66% of supply chain attacks focus on suppliers' code, says ENISA

The European Union Agency for Cybersecurity (ENISA) has found supply chain attacks are rising and 66% of these attacks focus on the suppliers' code.

According to a new ENISA report, Threat Landscape for Supply Chain Attacks, which analysed 24 recent supply chain attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers. 

Supply chain attacks are expected to increase four-fold in 2021 compared to last year. ENISA says these new trends stress the need for policymakers and the cybersecurity community to act now. 

Juhan Lepassaar, ENISA's Executive Director, says: “Due to the cascading effect of supply chain attacks, threat actors can cause widespread damage affecting businesses and their customers all at once. With good practices and co-ordinated actions at EU level, Member States will be able to reach a similar level of capabilities raising the common level of cybersecurity in the EU.”

Why is a good level of cybersecurity not good enough?

Supply chain attacks can take months to succeed and in many instances these attacks can go undetected for a long time. Similar to Advanced Persistent Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly, with attackers planning them well in advance. These attacks are usually sophisticated and the attackers persistent.

The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are quite good. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.

In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.

For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.

For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.

ENISA says companies should apply good practices and engage in coordinated actions at EU level. It says the impact of attacks on suppliers may have far-reaching consequences because of the increased interdependencies and complexities of the techniques used. Beyond the damage to affected organisations and third parties, there is a deeper cause for concern when classified information is exfiltrated and national security is at stake or when consequences of a geopolitical nature could emerge as a result.
