What are some Real Examples of Supply Chain Attacks in Recent Years, and What Should DoD Contractors Learn from them?

Several significant supply chain attacks in recent years have garnered media attention in the United States and elsewhere. Hackers are targeting not only big organizations but also small and mid-sized companies. Small businesses that work as DoD contractors or DIB supply chain vendors are the number one target of hackers. Since most DoD contractors lack the funds to build a robust cybersecurity team, they are more susceptible to cybercrime. It is no surprise that the U.S. federal government has made cybersecurity compliance a must for DoD vendors. However, compliance with CMMC, DFARS, and NIST is complicated and time-intensive. Thus, more and more companies are relying on CMMC consulting firms in Virginia Beach to become compliant.

Here, we have listed some of the most prominent cyber attacks on the supply chain.

Attacks in early 2017-2018

In 2017, a supply chain attack attributed to hackers supported by Russia compromised accounting software widely used in Europe. Maersk, FedEx, Merck, and other global firms suffered operational setbacks and other losses totaling about $10 billion due to the attack.

In 2018, an attack against ASUS, a manufacturer of motherboards, graphics cards, notebooks, netbooks, and other electronic devices, used an automatic software update to implant malware. The attack affected many thousands of ASUS customers worldwide as the software was downloaded by consumers further down the line.

Attacks in early 2020-2021

A high-profile cyberattack on SolarWinds in 2020 impacted up to 250 customers worldwide. SolarWinds offers software for managing business networks, systems, and IT infrastructure. State-sponsored Russian hackers inserted malicious code into the Orion software upgrades that SolarWinds was shipping to its clients. FireEye, a company that offers organizations cybersecurity gear, software, and services, was one of the clients impacted. Weeks later, FireEye experienced a network compromise and software theft that might be linked upstream to the SolarWinds attack.

Additionally, in 2020, Russian hackers gained access to private information by exploiting a flaw in the VMware Access and Identity Manager software. VMware is a provider of virtualization and cloud computing software and services to companies and governmental organizations worldwide. The exploit gave the hackers access to the networks of VMware customers and the ability to impersonate authorized users to access their data.

Attacks in 2021

Mimecast offers cloud-based email security, preservation, and continuity services for Microsoft Exchange and Office 365. In 2021, Mimecast acknowledged a network intrusion by the same attackers who attacked SolarWinds. A Mimecast security license that verifies its operations on Microsoft 365 Exchange Web Services, used by about 10% of Mimecast customers, was compromised in the intrusion.

And in a fascinating experiment conducted in 2021, a white-hat security researcher successfully broke into several prestigious businesses by taking advantage of the dependencies that many software applications rely on to provide services to end consumers. Test data packages were successfully delivered to Tesla, Uber, Apple, and Microsoft. Although no damage was done, the research demonstrated that supply chain attacks can happen even to large-scale tech companies. Just picture the mayhem that might have ensued among users of Apple and Microsoft products, for instance, if the packages had contained malware.

What do the recent cyber attacks on the supply chain suggest?

These attacks on the supply chain show that every provider is susceptible to intrusion and compromise. Technology companies are particularly appealing targets for hackers because of the catastrophic effects a single intrusion into a software developer or computer manufacturer can have on its entire customer ecosystem.

Compared with ransomware attacks and phishing exploits, supply chain attacks are relatively uncommon. On the downside, firms that buy or rent from technology providers must trust those suppliers to maintain adequate cybersecurity, because it is practically hard to verify on one's own. These few illustrations show that even renting or purchasing from a well-known technology company does not ensure supply chain security. Thus, one must hire a CMMC consultant when it comes to cybersecurity compliance.

The best a company can do in such a situation is to ensure its own cybersecurity is complete and up to date. An excellent place to begin is with a security risk assessment.