This report was sponsored by JFrogThe Software Supply Chain Platform for Trust & Visibility from Dev to Device.

Up until the end of 2020, software supply chain attacks might not have been on your radar. But the attack on SolarWinds, as well as those on Log4j, Codecov, and Kaseya (to name a few), have placed these emerging threats at the forefront of many cybersecurity strategies.

Designed to cause mass disruption through a single breach, supply chain attacks target software updates, build processes, and source code by hunting out vulnerabilities and unsecure servers and protocols. This enables hackers to alter source code and hide malware or backdoors in the updates or design builds. Because these apps and updates are released by trusted vendors (and often come certified and signed), the malicious code is unleashed on the public without them or the vendors being aware of the compromise or vulnerability.

Through this one breach, an attacker can distribute its malicious code to thousands, if not millions, of victims.

Here at Comparitech, we’ve tracked software supply chain attacks from as far back as 2007 to see how the threat landscape is changing, who and what was attacked, and how many people were affected.

For definitions of each attack type, please see the methodology. Attacks are assigned to the country where the platform/website’s headquarters are located. Where a company’s location isn’t provided and/or more than one organization is implicated in the attack, the attack isn’t included in the map. 

The biggest software supply chain attacks

Most of the biggest software supply chain attacks have taken place in the last couple of years. Here are some of them:

SolarWinds

SolarWinds was the hack that put software supply chain attacks on the map. Its IT monitoring system, Orion, which is used by over 30,000 organizations including federal, state, and local agencies, was compromised by hackers. This enabled the hackers to deliver backdoor malware in an Orion software update.

The result?

Not only could the hackers access and imitate the victims’ accounts/users, the malware could also access system files and work among SolarWinds’ legitimate activities, going undetected even by antivirus software. The attackers went unnoticed from when they first hacked into the system in September 2019 to the first public discovery/report of the attack in December 2020.

Overall, approximately 18,000 customers installed the malicious Orion update, allowing the hackers to unleash even more malware and havoc on their systems. Those affected included Cisco, Deloitte, Intel, Microsoft, FireEye, and various government departments, including Homeland Security.

Kaseya

In July 2021, IT management software company, Kaseya, announced it had been the victim of a supply chain attack after hackers exploited a vulnerability in its VSA software. The attackers, which were later revealed as REvil, used the vulnerability to carry out ransomware attacks on multiple managed service providers (MSPs) and their customers. By hacking the VSA server, which is used to deploy various automated IT tasks and software, hackers were able to infiltrate systems via a fake update.

Kaseya confirmed that around 60 of its customers and a further 1,500 businesses were affected by the attack. Kaseya did, however, confirm that it hadn’t paid the hacker’s ransom (which was rumored to be $70 million–reduced to $50 million).

Codecov

Shortly before the Kaseya attack, in April 2021, Codecov (a dedicated code coverage solution) revealed that hackers had gained unauthorized access to its Bash Uploader script before altering it. They were able to do this due to an error in the image creation process that gave them access to Codecov’s sensitive credentials. As a result, the attackers were able to glean customers’ private credentials, keys, and tokens.

Worse still, the attackers were able to do this for two months before they were detected. It was a customer who noticed an error in the code (hackers changed the IP address to their own server rather than Codecov’s).

Log4j

At the end of 2021, Log4j (a Java-based logging utility) was victim to a vulnerability, Log4Shell, that put millions of computers at risk. Built by the Apache Software Foundation, Log4j is open-source software that records diagnostic information about systems and communicates them to users and administrators in a bid to keep things running smoothly.

However, in December 2021, the Log4Shell vulnerability meant attackers could break into systems, steal data, uncover logins and passwords, and unleash further malicious software. And with Log4j being used by a vast number of individuals and organizations, it put an extraordinary amount of users and businesses at risk of attack. This included Belgium’s Ministry of Defence, which revealed an attack on its systems in mid-December and Vietnam-based crypto platform Onus, which was found to be using a vulnerable version of Log4j.

Methodology and sources

To collate a list of software supply chain attacks, our researchers have searched through industry blogs, software logs, and vulnerability databases. Where possible, we have only included an attack if it led to the exploitation of a vulnerability. For example, ethical hacks or notifications of vulnerabilities before any illicit activities have been carried out haven’t been included. Attacks have only been included if they affect a software supply chain.

For the number of customers affected, this may include individual customers/records, or it may refer to the number of businesses impacted.

Categories for attack types and what was attacked were created using the European Union Agency for Cybersecurity’s (EINSA) Threat Landscape for Supply Chain Attacks report.

  • How was the supplier attacked?
    • Brute-force attack: e.g. guessing login details
    • Exploiting configuration vulnerability
    • Exploiting software vulnerability
    • Malware infection
    • Open-Source Intelligence (OSINT): e.g. finding usernames or other credentials online
    • Physical Attack or Modification: e.g. physical intrusion into the system or modifying hardware
    • Social Engineering: e.g. typosquatting, fake applications, phishing
  • What was attacked (supplier)?
    • Proprietary Code: e.g. software or source code that is produced by the supplier or software used by the supplier, such as plugins produced to work with the supplier’s software
    • Open-source Code: e.g. software packages installed via third parties, e.g. RubyGems or npm
    • Configurations: e.g. API keys, passwords, URLs
    • Data: e.g. certificates, personal data, information about the supplier
    • Hardware: e.g. USBs, chips, valves
    • Processes: e.g. signing certificates processes, updates, or backups
    • People: specific targets identified by the attackers
  • How was the customer attacked?
    • Counterfeiting: e.g. creating a fake USB
    • Drive-by compromise: e.g. malicious website scripts used to infect users with malware
    • Malware infection: e.g. ransomware, backdoor, a remote access trojan (RAT)
    • Phishing: e.g. fake update notifications, fake apps, or messages impersonating the supplier
    • Physical Attack or Modification: e.g. physical intrusion into the system or modifying hardware
    • Trusted Relationship: e.g. trust an automatic update, trust a backup, or trust a certificate
  • What was attacked (customer)?
    • Business Data: e.g. emails, documents
    • Personal data: e.g. credentials, employee records, customer data
    • Financial: e.g. payment details, cryptocurrency
    • Software: e.g. access to software/code of the customer
    • Processes: e.g. access to the system of the customer, ability to unleash more malicious activities, ability to change software/app permissions
    • People: e.g. people targeted due to their knowledge or data
    • Bandwidth: e.g. use of bandwidth to spam others on a large-scale or unleash DDoS

For a full list of sources, please click here.

Data researchers: Charlotte Bond, Rebecca Moody