Cybercriminals are increasingly infiltrating organizations not by attacking their core systems directly, but by exploiting vulnerabilities in their suppliers, and many of these incidents are never made public. According to Unit 42, Palo Alto Networks’ threat intelligence and incident response team, 28% (more than one in four) of the cases it analyzed in Europe over the past year originated from third-party vulnerabilities.
This percentage is likely even higher, as many attacks initiated through external providers go undetected or are not classified as supply chain-related incidents, making it difficult to fully understand the scope of the problem.
Chris George, Managing Director EMEA of Unit 42 at Palo Alto Networks, notes that investigations tend to focus on protecting the affected organization and restoring operations as quickly as possible, rather than thoroughly examining the initial point of attack. As a result, many supply chain-related incidents are not identified as such, and companies are not fully aware of the level of risk within their network of suppliers.
The perfect storm: AI use, increasing connectivity, and over-reliance on vulnerable third parties
The sectors most often targeted through the supply chain are technology and financial services, because of the high value of the data they manage and their extensive vendor networks. Legal firms and professional services companies have also become frequent targets because of their access to confidential information belonging to large corporations. Luxury brands are on cybercriminals’ radar as well, with attackers seeking access to the personal data of high-net-worth clients.
Some of the main reasons behind these attacks include:
- Expanded digital ecosystems: companies are part of increasingly large ecosystems with hundreds or thousands of suppliers, which multiplies the attack surface.
- The principle of the weakest link: attackers exploit smaller suppliers with weaker defenses to leverage the trust placed in them by larger companies.
- Economic asymmetry: compromising suppliers is often easier and faster than attacking a large organization directly, offering a highly attractive risk-reward scenario for attackers.
- Acceleration of AI: ransomware-as-a-service, access brokers, and AI-powered tools for reconnaissance, exploitation, and social engineering make supply chain attacks easier and more cost-effective. According to Unit 42, a “perfect storm” is forming due to the combined effects of AI use, growing connectivity, and over-reliance on vulnerable third parties.
Types of supply chain attacks
- Software poisoning attacks: manipulation of the software development cycle by altering code, libraries, or dependencies before the product reaches the end user.
- Hardware manipulation: altering components during manufacturing or transport to introduce malicious elements.
- Attacks on business processes: exploiting relationships between a company and its suppliers or partners to insert malicious content into seemingly legitimate activities.
Cyber altruism as a defensive strategy
Unit 42 recommends adopting protective measures such as:
- Mapping all digital dependencies: identifying every provider and connection.
- Detecting weak links: pinpointing and fixing vulnerabilities before attackers can exploit them.
- Sharing security measures down the chain: extending tools, training, and protections to smaller suppliers and contractors.
These steps should be part of a “cyber altruism” strategy, based on the pragmatic idea that large organizations share security capabilities with their smaller suppliers, since everyone faces the same level of exposure to risk.
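The software-poisoning category above (altered code, libraries, or dependencies) and the recommendation to map digital dependencies come together in one concrete defensive control: an inventory of dependencies pinned to expected artifact hashes, checked against what is actually fetched at build time. The script below is an added illustration, not code from the article or from Unit 42. It parses a lockfile in pip's `--hash=sha256:` pinning syntax and reports, per package, whether the downloaded bytes match, were altered, were never pinned, or were not in the inventory at all. Package names, versions and artifact contents are constructed sample data.

```python
"""Check fetched dependency artifacts against a hash-pinned inventory.

Added example (not from the article or Unit 42). A pinned lockfile is the
"map of digital dependencies"; comparing each downloaded artifact's hash with
the pin is how a consumer notices a library that was altered upstream.
"""
import hashlib
import re
from typing import Dict, Mapping, Set

# One requirement per line in pip's pinning syntax:
#   name==version --hash=sha256:<64 hex chars> [--hash=sha256:... ]
_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_lockfile(text: str) -> Dict[str, Dict[str, object]]:
    """Return {name: {"version": str, "hashes": set}} from lockfile text.

    A line that is not a pinned requirement raises ValueError, so a malformed
    or hand-edited lockfile fails closed instead of being silently skipped.
    """
    entries: Dict[str, Dict[str, object]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno} is not a pinned requirement: {raw!r}")
        hashes: Set[str] = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        entries[m.group("name").lower()] = {"version": m.group("version"), "hashes": hashes}
    return entries


def verify_artifacts(lockfile_text: str, artifacts: Mapping[str, bytes]) -> Dict[str, str]:
    """Compare downloaded artifact bytes with the lockfile.

    Status per package: "ok" (hash matches a pin), "mismatch" (bytes differ
    from every pin), "unpinned" (version pinned but no hash to check),
    "missing" (pinned but not downloaded), "unexpected" (downloaded but absent
    from the inventory, e.g. pulled in transitively).
    """
    entries = parse_lockfile(lockfile_text)
    report: Dict[str, str] = {}
    for name, entry in entries.items():
        data = artifacts.get(name)
        if data is None:
            report[name] = "missing"
        elif not entry["hashes"]:
            report[name] = "unpinned"
        else:
            digest = hashlib.sha256(data).hexdigest()
            report[name] = "ok" if digest in entry["hashes"] else "mismatch"
    for name in artifacts:
        if name.lower() not in entries:
            report[name.lower()] = "unexpected"
    return report


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: these byte strings stand in for real wheel files.
GOOD_NETCLIENT = b"netclient-1.4.0 original wheel bytes"
GOOD_PARSERKIT = b"parserkit-0.9.2 original wheel bytes"
SAMPLE_LOCKFILE = (
    f"netclient==1.4.0 --hash=sha256:{_sha256(GOOD_NETCLIENT)}\n"
    f"parserkit==0.9.2 --hash=sha256:{_sha256(GOOD_PARSERKIT)}\n"
    "tinyutil==2.0.0\n"  # version pinned, no hash: cannot be verified
)

# Simulated fetch in which parserkit was altered upstream and an extra
# package not present in the inventory came along transitively.
SAMPLE_ARTIFACTS = {
    "netclient": GOOD_NETCLIENT,
    "parserkit": b"parserkit-0.9.2 wheel bytes with an extra payload",
    "tinyutil": b"tinyutil-2.0.0 wheel bytes",
    "colorful": b"colorful-0.1.0 wheel bytes",
}


def sample_report() -> Dict[str, str]:
    """Run the check over the constructed sample data."""
    return verify_artifacts(SAMPLE_LOCKFILE, SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    for pkg, status in sorted(sample_report().items()):
        print(f"{pkg:10s} {status}")
```

Anything other than "ok" across the board is a reason to stop the build: "mismatch" is the software-poisoning case, while "unpinned" and "unexpected" are the gaps in the dependency map that the recommendation above asks organizations to close.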