When you think of a cybersecurity attack, the image of a hacker probing a network for vulnerabilities comes to mind. Or a phishing attack that steals an employee's login credentials or malware installed on a computer.

These are all valid and common methods of attack. But what if there was another way to infiltrate a network that didn't involve attacking the target directly?

A supply chain attack does just this, exploiting organizations linked to the target and attacking the targets' supply chain. So what are supply chain attacks, and how do they work?

What Is a Supply Chain Hack?

A supply chain attack seeks to damage or infiltrate an organization by pinpointing vulnerable parts of its supply network. Attacking a supply chain presents multiple opportunities for successful infiltration—even more so when attacking an organization with a complicated or intricate supply chain network.

In almost all supply chain attacks, the initial victim is not the sole target of the attacker. Rather, the supply chain element is a stepping stone to a bigger fish. The attacker exploits vulnerabilities in the easier target and leverages that to move to the ultimate goal.

Although supply chain attacks sound rare, a June 2020 study by Opinion Matters for BlueVoyant [PDF, sign-up required] found that 80 percent of organizations "have suffered a third-party related breach in the past 12 months." Furthermore, 77 percent of respondents have "limited visibility around their third-party vendors."

With figures like this, you see why supply chain attacks are not only popular but also how they succeed in moving from the initial target to the main organization.

It is extremely difficult for a company to detect a third-party software supply chain attack. The very nature of the attack means the malicious files are hidden not only from the main target but from the vulnerable link in the supply chain. The computer doesn't even have to be online for the attack to work.

The target organization may only realize there is an issue when their data starts appearing for sale elsewhere or something similar triggers an alarm. With such in-depth access to the internal network, it is possible to move around freely within the organization, even deleting the tell-tale signs of an intruder.

Supply Chain Attack Types

Supply chain attacks aren't one size fits all. The supply chain for a major organization may comprise multiple different moving parts. An attacker must think about which type of supply chain attack to use against a target.

Here are three notable supply chain attacks for you to consider.

1. Target

In 2013, the US retailer Target was the subject of a major attack that resulted in the loss of information on 110 million credit and debit cards used in their stores. The total amount of data stolen was only 11GB, but the type of data stolen was particularly valuable.

The attackers identified a number of third-party suppliers in Target's corporate network. While the final number of attempted exploits is unknown, the vulnerable business was Fazio Mechanical, a refrigeration contractor.

Once the contractor was compromised, the attackers waited inside the company network until it was possible to escalate to a Target system using stolen credentials. Eventually, the attackers gained access to Target's servers, looking for other vulnerable systems inside the company network.

From here, the attackers exploited Target's point of sale (POS) system, skimming off card information for millions of customers.

2. SolarWinds

One primary example of a third-party software supply chain attack is SolarWinds, whose Orion remote management software was compromised in 2020. The attackers inserted a malicious backdoor into the software update process.

When the update was pushed to SolarWinds' hundreds of thousands of customers, the attacker's malware went with it. As the update was digitally signed as normal, everything appeared as usual.

Related: What Is Code-Signed Malware?

After activating the software as part of the normal update process, the attackers gained access to a huge number of critical targets, including the US Treasury, the Departments of Homeland Security, Commerce, State, Defence, and Energy, and the National Nuclear Security Administration.

The SolarWinds attack is one of the largest and most successful supply-chain attacks ever carried out.

3. Stuxnet

Did you know that one of the most infamous hacks of all time was a supply chain attack?

Stuxnet is a computer worm with an extremely specific target: systems running a particular software type, from a specific manufacturer, found in Iranian nuclear power plants. The Stuxnet malware causes centrifuges to drastically increase in speed, destroying the material in the centrifuge and the infrastructure itself in the process.

Related: Can a Cyberattack Cause Physical Damage?

The highly targeted and incredibly sophisticated worm is believed to be the work of the US and Israeli governments, working together to eliminate an apparent Iranian nuclear threat.

Stuxnet was introduced into the Iranian nuclear power plant supply chain using an infected USB flash drive. Once installed on one computer, Stuxnet moved laterally through the network, searching for the correct control system before running.

Because Stuxnet has a precise target, it doesn't draw attention to itself, only activating when it hits a computer matching the specifications.

How To Stay Safe in the Supply Chain Attack Era

Supply chains are difficult to manage at the best of times. Many companies use third-party software solutions to manage aspects of their business. These include remote management tools or accounting software, or even platforms like Microsoft Office 365.

Companies simply cannot bring every aspect of their business under one roof. Nor should they have to. Trusting a software developer or cloud service provider shouldn't drastically increase the chances of you or your business falling victim to an attack.

Increased security for businesses and consumers drives supply chain attacks too. If the attackers cannot find a way into the organization, attacking the next tier down is the most economical and pragmatic way of gaining access. It is also less likely to get picked up by enterprise security systems.

In many cases, supply-chain attacks are extensive, well-researched, and well-funded operations.

For example, SolarWinds is the work of a nation-state hacking team that has had months to work on and deliver the supply chain hack. Similarly, Stuxnet combined multiple zero-day attacks into a single package to hit Iranian nuclear power plants, and the Target supply chain hack took time to pull off.

These aren't random script amateurs we're talking about here, who have stumbled on a vulnerability. They're teams of hackers working together to attack a specific target. The supply chain just happens to be the path of least resistance.