the annual ENISA Threat Landscape. The Agency provides threat analysis on a range of emerging technologies and challenges, including recent threat landscapes on Artificial Intelligence and 5G.

Photo caption: A digital screen displays a live cyber hack attack during a press conference at the Federal Criminal Police Office (BKA) in Wiesbaden, Germany, November 11, 2019. The BKA presented the federal picture of Cybercrime 2018 in Germany.

By New Europe Online/KG