Supply chain attack

A supply chain attack targets software developers and vendors rather than end users directly: the attacker gains access to source code, build processes, or update mechanisms and uses that access to infect legitimate applications, which then distribute the malware to everyone who installs them². Supply chain attacks are very harmful. They not only damage the reputation and business of the supplier, but also affect every downstream consumer in the supply chain, and can lead to data leakage, system outages, and financial loss. Defending against and responding to supply chain attacks is therefore very important.

This article introduces the common types of supply chain attacks, detection methods, emergency response, and defense strategies, in the hope of being useful to software developers and suppliers.

Common Types of Supply Chain Attacks

There are many kinds of supply chain attacks. According to the attacker's goals and means, they can be divided into the following six types²:

  • Source code tampering : Attackers break into the supplier's code repository or development environment and modify part of the source code, inserting malicious code or a backdoor so that the built application carries malicious functionality. For example, in 2017 the CCleaner build environment was compromised and a backdoor was compiled into a signed release; about 2.27 million users downloaded the version containing the malicious code.
  • Dependency package poisoning : Attackers publish dependency packages containing malicious code, or register names that differ from popular packages by a single character (typosquatting), so that developers download and use the malicious package and their own application inherits its behavior. For example, in late 2019 a package named jeIlyfish (a capital I in place of the lowercase l of jellyfish) appeared on PyPI, alongside python3-dateutil impersonating python-dateutil; both carried code that stole developers' SSH and GPG keys.
  • Update mechanism hijacking : Attackers hijack the supplier's update server or update channel to push updates containing malicious code to users, or to prevent users from receiving legitimate updates. For example, in 2017 the NotPetya ransomware was distributed through the compromised update mechanism of the Ukrainian accounting software M.E.Doc, which pushed malicious updates to its users and caused damage worldwide.
  • Development tool pollution : Attackers tamper with the tools developers use, such as compilers, debuggers, and IDEs, so that the applications built with them contain malicious code or backdoors. For example, in 2015 XcodeGhost was a trojanized Xcode installer, distributed through unofficial download mirrors, that injected malicious code into the iOS apps compiled with it, affecting millions of users.
  • Hardware implantation : Attackers implant malicious chips or firmware in the supplier's hardware devices and, through the hardware, compromise the supplier's software or services. For example, in 2018 a press report claimed that microchips had been implanted during manufacturing in China into server motherboards supplied to companies such as Apple and Amazon, allowing the servers to be controlled remotely and data to be stolen; the companies named denied the report, and the claim has never been independently confirmed.
  • Personnel infiltration : Attackers bribe, threaten, or deceive the supplier's employees into performing malicious operations inside the supply chain, such as modifying source code, leaking keys, or disabling firewalls.
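The dependency-poisoning and update-hijacking entries above both come down to the same practical question: does the name and artifact you are about to install match what you intended? The following script is an added example, not code from the original post or from any of the projects it mentions. It audits a requirements.txt against a constructed allowlist of approved package names, flags names that are within a small edit distance of an approved name (after folding look-alike characters such as I/l/1, so jeIlyfish scores as identical to jellyfish), and warns about requirements that are not pinned or carry no --hash, since an unhashed pin gives an attacker who controls the index or update channel a free substitution. The allowlist, the sample requirements text, and the hash values are all constructed for the example.

```python
"""Audit a requirements.txt for typosquatted names and unpinned or unhashed
requirements. Added example; not part of the original post."""
import re

# Constructed allowlist: the package names this project is approved to use.
# In a real pipeline this would come from an SBOM or an internal approved list.
KNOWN_PACKAGES = {
    "requests", "jellyfish", "numpy", "urllib3",
    "python-dateutil", "cryptography", "pyyaml",
}

# Look-alike characters folded together before comparing, so a name that swaps
# 'l' for 'I' or '1' compares as identical to the legitimate one.
_CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e", "4": "a"})

# Leading project name of a requirement line, followed by specifiers/options.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")

# Constructed sample input; the hashes are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project file
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
jeIlyfish==0.1
python3-dateutil==2.8.2
reqeusts==2.31.0
numpy>=1.26
python_dateutil==2.8.2 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
urllib3==2.2.1
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'reqeusts' is one edit away from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def closest_known(name: str):
    """Return (approved_name, distance) for the nearest allowlisted package,
    taking the smaller of the raw distance and the confusable-folded distance."""
    folded = name.translate(_CONFUSABLES)
    best = None
    for known in KNOWN_PACKAGES:
        dist = min(osa_distance(name, known),
                   osa_distance(folded, known.translate(_CONFUSABLES)))
        if best is None or dist < best[1]:
            best = (known, dist)
    return best


def audit_requirements(text: str, max_distance: int = 2):
    """Return findings as (normalized_name, severity, message) tuples."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options such as -r / --index-url
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name, rest = normalize(m.group(1)), m.group(2)
        if name not in KNOWN_PACKAGES:
            known, dist = closest_known(name)
            if dist <= max_distance:
                findings.append((name, "high",
                                 f"looks like '{known}' (edit distance {dist} after "
                                 "folding look-alike characters); possible typosquat"))
            else:
                findings.append((name, "medium", "not on the approved package list"))
            continue
        if "==" not in rest:
            findings.append((name, "low", "version not pinned with =="))
        elif "--hash=" not in rest:
            findings.append((name, "low",
                             "pinned but no --hash; a substituted artifact would install silently"))
    return findings


if __name__ == "__main__":
    for name, severity, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"[{severity}] {name}: {message}")
```

Run it against a real file by passing its contents to audit_requirements; with pip, `--require-hashes` then makes the low-severity findings enforceable rather than advisory. The allowlist approach deliberately treats any unknown name as a finding: a package that is merely unfamiliar is reviewed once and added, whereas a near-miss of an approved name is almost never legitimate.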

Reference links
(1) Supply chain attack, Baidu Encyclopedia. https://baike.baidu.com/item/%E4%BE%9B%E5%BA%94%E9%93%BE%E6%94%BB%E5%87%BB/55662290 Accessed 2023/2/16.
(2) Detection and defense of supply chain attacks, Shanfenglan7's blog, CSDN. https://bing.com/search?q=%e4%be%9b%e5%ba%94%e9%93%be%e6%94%bb%e5%87%bb Accessed 2023/2/16.
(3) Interpretation of six common types of software supply chain attacks, Zhihu column. https://zhuanlan.zhihu.com/p/382478630 Accessed 2023/2/16.
(4) What is a supply chain attack? Solutions and Examples, Keeper. https://www.keepersecurity.com/zh_CN/threats/supply-chain-attack.html Accessed 2023/2/16.

Source: https://blog.csdn.net/why123wh/article/details/129061012