Two Ways to Hack the Supply Chain
The combination of holiday shopping and a vaccine for COVID-19 has illustrated the importance of supply chains like never before. Goods get to market through supply chains. This post looks at two ways the different elements of a supply chain can be targeted. One method relies on inserting malicious code into components of products as they are assembled. The other targets the people involved directly, through deception.
Supply Chain Basics
[Figure omitted. Graphic by David Pogrebeshsky / Wikipedia]
A shipper might contract with a third-party logistics (3PL) provider to handle warehousing and shipping. The 3PL could own a warehouse to store the goods until shipment. When it is time to ship, the 3PL could work with a freight forwarder to book cargo on a ship or airplane. An agent receives the goods at the destination, and the cargo changes hands from one party to the next. There could be several large parties involved in the transfer of goods, or many smaller entities, each handling its own specialization.
We can look at a shipment from Amazon as an example of the supply chain's intricacies. A person clicks the button to purchase a Smart Snow Globe for Christmas from Snowy's. This new product connects to the Internet so it can sync with contact lists, display personal photos, and be controlled remotely. The seller has listed the snowy item on Amazon, but they have their own warehouse. When the order comes in, they look up the specific location of the globe and generate a shipment label with FedEx, who handles the final delivery to the customer. But how did that fun little snow globe get into their warehouse? They placed an order with a Chinese manufacturer and imported the globes. To get the goods into the USA, they worked with a freight forwarder specializing in China-to-US shipments. The freight forwarder had a customs broker on staff to make sure duties were paid and the shipment was legal.
Taking a step even further back, how did the manufacturer integrate the different components of the Smart Snow Globe? They worked with one vendor for the microchip, another for the Bluetooth components, and others for the remaining electronic parts. The manufacturer relies on a basic operating system to control the processes. Assembling these parts together in China is where the supply chain for the Smart Snow Globe starts.
Method #1: Hacking The Components of a Supply Chain
Hackers can infect the components of different products and use this access once the components are assembled. Inserting the payload during the assembly of a product can be done in a number of ways. The attacker can implant a rootkit on a component that gives administrator access. The infamous Stuxnet provides an example of how this type of supply chain attack works. A programmable logic controller (PLC) used in uranium enrichment was infected with malware via an infected USB drive. The PLC was just one component of the overall process, but infecting it meant the overall system was destroyed.
Looking at our Smart Snow Globe mentioned above, we can apply this method of hacking a supply chain. When the Snow Globe was assembled in China, suppose the operating system installed had a piece of malware infecting it. This malware is ingeniously designed to go into action once the end customer syncs her contacts. The Snow Globe sends those contacts phishing emails aimed at stealing more credentials and then sends that information to a server.
Stop the Attack: Partners and third parties represent a risk to companies. If you have digital or physical entwinement with others, then their weaknesses become yours. Thoroughly vetting your partners and assessing their security standards is a must. Doing so can lessen the chance of falling victim. A Managed Detection & Response solution can be used to monitor for suspicious activity.
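As an added example that is not code from the original post, here is a small Python check that applies the "monitor for suspicious activity" advice to the snow-globe scenario: a connected device that should only sync with its vendor cloud suddenly starts talking to mail servers and unknown hosts. The device name, the vendor host, the flow records and the expected-egress policy are all constructed for illustration; a real deployment would feed the same logic with flow logs from a gateway or network sensor.

```python
"""Flag a connected device whose network egress no longer matches its purpose.

Constructed example: the flow records below stand in for a summary a home or
office gateway might export. The device name, the vendor host and every
address are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports used for sending mail; a smart snow globe has no business using them.
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Flow:
    src: str     # device name (constructed)
    dst: str     # destination host or address (constructed)
    dport: int   # destination port
    count: int   # number of connections observed in the window


# Expected egress per managed device: the globe should only sync with its
# vendor cloud over HTTPS. Devices not listed here are out of scope.
EXPECTED_EGRESS = {
    "snow-globe-01": {("sync.snowys.example", 443)},
}

# Constructed flow summary for one monitoring window.
FLOWS = [
    Flow("snow-globe-01", "sync.snowys.example", 443, 12),  # normal sync traffic
    Flow("snow-globe-01", "mail.isp.example", 587, 40),     # outbound mail submission
    Flow("snow-globe-01", "203.0.113.45", 443, 3),          # unexpected host
    Flow("laptop-ann", "mail.isp.example", 587, 5),         # not a managed device here
]


def analyze(flows, expected=EXPECTED_EGRESS):
    """Return (device, alert_type, detail) tuples for policy violations."""
    alerts = []
    for f in flows:
        allowed = expected.get(f.src)
        if allowed is None or (f.dst, f.dport) in allowed:
            continue
        detail = f"{f.dst}:{f.dport} x{f.count}"
        if f.dport in MAIL_PORTS:
            # A consumer device sending mail matches the phishing scenario above.
            alerts.append((f.src, "mail-traffic", detail))
        else:
            alerts.append((f.src, "unexpected-egress", detail))
    return alerts


def summarize(alerts):
    """Count alerts per device so a noisy device stands out."""
    counts = defaultdict(int)
    for device, _, _ in alerts:
        counts[device] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyze(FLOWS)
    for device, kind, detail in found:
        print(f"{device}: {kind} ({detail})")
    print(summarize(found))
```

The allowlist approach works here because a single-purpose device has a small, predictable set of destinations; the same check is much noisier on general-purpose hosts, which is why the laptop in the sample is left out of the policy.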
Method #2: Hacking the People
Inserting malicious code into part of a software program or hardware device is one type of hacking. Getting a person to click a link or take another action the threat actor wants is another. The complex web of relationships in the supply chain was once managed through phone calls, faxes, printed documents, and face-to-face communication. In recent decades, emails, spreadsheets, APIs, and software programs have come into play. This is known as the digitization of the supply chain. Each connection in this supply chain is vulnerable to fraud, scams, and hackers breaking in for malicious gain.
The methods used to infiltrate and hack companies under the supply chain theme are the same ones hackers use under other pretexts. The threat actor is simply using the environment of shipments coming and going as the focal point of the fraud. The MITRE ATT&CK® Framework is the best modern resource covering the steps attackers take to execute attacks.
Hackers need to gather intelligence to know what systems are used by the members of the supply chain. Doing this can be accomplished with little special knowledge. Looking at the source code of a logistics website can reveal what software programs they use to ship goods. After discovering the software used, they can see who this company ships to or from regularly. Getting this intelligence can be accomplished by looking at the relevant employee’s LinkedIn connections, the company’s website content, or other public websites that highlight partnerships and customers.
With the knowledge of the relevant parties and the type of communications exchanged, the threat actor is ready to attack. They can craft a spoofed email or even a text message that shows tracking information or other information that prompts the recipient to click. After the victim clicks the link, the malware is installed. Now the threat actor can employ ransomware or any other illicit activity.
An example of this attack during the Smart Snow Globe shipment illustrates the situation. The freight forwarder bringing the Smart Snow Globes to the United States is a large company that is being targeted by a hacking group. The hacking group knows that the forwarder uses NetSuite to generate shipment information, and they know the parties involved. The hacker crafts a spoofed email prompting the forwarder to open a Word document attachment containing malware. After they open it, the forwarder is hit with ransomware and the Snow Globes do not arrive for Christmas.
Stop the Attack: Companies can prevent hackers from hijacking their supply chain by following some best practices. Employees should be trained to look closely at emails asking them to open attachments or click links. Email protection software that analyzes messages for authenticity can help as well.
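As an added example that is not part of the original post, the following Python script performs the kind of authenticity checks the post refers to, on a message shaped like the spoofed forwarder notice above: the SPF, DKIM and DMARC verdicts the receiving mail server recorded in its Authentication-Results header, whether the From and Reply-To domains agree, whether the sender domain is a known partner, whether an attachment is macro-enabled or otherwise executable, and whether links point outside the partner allowlist. Both sample messages, every domain and address in them, and the TRUSTED_SENDER_DOMAINS allowlist are constructed for illustration.

```python
"""Heuristic triage of inbound shipment-notification emails.

Added example, not a product the post names. Every header value, domain and
address below is constructed; the allowlist is an assumption about which
partner domains this organisation normally receives mail from.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Attachment types a shipping notice has no reason to carry.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".exe", ".js", ".vbs", ".iso", ".lnk"}

# Assumed allowlist of partner domains that legitimately send shipment mail.
TRUSTED_SENDER_DOMAINS = {"netsuite.example", "forwarder.example"}

# Constructed: a lookalike sender, failed authentication, mismatched Reply-To,
# a macro-enabled Word attachment and a link to an untrusted host.
SAMPLE_EMAIL = """\
From: "NetSuite Shipping" <shipping@netsuite-updates.example>
Reply-To: ops@mail-relay.example
To: ops@forwarder.example
Subject: Shipment SNG-4471 held at port - action required
Authentication-Results: mx.forwarder.example; spf=fail smtp.mailfrom=netsuite-updates.example; dkim=none; dmarc=fail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your container is on hold. Review <a href="http://tracking.netsuite-updates.example/hold">tracking details</a>.</p>
--b1
Content-Type: application/octet-stream; name="Hold_Notice.docm"
Content-Disposition: attachment; filename="Hold_Notice.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# Constructed: the same kind of notice from the real partner, passing all checks.
LEGIT_EMAIL = """\
From: "Forwarder Ops" <ops@netsuite.example>
To: ops@forwarder.example
Subject: Shipment SNG-4471 departed
Authentication-Results: mx.forwarder.example; spf=pass smtp.mailfrom=netsuite.example; dkim=pass header.d=netsuite.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Container departed Shanghai. Track at https://netsuite.example/track/SNG-4471
"""


def domain_of(address_header):
    """Bare domain from a header such as '"Name" <user@host>'."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)
    return {mech.lower(): verdict.lower() for mech, verdict in pairs}


def is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SENDER_DOMAINS)


def assess(raw):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}:{verdicts.get(mech, 'missing')}")

    sender = domain_of(msg.get("From"))
    if not is_trusted_host(sender):
        findings.append(f"untrusted-sender-domain:{sender}")

    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'https?://[^\s"<>]+', text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not is_trusted_host(host):
            findings.append(f"link-to-untrusted-host:{host}")

    return findings


if __name__ == "__main__":
    print("spoofed:", assess(SAMPLE_EMAIL))
    print("legit:  ", assess(LEGIT_EMAIL))
```

The Authentication-Results header is only meaningful when it was added by your own receiving server, so a production filter should strip any copy of that header that arrives from outside before trusting it; the script reads it as-is because the sample is assumed to come from the organisation's own mail gateway.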