Supply Chain Attack
An attack that compromises a trusted third-party vendor, software provider, or service to gain indirect access to the ultimate target.
Definition
A supply chain attack occurs when a threat actor compromises an organization indirectly by targeting a vendor, software library, build system, or managed service provider (MSP) that the target organization trusts and depends on. Rather than attacking the hardened perimeter of a well-defended organization, the adversary exploits the inherently trusted relationship between the target and its supply chain. Notable examples include the SolarWinds SUNBURST attack (2020), the Kaseya VSA breach (2021), and the 3CX supply chain compromise (2023).
Why It Matters
Supply chain attacks are particularly dangerous because they weaponize trust. Malicious code or access delivered through a legitimate vendor update bypasses signature-based defenses and often carries valid code-signing certificates. A single compromised vendor can yield access to hundreds or thousands of downstream organizations simultaneously, making supply chain attacks highly attractive to nation-state actors and sophisticated ransomware groups. They are also difficult to detect because the initial vector — a legitimate software update or service connection — appears normal.
How It Works
Attack vectors vary by target layer. Software supply chain attacks involve injecting malicious code into source repositories, build pipelines, or update packages (e.g., SolarWinds' Orion build system was compromised to insert a backdoor into signed updates). Hardware supply chain attacks involve tampering with firmware or components before delivery. MSP-based attacks use legitimate remote management tools to pivot from the MSP into client networks. Detection requires monitoring for anomalous behavior from trusted processes, validating software integrity via hash verification and SBOM (Software Bill of Materials) analysis, and auditing third-party access.
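As an added illustration of the hash-verification and SBOM check mentioned above (example code written for this entry, not taken from any vendor or tool; the file names, byte contents and the minimal CycloneDX-style layout are constructed):

```python
import hashlib
import hmac
import json
from typing import Dict, List

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the bytes the vendor actually built and published hashes for.
VENDOR_ARTIFACTS: Dict[str, bytes] = {
    "agent-core-4.1.0.dll": b"MZ\x90\x00 constructed clean build of agent-core",
    "updater-4.1.0.exe": b"MZ\x90\x00 constructed clean build of updater",
}

def build_sbom(artifacts: Dict[str, bytes]) -> str:
    """Emit a minimal CycloneDX-style JSON document listing a SHA-256 per component."""
    components = [
        {"name": name, "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
        for name, data in artifacts.items()
    ]
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components})

def verify_against_sbom(sbom_json: str, delivered: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a delivered update with its SBOM and group every file by outcome."""
    expected: Dict[str, str] = {}
    for comp in json.loads(sbom_json).get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                expected[comp["name"]] = h["content"].lower()
    findings: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing_from_sbom": [], "not_delivered": []}
    for name, data in delivered.items():
        if name not in expected:
            findings["missing_from_sbom"].append(name)  # file the manifest never listed: investigate
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            findings["ok"].append(name)
        else:
            findings["mismatch"].append(name)  # content changed after the manifest was produced
    for name in expected:
        if name not in delivered:
            findings["not_delivered"].append(name)  # listed component absent from the update
    return findings

# Constructed delivered update: one component altered after the build, one file the SBOM never listed.
DELIVERED: Dict[str, bytes] = {
    "agent-core-4.1.0.dll": VENDOR_ARTIFACTS["agent-core-4.1.0.dll"],
    "updater-4.1.0.exe": VENDOR_ARTIFACTS["updater-4.1.0.exe"] + b"\x00extra",
    "helper.dll": b"MZ\x90\x00 constructed file absent from the manifest",
}

if __name__ == "__main__":
    print(json.dumps(verify_against_sbom(build_sbom(VENDOR_ARTIFACTS), DELIVERED), indent=2))
```

This check only catches changes made after the manifest was produced; when the build system itself is compromised, as with the Orion backdoor, the published hashes and signatures match the malicious artifact, which is why behavioral monitoring of trusted processes is listed alongside integrity checks.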
Related Concepts