Supply chain attack
{{Short description|Cyberattack via an industry's supply chain}}
{{Citation style|date=December 2020}}
{{Use dmy dates|date=June 2018}}
[[File:Supply chain network.png|thumb|A supply chain network, which shows how goods are moved from the raw materials stage to being acquired by the end consumer]]
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in its supply chain. Supply chain attacks can occur in any industry, from the financial sector and the oil industry to government, and can involve software or hardware.{{cite web |title=Supply chain attacks |url=https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/supply-chain-malware?view=o365-worldwide |access-date=10 April 2022 |website=docs.microsoft.com |language=en-us}} Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components.{{Cite web |title=New malware hits ATM and electronic ticketing machines |url=http://www.scmagazineuk.com/new-malware-hits-atm-and-electronic-ticketing-machines/article/385650/ |access-date=2015-10-29 |website=SC Magazine UK|date=28 November 2014 }} Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.{{Cite web |title=2019 Internet Security Threat Report Executive Summary |url=https://docs.broadcom.com/doc/istr-24-executive-summary-en |access-date=2021-11-23 |website=Broadcom}}
A supply chain is a system of activities involved in handling, distributing, manufacturing, and processing goods in order to move resources from a vendor into the hands of the final consumer. A supply chain is a complex network of interconnected players governed by supply and demand.{{Cite web|title = Supply Chain Definition {{!}} Investopedia|url = http://www.investopedia.com/terms/s/supplychain.asp|website = Investopedia|access-date = 2015-11-04|language = en-US}}
Although "supply chain attack" is a broad term without a universally agreed-upon definition,{{Cite news |title=Supply chain, cyber security and geo-political issues pose the greatest risks, as risk goes up in importance and profile say risk managers at Sword Active Risk conference |work=M2 Presswire |date=28 July 2015 |access-date=4 November 2015}}{{Cite news |last=Napolitano |first=J. |title=How to secure the global supply chain |newspaper=Wall Street Journal |date=6 January 2011 |access-date=4 November 2015}} in the context of cyber-security a supply chain attack can involve physically tampering with electronics (computers, ATMs, power systems, factory data networks) in order to install undetectable malware that harms a player further down the supply chain network. Alternatively, the term can describe attacks on the software supply chain, in which an apparently low-level or unimportant software component used by other software is used to inject malicious code into the larger software that depends on it.{{Cite web |last=Goodin |first=Dan |date=2024-06-24 |title=Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack |url=https://arstechnica.com/security/2024/06/supply-chain-attack-on-wordpress-plugins-affects-as-many-as-36000-sites/ |access-date=2024-06-25 |website=Ars Technica |language=en-us}}
In a more general sense, a supply chain attack need not involve electronics at all. When burglars broke into the pharmaceutical giant Eli Lilly's supply warehouse in 2010, drilling a hole in the roof and loading $80 million worth of prescription drugs into a truck, they could also be said to have carried out a supply chain attack.{{Cite web|title = Drug theft goes big|url = http://fortune.com/2011/03/31/drug-theft-goes-big/|website = Fortune|access-date = 2015-11-04}}{{Cite web|title = Solving the Eli Lilly Drug Theft|url = http://www.securitymagazine.com/articles/83236-solving-the-eli-lilly-drug-theft|website = www.securitymagazine.com|access-date = 2015-11-04}} This article, however, discusses cyber attacks on supply networks that rely on technology; in that sense, a supply chain attack is a method used by cyber-criminals.
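As an added illustration of the software supply chain case described above (not part of the original article): pinning every dependency to an exact version and to the SHA-256 digest of the artefact that was reviewed, and refusing to install anything that does not match, is one of the standard controls against a tampered low-level component. The lockfile format, the package names and the artefact bytes below are constructed for the example, in the spirit of pip's `--require-hashes` mode; the checker itself is not pip's code.

```python
import hashlib
import re

# Lockfile line: name==version --hash=sha256:<64 hex chars>; nothing looser is accepted.
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artefacts standing in for downloaded wheels or sdists.
GOOD_REQUESTS = b"requests-2.31.0 (constructed artefact contents)"
GOOD_LEFTPAD = b"leftpad-1.0.0 (constructed artefact contents)"
# The same package after a hypothetical upstream compromise: same name and
# version string, different bytes. The marker is a constructed placeholder.
TAMPERED_LEFTPAD = GOOD_LEFTPAD + b"\n# injected code (constructed marker)"

# Constructed lockfile recording the digests that were reviewed and approved.
LOCKFILE = (
    "# constructed example lockfile\n"
    f"requests==2.31.0 --hash=sha256:{sha256_hex(GOOD_REQUESTS)}\n"
    f"leftpad==1.0.0 --hash=sha256:{sha256_hex(GOOD_LEFTPAD)}\n"
)


def parse_lockfile(text: str) -> dict:
    """Return {name: (version, digest)}; reject any unpinned or unhashed line."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def verify_artefacts(pins: dict, downloaded: dict) -> dict:
    """Compare downloaded artefacts ({name: bytes}) against the lockfile.

    Returns {name: status} where status is 'ok', 'hash-mismatch', 'missing'
    (pinned but not downloaded) or 'not-in-lockfile' (downloaded but never
    reviewed, e.g. a transitive dependency that slipped in)."""
    status = {}
    for name, (_version, expected) in pins.items():
        data = downloaded.get(name)
        if data is None:
            status[name] = "missing"
        elif sha256_hex(data) == expected:
            status[name] = "ok"
        else:
            status[name] = "hash-mismatch"
    for name in downloaded:
        if name not in pins:
            status[name] = "not-in-lockfile"
    return status


def install_allowed(status: dict) -> bool:
    """Fail closed: install only if every artefact verified cleanly."""
    return all(s == "ok" for s in status.values())


def demo() -> dict:
    """Constructed install attempt: one clean package, one tampered, one unpinned."""
    downloaded = {
        "requests": GOOD_REQUESTS,
        "leftpad": TAMPERED_LEFTPAD,
        "colorama": b"colorama-0.4.6 (constructed, never reviewed)",
    }
    return verify_artefacts(parse_lockfile(LOCKFILE), downloaded)


if __name__ == "__main__":
    result = demo()
    for name, s in sorted(result.items()):
        print(f"{name:10} {s}")
    print("install allowed:", install_allowed(result))
```

The point of the digest pin is that the name and version string are exactly what an attacker who controls the upstream package keeps unchanged; only the bytes differ, and only a byte-level check notices. Failing closed on an unlisted package is what stops a new transitive dependency from arriving unreviewed.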
Attack framework
Generally, supply chain attacks on information systems begin with an advanced persistent threat (APT){{cite web |last=Williams |first=Brad D. |date=1 July 2021 |title=US-UK Warn Of New Worldwide Russian Cyberespionage |url=https://breakingdefense.com/2021/07/us-uk-warn-of-new-worldwide-russian-cyberespionage/ |website=Breaking Defense}} (see that article for context on threat naming schemes such as APT, GRU, Fancy Bear and SVR) that identifies the member of the supply network with the weakest cyber security in order to affect the target organization.{{Cite news|url = https://www.cert.gov.uk/wp-content/uploads/2015/02/Cyber-security-risks-in-the-supply-chain.pdf|archive-url = https://web.archive.org/web/20150218220339/https://www.cert.gov.uk/wp-content/uploads/2015/02/Cyber-security-risks-in-the-supply-chain.pdf|archive-date = 2015-02-18|title = Cyber-security risks in the supply chain|last = CERT-UK|date = 2015|access-date = 2015-10-27}} Attackers usually do not target a large entity, such as the United States Government, directly; instead they target the third-party software the entity relies on, which is often less protected and therefore an easier target.{{Cite journal |title=Software Supply Chain Attacks, a Threat to Global Cybersecurity: SolarWinds' Case Study {{!}} IIETA |url=https://www.iieta.org/journals/ijsse/paper/10.18280/ijsse.110505 |access-date=2024-12-02 |website=www.iieta.org |language=en |doi=10.18280/ijsse.110505}} According to an investigation produced by Verizon Enterprise, 92% of the cyber security incidents analyzed in its survey occurred among small firms.{{Cite web|url = http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf|title = 2014 Data Breach Investigations Report|date = 2014|access-date = 2015-10-27|publisher = Verizon Enterprise}} Supply chain networks are considered particularly vulnerable because of their many interconnected components.
APTs can often gain access to sensitive information by physically tampering with the production of a product.{{Cite web|title = Organized crime tampers with European card swipe devices|url = https://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines/|access-date = 2015-10-27|date = 10 October 2008|first = Austin|last = Modine|work = The Register}} In October 2008, European law-enforcement officials "uncovered a highly sophisticated credit-card fraud ring" that stole customers' account details using untraceable devices inserted into credit-card readers made in China, then used the data to make repeated bank withdrawals and Internet purchases, amounting to an estimated $100 million in losses.{{Cite news|title = Fraud Ring Funnels Data From Cards to Pakistan|url = https://www.wsj.com/articles/SB122366999999723871|newspaper = Wall Street Journal|access-date = 2015-10-27|issn = 0099-9660|first = Siobhan|last = Gorman}}
Risks
The threat of a supply chain attack poses a significant risk to modern-day organizations and is not limited to the information technology sector; supply chain attacks affect the oil industry, large retailers, the pharmaceutical sector and virtually any industry with a complex supply network.{{Cite web|title = Next Generation Cyber Attacks Target Oil And Gas SCADA {{!}} Pipeline & Gas Journal|url = http://www.pipelineandgasjournal.com/next-generation-cyber-attacks-target-oil-and-gas-scada|website = www.pipelineandgasjournal.com|access-date = 2015-10-27|archive-date = 9 February 2015|archive-url = https://web.archive.org/web/20150209105940/http://www.pipelineandgasjournal.com/next-generation-cyber-attacks-target-oil-and-gas-scada}}{{Cite news|title = Cyber attackers 'target healthcare and pharma companies'|url = http://www.ft.com/intl/cms/s/0/a6b09006-e5c9-11e3-aeef-00144feabdc0.html#axzz3pldWoE8O|newspaper = Financial Times|date = 2014-05-28|access-date = 2015-10-27|issn = 0307-1766|first = Hannah|last = Kuchler}}
The Information Security Forum attributes the risk of supply chain attacks to the information that must be shared with suppliers, stating that "sharing information with suppliers is essential for the supply chain to function, yet it also creates risk... information compromised in the supply chain can be just as damaging as that compromised from within the organization".{{Cite web|url = https://www.securityforum.org/userfiles/public/download-research/ssc/securing-the-supply-chain_esv3.pdf|title = Securing the Supply Chain|publisher = Information Security Forum}}
Muhammad Ali Nasir of the National University of Computer and Emerging Sciences associates this risk with the wider trend of globalization, stating: "…due to globalization, decentralization, and outsourcing of supply chains, numbers of exposure points have also increased because of the greater number of entities involved and that too are scattered all around the globe… [a] cyber-attack on [a] supply chain is the most destructive way to damage many linked entities at once due to its ripple effect."{{Cite conference |title=Potential cyber-attacks against global oil supply chain|last = Nasir|first = Muhammad Ali|book-title =2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) |date = June 2015 |pages = 1–7|doi = 10.1109/CyberSA.2015.7166137|isbn = 978-0-9932-3380-7 |s2cid = 18999955}}
Poorly managed supply chain management systems can become significant targets for cyber attacks, which can lead to the loss of sensitive customer information, disruption of the manufacturing process, and damage to a company's reputation.{{Cite journal|title = Cyber-Resilience: A Strategic Approach for Supply Chain Management|last = Urciuoli|first = Luca|date = Apr 2015|journal = Talent First Network|id = {{ProQuest|1676101578}}}}
Examples
= Compiler attacks =
As of 3 May 2019, Wired reported a connecting thread in recent software supply chain attacks.{{Cite magazine|url=https://www.wired.com/story/barium-supply-chain-hackers/|title=A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree|last=Greenberg|first=Andy|date=2019-05-03|magazine=Wired|access-date=2019-07-16|issn=1059-1028}}
These have been surmised to have spread from infected, pirated copies of popular compilers posted on pirate websites, that is, corrupted versions of Apple's Xcode and Microsoft Visual Studio.{{Cite magazine|url=https://www.wired.com/2015/09/hack-brief-malware-sneaks-chinese-ios-app-store/|title=Hack Brief: Malware Sneaks Into the Chinese iOS App Store|last=Cox|first=Joseph|date=2015-09-18|magazine=Wired|access-date=2019-07-16|issn=1059-1028}}
(In theory, diverse double-compiling, in which the compiler's source is rebuilt with a second, independently written compiler and the results are compared,{{Cite web|url=https://dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html|title=Fully Countering Trusting Trust through Diverse Double-Compiling|website=dwheeler.com|access-date=2019-07-16}} can detect compiler attacks when the compiler itself is the trusted root.)
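The check just described, as an added worked example that is neither the article's nor Wheeler's own code: a toy "compiler" here is a Python code string that turns source text into a "binary" (another code string), so a compiler can compile its own source. The honest compiler, the independently written trusted compiler and the trojaned binary are all constructed for the example; the trojan does nothing beyond reproducing itself when it recognises compiler source, which is exactly the behaviour that ordinary functional tests miss and diverse double-compiling catches.

```python
"""Diverse double-compiling (DDC) on a toy compiler.

A 'binary' is Python code text defining compile_program(src) -> str; running
a binary means exec'ing it. Every compiler below is constructed for the example."""

# Source of the compiler we want to trust (sA). Compilation = prefix a header line.
HONEST_SRC = '''def compile_program(src):
    # Toy "compilation": emit a header line followed by the source.
    return "# toybin\\n" + src
'''

# The binary an honest build of HONEST_SRC produces (cA, good case).
HONEST_BIN = "# toybin\n" + HONEST_SRC

# An independently written compiler for the same toy language (cT). Its output
# format differs from the honest compiler's; DDC tolerates that because only
# the second-stage output is compared.
TRUSTED_BIN = '''# trustedbin
def compile_program(src):
    return "# trustedbin\\n" + src
'''

# A trusting-trust style binary (cA, bad case): compiles ordinary programs
# exactly like the honest compiler, but when asked to compile compiler source
# it emits a copy of itself instead of the honest output. Constructed marker
# only; it carries no behaviour beyond self-reproduction.
_TROJAN_TEMPLATE = (
    "# toybin\n"
    "TEMPLATE = %r\n"
    "def compile_program(src):\n"
    '    if "def compile_program(" in src:\n'
    "        # constructed marker: reproduce this binary instead of the source\n"
    "        return TEMPLATE %% TEMPLATE\n"
    '    return "# toybin\\n" + src\n'
)
TROJANED_BIN = _TROJAN_TEMPLATE % _TROJAN_TEMPLATE


def run_binary(binary: str):
    """Load a toy binary and return its compile_program function."""
    namespace = {}
    exec(binary, namespace)
    return namespace["compile_program"]


def functional_tests_pass(binary: str) -> bool:
    """Ordinary testing: compile a normal program and inspect the output."""
    return run_binary(binary)("print('hello')") == "# toybin\nprint('hello')"


def self_regenerates(binary: str, compiler_src: str) -> bool:
    """Does the binary rebuild itself from the source it claims to come from?
    Both the honest and the trojaned binary pass this, so it proves nothing."""
    return run_binary(binary)(compiler_src) == binary


def ddc_check(untrusted_bin: str, compiler_src: str, trusted_bin: str):
    """Wheeler's DDC: rebuild compiler_src with the trusted compiler (stage1),
    then rebuild it again with stage1 (stage2). If untrusted_bin really is an
    honest, deterministic build of compiler_src, stage2 must equal it byte for
    byte. Returns (verdict, stage2)."""
    stage1 = run_binary(trusted_bin)(compiler_src)
    stage2 = run_binary(stage1)(compiler_src)
    return stage2 == untrusted_bin, stage2


if __name__ == "__main__":
    for label, candidate in (("honest", HONEST_BIN), ("trojaned", TROJANED_BIN)):
        verdict, _ = ddc_check(candidate, HONEST_SRC, TRUSTED_BIN)
        print(f"{label:9} tests pass: {functional_tests_pass(candidate)}  "
              f"self-regenerates: {self_regenerates(candidate, HONEST_SRC)}  "
              f"DDC: {'pass' if verdict else 'FAIL'}")
```

The trusted compiler only has to be functionally correct for the toy language, not bit-compatible with the honest one: its own output (`# trustedbin` header) never enters the comparison, because stage1 is used purely to build stage2. What DDC assumes is that the untrusted binary's source is really the source that was compiled and that compilation is deterministic; without reproducible builds the comparison cannot be made.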
= Target =
{{Further|History of Target Corporation#2013 security breach}}
[[File:Target Westminster, MD (7505810590).jpg|thumb|A Target store in Westminster, Maryland]]
At the end of 2013, Target, a US retailer, was hit by one of the largest data breaches in the history of the retail industry.{{Cite web|title = Target data breach: Why UK business needs to pay attention|url = http://www.computerweekly.com/feature/Target-data-breach-Why-UK-business-needs-to-pay-attention|website = ComputerWeekly|access-date = 2015-10-27}}
Between 27 November and 15 December 2013, Target's American brick-and-mortar stores suffered a data breach. Around 40 million customers' credit and debit cards became susceptible to fraud after malware was introduced into the point-of-sale (POS) system in over 1,800 stores. The breach of Target's customer information had a direct impact on the company's profit, which fell 46 percent in the fourth quarter of 2013.{{Cite news|title = Data Breach Hurts Profit at Target|url = https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html|newspaper = The New York Times|date = 2014-02-26|access-date = 2015-10-27|issn = 0362-4331|first = Elizabeth A.|last = Harris}}
Six months earlier, the company had begun installing a $1.6 million cyber security system, and it had a team of security specialists monitoring its computers constantly. Nonetheless, the supply chain attack circumvented these security measures.{{Cite news|title = Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It|url = https://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data|newspaper = Bloomberg.com|date = 17 March 2014|access-date = 2015-10-30}}
It is believed that cyber criminals infiltrated a third-party supplier to gain access to Target's main data network.{{Cite news|title = Hackers find suppliers are an easy way to target companies|url = http://www.ft.com/intl/cms/s/0/b4807a14-5097-11e4-8645-00144feab7de.html#axzz3pldWoE8O|newspaper = Financial Times|date = 2014-10-20|access-date = 2015-10-27|issn = 0307-1766|first = Hannah|last = Kuchler}} Although not officially confirmed,{{Cite web |url=http://faziomechanical.com/Target-Breach-Statement.pdf |title=Archived copy |access-date=27 October 2015 |archive-url=https://web.archive.org/web/20151106155919/http://faziomechanical.com/Target-Breach-Statement.pdf |archive-date=6 November 2015 |df=dmy-all }} investigators suspect that the hackers first broke into Target's network on 15 November 2013 using credentials stolen from Fazio Mechanical Services, a Pennsylvania-based provider of HVAC systems.{{Cite web|title = Target Hackers Broke in Via HVAC Company — Krebs on Security|url = http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/|website = krebsonsecurity.com| date=9 February 2014 |access-date = 2015-10-27}}
Ninety lawsuits have been filed against Target by customers for carelessness and compensatory damages. Target spent around $61 million responding to the breach, according to its fourth-quarter report to investors.{{Cite web|title = Target Offers $10 Million Settlement In Data Breach Lawsuit|url = https://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit|website = NPR.org| date=19 March 2015 |access-date = 2015-10-30| last1=Parks | first1=Miles }}
= Stuxnet =
{{Main|Stuxnet}}
[[File:Iran NPP CIMG2451 m1.jpg|thumb]]
Stuxnet is a computer worm that is widely believed to be a joint U.S.-Israeli cyber operation, though neither government has officially confirmed involvement. The worm specifically targets industrial control systems, particularly those that automate electromechanical processes, such as factory machinery and nuclear enrichment equipment. Stuxnet was designed to manipulate programmable logic controllers (PLCs), disrupting industrial equipment by issuing unauthorized commands while simultaneously feeding falsified operations data to monitoring systems to conceal its activity.{{Cite web |date=June 2012 |title=Confirmed: US and Israel created Stuxnet, lost control of it |url=https://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/ |access-date=2015-10-27 |website=Ars Technica}}{{Cite web |last=Gross |first=Michael Joseph |date=April 2011 |title=A Declaration of Cyber-War |url=https://archive.vanityfair.com/article/2011/4/a-declaration-of-cyber-war |access-date=26 February 2025 |website=Vanity Fair}}
Stuxnet is widely believed to have been developed to disrupt Iran's uranium enrichment programs. Kevin Hogan, Senior Director of Security Response at Symantec, stated that most infections occurred in Iran.{{Cite web|title = Iran was prime target of SCADA worm|url = http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm|website = Computerworld|date = 23 July 2010|access-date = 2015-10-27|archive-date = 27 July 2010|archive-url = https://web.archive.org/web/20100727034513/http://www.computerworld.com/s/article/9179618/Iran_was_prime_target_of_SCADA_worm}} Analysts suggest that its primary target was the Natanz uranium enrichment facility.
Stuxnet was initially introduced into Iran's Natanz facility via infected USB flash drives, requiring physical access to the target network. According to reports, engineers or maintenance workers, either knowingly or unknowingly, facilitated its entry into the plant. Once inside, the worm spread autonomously, exploiting multiple zero-day vulnerabilities in Windows systems to propagate across networked machines running Siemens industrial control software.{{Cite web |date=8 January 2014 |title=Stuxnet Malware Mitigation (Update B) |url=https://www.cisa.gov/news-events/ics-advisories/icsa-10-238-01b |access-date=27 February 2025 |website=Cybersecurity & Infrastructure Security Agency (CISA)}}{{Cite web |date=24 May 2024 |title=The real story of Stuxnet |url=https://spectrum.ieee.org/the-real-story-of-stuxnet |access-date=27 February 2025 |website=IEEE Spectrum}}
= ATM malware =
In recent years, malware families known as Suceful, Ploutus, Tyupkin and GreenDispenser have affected automated teller machines globally, especially in Russia and Ukraine.{{Cite web|title = Tyupkin Virus (Malware) {{!}} ATM Machine Security {{!}} Virus Definition|url = http://www.kaspersky.com/internet-security-center/threats/tyupkin-malware-atm-security-malware|website = www.kaspersky.com|access-date = 2015-11-04}} GreenDispenser specifically gives attackers the ability to walk up to an infected ATM and empty its cash vault. When installed, GreenDispenser may display an 'out of service' message on the ATM, but attackers with the right access credentials can drain the ATM's cash vault and then remove the malware from the system using an untraceable delete process.{{Cite web|title = Meet GreenDispenser: A New Breed of ATM Malware {{!}} Proofpoint|url = https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser|website = www.proofpoint.com|date = 22 September 2015|access-date = 2015-10-30}}
The other types of malware usually behave in a similar fashion, capturing magnetic stripe data from the machine's memory storage and instructing the machines to withdraw cash. The attacks require a person with insider access, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM.{{Cite magazine|title = New ATM Malware Captures PINs and Cash — Updated|url = https://www.wired.com/2009/06/new-atm-malware-captures-pins-and-cash/|magazine = WIRED|access-date = 2015-10-30}}
The Tyupkin malware, active in March 2014 on more than 50 ATMs at banking institutions in Eastern Europe, is believed to have also spread at the time to the U.S., India, and China. It affects ATMs from major manufacturers running 32-bit Microsoft Windows operating systems. The malware displays information on how much money is available in every machine and allows an attacker to withdraw 40 notes from the selected cassette of each ATM.{{Cite web|title = Tyupkin: manipulating ATM machines with malware - Securelist|url = https://securelist.com/tyupkin-manipulating-atm-machines-with-malware/66988/|website = securelist.com| date=7 October 2014 |access-date = 2020-05-19}}
= NotPetya / M.E.Doc =
{{Main|2017 Ukraine ransomware attacks}}
In June 2017, the financial software M.E.Doc, widely used in Ukraine, was identified by security researchers as a likely initial vector for the spread of the NotPetya malware. Security researchers, including those from Microsoft, indicated that NotPetya infections may have originated from a compromised update issued through M.E.Doc. Some analysts described this as a supply chain attack, though the exact method of compromise was not definitively identified. The software's developers denied the claim but later deleted their statement and stated that they were cooperating with investigators.{{Cite web |date=28 June 2017 |title=Tax software blamed for cyber-attack spread |url=https://www.bbc.com/news/technology-40428967 |access-date=27 February 2025 |website=BBC}}{{Cite news|title = Family firm in Ukraine says it was not responsible for cyber attack|url = https://www.reuters.com/article/us-cyber-attack-ukraine-software-idUSKBN19O2DK|website = reuters.com|date = 3 July 2017|access-date = 2019-06-01|last1 = Polityuk|first1 = Jack Stubbs}}
NotPetya was initially identified as ransomware because it encrypted hard drives and displayed a ransom demand in bitcoin. However, the email account used to provide decryption keys was shut down, leaving victims without a way to recover their files. Unlike WannaCry, NotPetya had no built-in kill switch, making it harder to stop. The attack affected multiple industries in Ukraine, including banks, an airport, the Kyiv metro, pharmaceutical companies, and Chernobyl's radiation detection systems. It also spread globally, impacting organizations in Russia, the United Kingdom, India, and the United States.{{Cite web |last=Brewster |first=Thomas |title=Petya Or NotPetya: Why The Latest Ransomware Is Deadlier Than WannaCry |url=https://www.forbes.com/sites/thomasbrewster/2017/06/27/petya-notpetya-ransomware-is-more-powerful-than-wannacry/ |access-date=2023-05-02 |website=Forbes |language=en}}
NotPetya spread using EternalBlue, an exploit originally developed by the U.S. National Security Agency (NSA) and later leaked. EternalBlue had previously been used in the WannaCry cyberattack in May 2017. It enabled NotPetya to spread through the Windows Server Message Block (SMB) protocol. The malware also used PsExec and Windows Management Instrumentation (WMI) to spread within networks. Because of these propagation methods, once a device on a network was infected, the malware could rapidly spread to other connected systems.
Ukrainian police stated that M.E.Doc employees could face criminal liability for negligence, citing repeated warnings from antivirus firms about security vulnerabilities in the company's cybersecurity infrastructure. The head of Ukraine's CyberPolice, Colonel Serhiy Demydiuk, alleged that M.E.Doc had been repeatedly warned by security firms about weaknesses in its systems but failed to act, stating, "They knew about it." Authorities later reported that M.E.Doc cooperated with investigators.{{Cite news |date=2017-07-03 |title=Ukrainian software company will face charges over cyber attack, police suggest |language=en-AU |work=ABC News |url=https://www.abc.net.au/news/2017-07-03/cyber-attack-charge-ukarine/8675006 |access-date=2023-05-02}}
= British Airways =
From 21 August until 5 September 2018, British Airways was under attack. The payment section of the British Airways website contained injected code that harvested customer payment data. The injected code was written specifically to route credit card information to the domain baways.com, which could erroneously be thought to belong to British Airways.{{Cite web|title = Customer data theft|url = https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information/|website = britishairways.com|access-date = 2019-06-01}}
Magecart is the entity believed to be behind the attack. Magecart is a name attributed to multiple hacker groups that use skimming techniques to steal customer information through online payment processes.{{Cite web |title=What Is Magecart {{!}} Attack Examples & Prevention Techniques {{!}} Imperva |url=https://www.imperva.com/learn/application-security/magecart/ |access-date=2023-05-02 |website=Learning Center |language=en-US}} Approximately 380,000 customers had their personal and financial data compromised as a result of the attack. In October 2018, British Airways reported that an additional 185,000 customers may also have had their personal information stolen.{{Cite web |last1=Kolesnikov |first1=Oleg |last2=Harshvardhan |first2=Parashar |date=6 November 2018 |title=Securonix Threat Research: BRITISH AIRWAYS BREACH: MAGECART FORMGRABBING SUPPLY CHAIN ATTACK DETECTION |url=https://www.securonix.com/wp-content/uploads/2021/07/Securonix_Threat_Research_Magecart.pdf |access-date=2 May 2023 |website=Securonix.com}}
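As an added example of the control a defender would want against the kind of injection described above (not from the article, and not British Airways' code): a browser-side Content-Security-Policy decides which hosts a page may send data to, so skimmer code that posts card details to an unexpected domain fails the check regardless of how it got onto the page. The evaluator below is a simplified CSP source-expression matcher (no path matching, no nonce or hash sources); the checkout page URL, the lookalike host baways.com taken from the text, and both policies are constructed for the illustration, with a lax policy placed beside the strict one to show the difference.

```python
"""Would a Content-Security-Policy have blocked a skimmer's exfiltration?

Simplified CSP source matching: scheme-source, host-source with *. wildcard
and ports, 'self', 'none' and *. Path matching and nonce/hash sources are
omitted. Page, policies and URLs are constructed for the example."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Fetch directives fall back to default-src when absent; form-action does not.
FALLS_BACK_TO_DEFAULT = {"connect-src", "script-src", "img-src", "frame-src"}


def parse_policy(header: str) -> dict:
    """'a b c; d e' -> {'a': ['b', 'c'], 'd': ['e']} (first occurrence wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _port(u):
    return u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)


def source_matches(source: str, url: str, page: str) -> bool:
    """Does one CSP source expression permit `url`, evaluated from `page`?"""
    src = source.lower()
    u, p = urlsplit(url), urlsplit(page)
    if src == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (p.scheme, p.hostname, _port(p))
    if src.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: never match a URL
        return False
    if src == "*":
        return u.scheme in DEFAULT_PORTS
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return u.scheme == src[:-1] or (src == "http:" and u.scheme == "https")
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    want_scheme = scheme or p.scheme
    if u.scheme != want_scheme and not (want_scheme == "http" and u.scheme == "https"):
        return False
    h = (u.hostname or "").lower()
    if host.startswith("*."):
        if not h.endswith(host[1:]):  # *.example.com matches a.example.com, not example.com
            return False
    elif host != "*" and h != host:
        return False
    if port == "*":
        return True
    if port:
        return _port(u) == int(port)
    return _port(u) == DEFAULT_PORTS.get(u.scheme)


def is_allowed(policy: dict, directive: str, url: str, page: str) -> bool:
    """Apply one directive; no applicable directive means no restriction."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, page) for s in sources)


# Constructed checkout page and the two policies to compare.
PAGE = "https://www.britishairways.com/checkout"
STRICT = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
          "form-action 'self' https://*.britishairways.com")
LAX = "default-src * 'unsafe-inline'"


def audit(header: str) -> dict:
    """Evaluate the requests a skimmer or the page itself would make against a policy."""
    policy = parse_policy(header)
    attempts = {
        "form POST to lookalike": ("form-action", "https://baways.com/collect"),
        "XHR to lookalike": ("connect-src", "https://baways.com/collect"),
        "form POST to own API": ("form-action", "https://api.britishairways.com/pay"),
        "script from third party": ("script-src", "https://cdn.example/skimmer.js"),
    }
    return {name: is_allowed(policy, d, url, PAGE) for name, (d, url) in attempts.items()}


if __name__ == "__main__":
    for label, header in (("strict", STRICT), ("lax", LAX)):
        print(label, audit(header))
```

Two details matter for this attack class. First, `form-action` does not inherit from `default-src`, so a policy that only sets `default-src` leaves form submissions to any host unrestricted, which is the lax case above. Second, a lookalike domain gains nothing against an allowlist: the policy matches the host literally, so `baways.com` fails even though a human reader might accept it as legitimate.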
= SolarWinds =
{{anchor|SolarWindsOrionPlatform}}
{{Main|2020 United States federal government data breach}}
The 2020 SolarWinds cyberattack was linked to a supply chain compromise targeting the IT infrastructure company SolarWinds, which provided software used by multiple U.S. federal institutions,{{cite magazine |title=Solar Winds, Probably Hacked by Russia, Serves White House, Pentagon, NASA |author=Christina Zhao |url=https://www.newsweek.com/solar-winds-probably-hacked-russia-serves-white-house-pentagon-nasa-1554447 |magazine=Newsweek |date=14 December 2020 |access-date=2020-12-14}}{{Cite news|url=https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html|title=Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit|first1=David E.|last1=Sanger|first2=Nicole|last2=Perlroth|first3=Eric|last3=Schmitt|newspaper=The New York Times|date=15 December 2020}} including networks within the National Nuclear Security Administration (NNSA).{{cite web |url=https://www.usatoday.com/story/news/politics/2020/12/18/russian-cyber-attack-worst-may-yet-come-solarwinds-hacking/3956223001/ |first1=Kevin |last1=Johnson |first2=Mike |last2=Snider |date=18 Dec 2020 |title=Russian cyber attack against US: Worst may be yet to come, experts fear, as Trump remains mum |work=USA Today}}{{Cite web |date=17 December 2020 |title=Nuclear weapons agency breached amid massive cyber onslaught |url=https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855 |access-date=2 March 2025 |website=Politico}} Russian hackers compromised Orion, a widely used network management software developed by SolarWinds, by injecting malicious code into software updates. This allowed them to gain unauthorized access to numerous organizations, including multiple U.S. government agencies that relied on Orion for IT monitoring and management.{{Cite book |last1=Alkhadra |first1=Rahaf |last2=Abuzaid |first2=Joud |last3=AlShammari |first3=Mariam |last4=Mohammad |first4=Nazeeruddin |chapter=Solar Winds Hack: In-Depth Analysis and Countermeasures |date=2021-07-06 |title=2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT) |chapter-url=https://ieeexplore.ieee.org/document/9579611 |publisher=IEEE |pages=1–7 |doi=10.1109/ICCCNT51525.2021.9579611 |isbn=978-1-7281-8595-8}}
On 13 December 2020, the U.S. Department of Homeland Security issued Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise", requiring affected federal agencies to disconnect compromised Windows host OS instances from their enterprise domain and rebuild those hosts using trusted sources. These compromised systems had been running SolarWinds Orion.{{Cite web |date=13 December 2020 |title=Emergency Directives - ED 21-01: Mitigate SolarWinds Orion Code Compromise |url=https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise |access-date=2 March 2025 |website=CISA}}
In December 2020, FireEye identified a cyber breach involving the SolarWinds Orion software, which had been compromised prior to its discovery. Microsoft was among the organizations affected, detecting and removing malicious files linked to the breach.{{Cite web |date=31 December 2020 |title=Microsoft says hackers were able to see some of its source code |url=https://www.theverge.com/2020/12/31/22208401/microsoft-solarwinds-source-code-russian-hackers |access-date=2 March 2025 |website=The Verge}}{{Cite web |date=17 December 2020 |title=Microsoft identifies more than 40 organizations targeted in massive cyber breach |url=https://edition.cnn.com/2020/12/17/politics/microsoft-hack-organizations/index.html |access-date=2 March 2025 |website=CNN}} Microsoft has since collaborated with FireEye as part of an ongoing investigation into the incident. The cyberattack targeted supply chain software used across various industries, including government, consulting, technology, telecommunications, and extractive sectors in North America, Europe, Asia and the Middle East.
On 5 January 2021, a joint statement from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) indicated that, while approximately 18,000 public and private sector entities were affected by the SolarWinds breach, fewer than ten U.S. government agencies were confirmed to have been compromised.{{Cite web |date=2021-01-05 |title=Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) {{!}} CISA |url=https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure |access-date=2024-12-02 |website=www.cisa.gov |language=en}}
= Microsoft Exchange Server =
{{anchor|Azure}}
{{anchor|Intune}}
{{Main|2021 Microsoft Exchange Server data breach}}
In February 2021, Microsoft determined that the attackers had downloaded a few files "(subsets of service, security, identity)" apiece from:{{cite web |last=Goodin |first=Dan |date=18 February 2021 |title=Microsoft says SolarWinds hackers stole source code for 3 products |url=https://arstechnica.com/information-technology/2021/02/microsoft-says-solarwinds-hackers-stole-source-code-for-3-products/ |website=Ars Technica}}
- "a small subset of Azure components"
- "a small subset of Intune components"
- "a small subset of Exchange components"
None of the Microsoft repositories contained production credentials. The repositories were secured in December, and those attacks ceased in January. However, in March 2021 more than 20,000 US organizations were compromised through a back door installed via flaws in Exchange Server.{{cite web |last=Barrett |first=Brian |date=6 March 2021 |title=China's and Russia's spying spree will take years to unpack |url=https://arstechnica.com/information-technology/2021/03/chinas-and-russias-spying-spree-will-take-years-to-unpack/ |website=Ars Technica}} The affected organizations, such as credit unions, town governments, and small businesses, use self-hosted (on-site rather than cloud-based) e-mail. The flaws were patched on 2 March 2021, but by 5 March 2021 only 10% of the compromised organizations had applied the patch, leaving the back door open on the rest.{{cite web |author=The Exchange Team |date=8 March 2021 |title=March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server |url=https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020 |website=Microsoft Tech Community}} (Microsoft released updates on 8 March 2021 for Exchange 2019 CU4, 5 and 6 and Exchange 2016 CU14, 15 and 16, and on 10 March 2021 for Exchange 2019 CU3, Exchange 2016 CU12, 13 and 17, and Exchange 2013 CU21 and 22.) US officials are attempting to notify the affected organizations, which are smaller than the organizations affected in December 2020.{{cite news |last1=Menn |first1=Joseph |last2=Satter |first2=Raphael |last3=Hunnicutt |first3=Trevor |date=5 March 2021 |title=More than 20,000 U.S. organizations compromised through Microsoft flaw |url=https://www.reuters.com/article/us-usa-cyber-microsoft/as-microsoft-email-software-hack-spreads-experts-brace-for-more-impact-idUSKBN2AX23U |work=Reuters}}
Microsoft has updated its Indicators of Compromise tool and has released emergency mitigation measures for its Exchange Server flaws.{{cite web |last=Williams |first=Brad D. |date=6 March 2021 |title=Microsoft Pushes Urgent Fixes Overnight As Threat Actors Compromise Exchange Servers Worldwide |url=https://breakingdefense.com/2021/03/microsoft-updates-exchange-server-ioc-tool-emergency-alternative-mitigations-overnight/ |website=Breaking Defense}} As of March 2021, the attacks on SolarWinds and on Microsoft software are thought to be independent. The Indicators of Compromise tool allows customers to scan their Exchange Server log files for signs of compromise.{{cite magazine |last=Newman |first=Lily Hay |date=10 March 2021 |title=It's Open Season for Microsoft Exchange Server Hacks |url=https://www.wired.com/story/microsoft-exchange-patch-hacks-ransomware/ |magazine=Wired}}{{cite web |date=9 March 2021 |title=I can't believe I have to say this (again) ... |url=https://mobile.twitter.com/evacide/status/1369480451971190788 |website=Twitter}} At least 10 attacking groups are using the Exchange Server flaws.{{cite news |date=March 2021 |title=At least 10 hacking groups using Microsoft software flaw -researchers |url=https://news.trust.org/item/20210310152040-foj30 |work=Reuters}} Rival vendors have accused Microsoft of using the episode as a distraction.{{cite web |last=Akhar |first=Allana |date=12 March 2021 |title=Google accused Microsoft of unfairly attacking the tech giant to distract from the massive Exchange hack |url=https://www.businessinsider.com/google-said-microsoft-diverted-attention-away-from-exchange-hack-2021-3 |website=Business Insider}}{{cite web |last=Kotolov |first=Maria |date=4 February 2021 |title=Supply chain attacks show why you should be wary of third-party providers |url=https://www.csoonline.com/article/3191947/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html |website=CSO Online}} Web shells can remain on a patched server, which still allows cyberattacks based on the affected servers.{{cite web |last=Goodin |first=Dan |date=23 March 2021 |title=Ransomware operators are piling on already hacked Exchange servers |url=https://arstechnica.com/gadgets/2021/03/ransomware-operators-are-piling-on-already-hacked-exchange-servers/ |website=Ars Technica}} As of 12 March 2021, exploit attempts were doubling every few hours according to Check Point Research,{{cite web |last=Osborne |first=Charlie |date=12 March 2021 |title=Microsoft Exchange Server hacks 'doubling' every two hours |url=https://www.zdnet.com/article/microsoft-exchange-server-hacks-doubling-every-two-hours/ |website=ZDNet}} some of them carried out in the name of security researchers themselves, with malicious code spoofing Brian Krebs.{{cite web |author=Shadowserver |date=28 March 2021 |title=Attackers Breach 21,000 Microsoft Exchange Servers, Install Malware Implicating Brian Krebs |url=https://it.slashdot.org/story/21/03/28/1924206/attackers-breach-21000-microsoft-exchange-servers-install-malware-implicating-brian-krebs |website=Slashdot}}
By 14 April 2021 the FBI had completed a covert cyber operation to remove the web shells from afflicted servers and was informing the servers' owners of what had been done.[https://breakingdefense.com/2021/04/doj-reveals-secret-fbi-op-to-clean-exchange-servers/ Brad D. Williams (13 Apr 2021) Revealed: Secret FBI Cyber Op To Clean Exchange Servers]
In May 2021 Microsoft identified 3000 malicious emails sent to 150 organizations in 24 countries by a group that Microsoft has denoted 'Nobelium'. Many of those emails were blocked before delivery. 'Nobelium' gained access to a Constant Contact "email marketing account used by the US Agency for International Development (USAID)".[https://www.cnn.com/2021/05/28/tech/microsoft-solarwinds-russia-hack-intl-hnk/index.html Jill Disis and Zahid Mahmood (28 May 2021) Microsoft says SolarWinds hackers have struck again at the US and other countries][https://www.nbcnews.com/tech/security/solarwinds-hackers-are-it-again-targeting-150-organizations-microsoft-warns-n1268893 Phil Helsel, Ezra Kaplan and Kevin Collier (28 May 2021) SolarWinds hackers are at it again, targeting 150 organizations, Microsoft warns][https://abcnews.go.com/US/kremlin-rejects-microsoft-allegations-carried-hack-state-department/story?id=77958843 Patrick Reevell (28 May 2021) Kremlin rejects new Microsoft allegations it carried out hack via State Department email: Microsoft said Thursday the hack targeted dozens of organizations.]
Security researchers assert that 'Nobelium' crafts spear-phishing email messages that unsuspecting users click on; the links then direct the installation of malicious 'Nobelium' code that infects the users' systems, making them subject to ransom, espionage, disinformation, etc.[https://arstechnica.com/gadgets/2021/05/the-solarwinds-hackers-arent-back-they-never-went-away/ Lily Hay Newman (30 May 2021) The SolarWinds hackers aren't back—they never went away] The US government has identified 'Nobelium' as stemming from Russia's Federal Security Service.[https://arstechnica.com/gadgets/2021/06/solarwinds-hackers-breach-new-victims-including-a-microsoft-support-agent/?comments=1 Dan Goodin (26 Jun 2021) SolarWinds hackers breach new victims, including a Microsoft support agent] By July 2021 the US government was expected to name the initiator of the Exchange Server attacks:[https://breakingdefense.com/2021/07/government-to-attribute-exchange-hacks-soon/ Brad D Williams (2 Jul 2021) China Likely Outed Soon For Exchange Hacks] "China's Ministry of State Security has been using criminal contract hackers".[https://apnews.com/article/microsoft-exchange-hack-biden-china-d533f5361cbc3374fdea58d3fb059f35 Eric Tucker (19 Jul 2021) Microsoft Exchange email hack was caused by China, US says][https://breakingdefense.com/2021/07/us-playing-long-game-to-pressure-china-on-cyber-ops-experts/ Brad D Williams (22 Jul 2021) US Playing Long Game To Pressure China On Cyber Ops: Experts]
In September 2021 the Securities and Exchange Commission (SEC) enforcement staff requested that companies which downloaded compromised SolarWinds updates voluntarily turn over data to the SEC if they installed those updates on their servers.[https://news.slashdot.org/story/21/09/10/2030221/wide-ranging-solarwinds-probe-sparks-fear-in-corporate-america Christopher Bing, Chris Prentice and Joseph Menn (10 Sep 2021) Wide-Ranging SolarWinds Probe Sparks Fear in Corporate America (Reuters.com)]
In July 2022 SessionManager, a malicious module hosted by IIS (which is installed by default on Exchange Servers), was discovered to have been infecting Exchange Servers since March 2021; SessionManager searches memory for passwords and downloads new modules in order to hijack the server.[https://arstechnica.com/information-technology/2022/06/microsoft-exchange-servers-worldwide-hit-by-stealthy-new-backdoor/ Dan Goodin (30 Jun 2022) Microsoft Exchange servers worldwide hit by stealthy new backdoor]
= Golden SAML =
Mandiant, a security firm, has shown that nation-state-sponsored groups, once they have gained access to corporate clouds, can exploit the Security Assertion Markup Language (SAML) to obtain federated authentication to Active Directory and similar services at will.{{efn|name=goldenSaml|[https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps Shaked Reiner (12-11-2017) Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps] as cited by Mandiant; see also [https://it.slashdot.org/story/21/12/06/2345238/solarwinds-hackers-have-a-whole-bag-of-new-tricks-for-mass-compromise-attacks Dan Goodin (6 Dec 2021) SolarWinds Hackers Have a Whole Bag of New Tricks For Mass Compromise Attacks]}} Because the technique allows attackers to pose as any member of the targeted organization, once they have access they can reach any information or assets belonging to it.{{Cite web |title=Golden SAML Revisited: The Solorigate Connection |url=https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection |access-date=2023-05-02 |website=www.cyberark.com |language=en}} These attacks are becoming progressively more attractive to malicious actors as companies and agencies continue to move assets to cloud services.{{Cite web |title=Detection And Hunting Of Golden SAML Attack |url=https://blog.sygnia.co/detection-and-hunting-of-golden-saml-attack |access-date=2023-05-02 |website=blog.sygnia.co |date=21 July 2021 |language=en}}
In 2020, SolarWinds was subject to what is described as the first documented Golden SAML attack, often referred to as "Solorigate". A malicious actor infected the source code of a software update with backdoor code made to look legitimate.{{Cite web |last=Goud |first=Naveen |date=2021-01-07 |title=What is Solorigate |url=https://www.cybersecurity-insiders.com/what-is-solorigate/ |access-date=2023-05-02 |website=Cybersecurity Insiders |language=en-US}} Customers began installing the faulty update on their systems, ultimately affecting over 18,000 individuals globally. The attack affected a number of United States government agencies as well as private sector organizations.
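A Golden SAML token carries a valid signature, so signature validation alone cannot catch it; the hunting approach described in the sources above is to compare what the service provider accepted against what the identity provider actually issued. The following is an added example written for this article, not code from Mandiant, CyberArk or Sygnia. It assumes the service provider retains the raw assertions it accepted, that the IdP's issuance log exports the assertion IDs it minted, and that the trusted token-signing certificate thumbprint is known. The certificates and log entries are constructed stand-ins, and the XML signature itself is not cryptographically checked here (a forged token would pass that check anyway, which is the point of the technique).

```python
"""Hunt for Golden SAML-style forged assertions (added example; all data constructed)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_thumbprint(b64_cert: str) -> str:
    """SHA-1 thumbprint of a DER certificate supplied as base64 (the form IdP consoles report)."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_assertion(xml_text: str) -> dict:
    """Extract the fields the hunt needs from a SAML 2.0 Assertion element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    cert = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS
    )
    return {
        "id": root.get("ID"),
        "issued": root.get("IssueInstant"),
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "thumbprint": cert_thumbprint(cert) if cert else None,
    }


def find_forged_assertions(sp_assertions, idp_issued_ids, trusted_thumbprints):
    """Flag assertions the SP accepted that the IdP never issued or that an unknown key signed."""
    findings = []
    for xml_text in sp_assertions:
        a = parse_assertion(xml_text)
        reasons = []
        if a["thumbprint"] not in trusted_thumbprints:
            reasons.append("signing certificate is not the IdP's token-signing certificate")
        if a["id"] not in idp_issued_ids:
            reasons.append("no token-issuance record for this assertion ID at the IdP")
        if reasons:
            findings.append({"id": a["id"], "subject": a["subject"], "reasons": reasons})
    return findings


# Constructed stand-ins: these byte strings are not real certificates.
TRUSTED_CERT_B64 = base64.b64encode(b"constructed stand-in for the IdP token-signing cert").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed stand-in for an attacker-made cert").decode()
TRUSTED_THUMBPRINTS = {cert_thumbprint(TRUSTED_CERT_B64)}
# Constructed: assertion IDs that the IdP's own issuance log records.
IDP_ISSUED_IDS = {"_id-legit-001"}


def make_assertion(assertion_id: str, subject: str, cert_b64: str) -> str:
    """Build a minimal (constructed) SAML 2.0 assertion for the sample data."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{assertion_id}" Version="2.0"
    IssueInstant="2020-12-13T08:00:00Z">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <ds:Signature>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
</saml:Assertion>"""


# Constructed sample of what the service provider accepted.
SP_ASSERTIONS = [
    make_assertion("_id-legit-001", "alice@corp.example", TRUSTED_CERT_B64),
    # Golden SAML pattern: genuine signing certificate, but the IdP never issued this token.
    make_assertion("_id-forged-002", "globaladmin@corp.example", TRUSTED_CERT_B64),
    # Token signed by a certificate the IdP does not use at all.
    make_assertion("_id-rogue-003", "bob@corp.example", ROGUE_CERT_B64),
]


def run_hunt():
    return find_forged_assertions(SP_ASSERTIONS, IDP_ISSUED_IDS, TRUSTED_THUMBPRINTS)


if __name__ == "__main__":
    for f in run_hunt():
        print(f["id"], f["subject"], "; ".join(f["reasons"]))
```

The second assertion is the one that matters: it verifies cleanly because it was signed with the real token-signing key, and only the absence of a matching issuance record at the IdP gives it away. In practice the join between SP-side sign-in records and IdP issuance events is therefore the detection, and the IdP's log must be exported somewhere the attacker cannot edit.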
= Colonial Pipeline =
{{Main|Colonial Pipeline ransomware attack}}
In May 2021, a ransomware attack on Colonial Pipeline forced a temporary shutdown of a major fuel distribution network, disrupting the supply of gasoline, diesel, and jet fuel to the U.S. East Coast. The Biden administration invoked emergency powers to prevent shortages, while experts described the incident as the worst-ever cyberattack on U.S. infrastructure. The attack, attributed to the Russian-linked cybercriminal group DarkSide, raised concerns about vulnerabilities in critical energy systems, as fuel traders sought alternative supply routes and fears of price spikes emerged.{{Cite web |date=10 May 2021 |title=US invokes emergency powers after cyber-attack on fuel pipeline |url=https://www.theguardian.com/us-news/2021/may/10/us-invokes-emergency-powers-after-cyberattack-shuts-crucial-fuel-pipeline |access-date=28 February 2025 |website=The Guardian}}
On June 16, 2021, President Biden stated to President Putin that cyberattacks on 16 critical infrastructure sectors were off-limits and said that the U.S. would respond to future cyber threats.{{Cite web |date=3 July 2021 |title=Massive Ransomware Attack May Impact Thousands of Victims |url=https://finance.yahoo.com/news/massive-ransomware-attack-hit-more-142607052.html |access-date=28 February 2025 |website=Yahoo Finance (Bloomberg)}} The 16 critical infrastructure sectors, as designated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), include energy, food and agriculture, emergency services, healthcare, and other essential industries such as financial services, communications, and transportation systems.{{Cite web |title=Critical Infrastructure Sectors |url=https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors |access-date=28 February 2025 |website=U.S. Cybersecurity and Infrastructure Security Agency (CISA)}}
= 3CX attack =
In March 2023, the voice and video chat app 3CX Phone System was thought to have been subject to a supply chain attack after malicious activity was detected in the software. The app is used in a wide variety of industries, from food to automotive, and an attack has the potential to impact hundreds of thousands of users worldwide.{{Cite web |last=Paganini |first=Pierluigi |date=2023-04-04 |title=3CX Supply chain attack allowed targeting cryptocurrency companies |url=https://securityaffairs.com/144411/apt/3cx-supply-chain-attack-cryptocurrency.html |access-date=2023-05-02 |website=Security Affairs |language=en-US}} The malware infects the host device through the installation process, acting as a Trojan horse spread through both macOS and Windows installers. The attackers employed an infostealer through a malicious payload that connected to a C2 server controlled by the threat actor.{{Cite web |title=Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack |url=https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ |access-date=2023-05-02 |website=securelist.com|date=3 April 2023 }}
The attack utilized the Gopuram backdoor, originally discovered by the Russian cybersecurity company Kaspersky in 2020. The use of this backdoor suggested that the attack was executed by the North Korean cybercrime group known as Lazarus, which had used the same backdoor in a 2020 attack against a South Asian cryptocurrency company. The Gopuram backdoor has been utilized in other past attacks against cryptocurrency companies, which Lazarus has been known to target.
= United States Department of State attack =
In July 2023, Chinese state-sponsored hackers targeted the United States Department of State, hacking several government employees' Microsoft email accounts, which gave them access to classified information. They stole information from about 60,000 emails from several Department of State employees.{{Cite web |last=Lyngaas |first=Sean |date=2023-09-28 |title=Chinese hackers stole 60,000 emails from senior State Department officials in May {{!}} CNN Politics |url=https://www.cnn.com/2023/09/28/politics/china-hackers-state-department-emails-senate-briefing/index.html |access-date=2024-12-02 |website=CNN |language=en}} Department of State officials have stated that the information stolen includes "victims' travel itineraries and diplomatic deliberations".{{Cite web |date=2023-09-27 |title=Chinese hackers nab 60,000 emails in State Department breach |url=https://www.politico.com/news/2023/09/27/chinese-hackers-nab-60-000-emails-in-state-department-breach-00118547 |access-date=2024-12-02 |website=POLITICO |language=en}} Such information could be used to monitor important government officials and to track United States communications that are meant to be confidential. The Department of State hack occurred due to vulnerabilities in Microsoft Exchange Server, classifying it as a supply-chain attack.
= XZ Utils backdoor =
{{main|XZ Utils backdoor}}
In March 2024, a backdoor in xz/liblzma in XZ Utils was suspected,{{cite web|url=https://www.openwall.com/lists/oss-security/2024/03/29/4|title=backdoor in upstream xz/liblzma leading to ssh server compromise|last=Freund|first=Andres|date=2024-03-29|publisher=oss-security mailing list}} with malicious code known to be present in versions 5.6.0 and 5.6.1. While the exploit remained dormant unless a specific third-party patch of the SSH server was in use, under the right circumstances this interference could enable a malicious actor to break sshd authentication and gain unauthorized remote access to the entire system.{{Cite web |title=Urgent security alert for Fedora 41 and Rawhide users |url=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |access-date=2024-03-29 |website=www.redhat.com |language=en}}
The list of affected Linux distributions includes Debian unstable,{{Cite web |title=CVE-2024-3094 |url=https://security-tracker.debian.org/tracker/CVE-2024-3094 |access-date=2024-03-30 |website=security-tracker.debian.org}} Fedora Rawhide,{{Cite web |title=Urgent security alert for Fedora 41 and Fedora Rawhide users |url=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users |access-date=2024-03-30 |website=www.redhat.com |language=en}} Kali Linux,{{Cite web |date=2024-03-29 |title=All about the xz-utils backdoor {{!}} Kali Linux Blog |url=https://www.kali.org/blog/about-the-xz-backdoor/ |access-date=2024-03-30 |website=Kali Linux |language=English}} and OpenSUSE Tumbleweed.{{Cite web |date=2024-03-29 |title=openSUSE addresses supply chain attack against xz compression library |url=https://news.opensuse.org/2024/03/29/xz-backdoor/ |access-date=2024-03-30 |website=openSUSE News |language=en}} Most Linux distributions that followed a stable release update model were not affected, since they were carrying older versions of xz.{{cite web |last1=James |first1=Sam |title=xz-utils backdoor situation |url=https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 |website=Gist |language=en}} Arch Linux issued an advisory for users to update immediately, although it also noted that Arch's OpenSSH package does not include the common third-party patch necessary for the backdoor.{{Cite web |title=Arch Linux - News: The xz package has been backdoored |url=https://archlinux.org/news/the-xz-package-has-been-backdoored/ |access-date=2024-03-30 |website=archlinux.org}} FreeBSD is not affected by this attack, as all supported FreeBSD releases include versions of xz that predate the affected releases and the attack targets Linux's glibc.{{Cite web |title=Disclosed backdoor in xz releases - FreeBSD not affected |url=https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html |access-date=2024-03-30}}
= Ethereum Smart Contract and NPM Library typosquat attack =
On 31 October 2024, cybersecurity researchers from several security firms, including Phylum, Socket, and Checkmarx, detected an attack on users of the open-source Node Package Manager (NPM) registry. Unidentified attackers published more than 287 packages in an attempt to trick users of the platform into downloading malicious code.{{Cite web |date=2024-10-31 |title=Fake Puppeteer Packages Contain Malware |url=https://blog.phylum.io/supply-chain-security-typosquat-campaign-targeting-puppeteer-users/ |access-date=2025-02-27 |website=Phylum Research |language=en}} The attack used a technique called typosquatting, which closely copies the names of legitimate packages so that unsuspecting developers accidentally download the wrong one. For the package fetch-mock-jest, the attacker rearranged the order of the words and misspelled the word fetch, creating the name "jest-fet-mock". Based on the kind of packages mimicked, researchers believe this attack broadly targeted software developers using NPM. The mimicked packages are mostly HTTP-request mocking and cryptocurrency-related libraries, including Puppeteer, Bignum.js, and fetch-mock-jest, which are mainly used in development environments.{{Cite web |title=npm_ethereum_smart_contracts_campaign |url=https://gist.github.com/masteryoda101/d4e90eb8004804d062bc04cf1aec4bc0 |access-date=2025-02-27 |website=Github |language=en}}{{rs|date=February 2025}}
Phylum researchers noted that these typosquatted packages seemed normal at first glance, but upon closer inspection they contained heavily obfuscated code. After de-obfuscating the code, researchers found that once the malicious package is mistakenly installed it automatically runs a script that interacts with an Ethereum smart contract to retrieve the IP addresses of the command and control (C2) server used by the attackers. The script then identifies the operating system of the victim machine and downloads compatible malware from the IP address it received from the contract. This malware maintains persistent communication with the attacker's C2 server, periodically leaking the user's system information such as the operating system version, GPU, CPU, the amount of memory on the machine, and username.
Checkmarx researcher Yehuda Gelb explains that if researchers attempt to take down a C2 server at a specific IP address, the attacker can simply update the Ethereum contract so that it returns a different address. Describing the mechanism behind the contract, he wrote: "Think of a smart contract on the Ethereum blockchain as a public bulletin board – anyone can read what's posted, but only the owner has the ability to update it". This complicates the issue because the malware can always query the smart contract for an updated C2 address in case the current one has been taken down by authorities.
Researchers worried that several companies' software development supply chains can be put at risk when attackers typosquat the packages they depend on. They elaborate that the untraceable nature of the attack, combined with its precisely engineered methods of persistence, only adds to the looming threat. Furthermore, company employees usually have elevated system privileges and access to CI/CD pipelines when using development environments, further endangering the company's and its customers' data. They warned that developers who use npm packages like the ones above at any stage of the software development lifecycle must take caution and implement robust dependency scanning before performing any installations.{{Cite web |title=Massive npm Malware Campaign Leverages Ethereum Smart Contra... |url=https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-smart-contracts |access-date=2025-02-27 |website=Socket |language=en-US}}
There is little to no information on the attackers' identity or motive. Researchers did find error messages written in Russian within the de-obfuscated code of the malicious packages, but they speculate that this could be misdirection set up by the real culprits to throw off suspicion. Phylum, Checkmarx, and Socket researchers drew attention to the ever-evolving nature of supply chain attacks, and to how threat actors have continually come up with creative ways to evade detection of the servers under their control, highlighting the importance of double-checking any dependencies downloaded during the development phase of a project.
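The "robust dependency scanning before performing any installations" that the researchers recommend can start with a pre-install check of requested package names against the packages a project is known to use. The block below is an added example for this article, not a tool from Phylum, Socket or Checkmarx. It assumes two heuristics: an edit-distance comparison of the whole name (catching "puppeter" for "puppeteer"), and a comparison of the name's sorted word tokens (catching the word reordering plus misspelling in "jest-fet-mock" for "fetch-mock-jest" described above). The known-package list and the package.json it scans are constructed.

```python
"""Flag dependency names that look like typosquats of known packages (added example)."""
import json
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(name: str) -> list:
    """Split a package name into its sorted word tokens so reordering does not matter."""
    return sorted(t for t in re.split(r"[-_.]", name.lower()) if t)


def typosquat_matches(candidate: str, known_packages, max_distance: int = 2) -> list:
    """Return (known_name, reason, distance) for each known package the candidate resembles.

    An exact match is legitimate and returns no hits. The allowed distance shrinks with the
    length of the known name so that very short names (e.g. "ws") only match exactly.
    """
    cand = candidate.lower()
    hits = []
    for known in known_packages:
        k = known.lower()
        if cand == k:
            return []
        allowed = min(max_distance, len(k) // 4)
        d_name = levenshtein(cand, k)
        d_tok = levenshtein(" ".join(tokens(cand)), " ".join(tokens(k)))
        if d_name <= allowed:
            hits.append((known, "near-identical name", d_name))
        elif len(tokens(cand)) > 1 and d_tok <= allowed:
            hits.append((known, "reordered or misspelled words", d_tok))
    return hits


def scan_dependencies(package_json_text: str, known_packages) -> dict:
    """Check every dependency and devDependency in a package.json; return only the suspicious ones."""
    manifest = json.loads(package_json_text)
    names = list(manifest.get("dependencies", {})) + list(manifest.get("devDependencies", {}))
    report = {}
    for name in names:
        hits = typosquat_matches(name, known_packages)
        if hits:
            report[name] = hits
    return report


# Constructed allow-list: the packages this project is known to use (names from the article).
KNOWN_PACKAGES = ["puppeteer", "fetch-mock-jest", "bignum.js", "express", "ws"]

# Constructed package.json: two of the requested names are look-alikes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-demo-app",
    "dependencies": {"express": "^4.19.2", "qs": "^6.12.0", "puppeter": "^22.0.0"},
    "devDependencies": {"jest-fet-mock": "1.0.0"},
})


if __name__ == "__main__":
    for name, hits in scan_dependencies(SAMPLE_PACKAGE_JSON, KNOWN_PACKAGES).items():
        for known, reason, dist in hits:
            print(f"{name!r} resembles {known!r} ({reason}, distance {dist})")
```

Run it in a pre-install hook or CI step and block installation when the report is non-empty; "qs" is not flagged against "ws" because two-character names get no slack, which is the kind of threshold tuning such a check needs to keep false positives tolerable.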
Prevention
On 12 May 2021, Executive Order 14028 (the EO), Improving the Nation's Cybersecurity, tasked NIST as well as other US government agencies with enhancing the cybersecurity of the United States.[https://www.nist.gov/news-events/news/2021/07/nist-delivers-two-key-publications-enhance-software-supply-chain-security (11 July 2021) NIST Delivers Two Key Publications to Enhance Software Supply Chain Security Called for by Executive Order] On 11 July 2021 (day 60 of the EO timeline) NIST, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), delivered '4i', guidance for users of critical software, as well as '4r', minimum vendor testing of the security and integrity of the software supply chain.
- {{anchor|11Jul2021}}Day 30: solicit input (1,400 participants, 150 position papers)[https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/workshop-and-call-position-papers NIST (2-3 Jun 2021) Workshop and Call for Position Papers on Standards and Guidelines to Enhance Software Supply Chain Security]
- {{anchor|11Jun2021}}Day 45: define 'critical software'[https://www.nist.gov/system/files/documents/2021/06/25/EO%20Critical%20FINAL_1.pdf NIST (25 Jun 2021) Definition of Critical Software Under Executive Order (EO) 14028][https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/critical-software-definition NIST (26 Jun 2021) Critical Software Definition (EO 14028 task 4g)]
- {{anchor|11Jul2021}}Day 60: EO task 4i, 4r: user guidance, and vendor testing
- {{anchor|8Nov2021}}Day 180: EO task 4c: guidelines for enhancing supply chain software security
- {{anchor|6Feb2022}}Day 270: EO task 4e, 4s, 4t, 4u: guidelines for enhancing supply chain software
- {{anchor| 8May2022}}Day 360: EO task 4d: guidelines for review and update procedures of supply chain software
- {{anchor| 13May2022}}Day 365: EO task 4w: summary support of the pilot
= Government =
The Comprehensive National Cybersecurity Initiative and the Cyberspace Policy Review, issued by the Bush and Obama administrations respectively, direct U.S. federal funding toward the development of multi-pronged approaches to global supply chain risk management.{{Cite web|url = https://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf|archive-url = https://web.archive.org/web/20090530021316/http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf|archive-date = 2009-05-30|title = Cyberspace Policy Review|access-date = 2015-10-29|publisher = White House}}{{Cite web|title = The Comprehensive National Cybersecurity Initiative|url = https://obamawhitehouse.archives.gov/issues/foreign-policy/cybersecurity/national-initiative|website = The White House|access-date = 2015-10-29}} According to Adrian Davis of the Technology Innovation Management Review, securing organizations from supply chain attacks begins with building cyber-resilient systems.Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4), 19-27. Retrieved on 29-10-2015 Supply chain resilience is, according to supply chain risk management expert Donald Waters, "the ability of the supply chain to cope with unexpected disturbances", and one of its characteristics is a company-wide recognition of where the supply chain is most susceptible to infiltration. Supply chain management plays a crucial role in creating effective supply chain resilience.Waters, D. 2011. Supply Chain Risk Management (2nd ed.). London: Kogan Page. Accessed 29-10-2015
In March 2015, under the Conservative and Liberal Democrat coalition government, the UK Department for Business outlined new efforts to protect SMEs from cyber attacks, which included measures to improve supply chain resilience.{{Cite web|title = Cyber security insurance: new steps to make UK world center - Press releases - GOV.UK|url = https://www.gov.uk/government/news/cyber-security-insurance-new-steps-to-make-uk-world-centre|website = www.gov.uk|access-date = 2015-10-30}}
The UK government has produced the Cyber Essentials Scheme, which trains firms in good practices for protecting their supply chain and overall cyber security.{{Cite web|title = Cyber Essentials - OFFICIAL SITE|url = https://www.cyberstreetwise.com/cyberessentials/|website = www.cyberstreetwise.com|access-date = 2015-10-30}}{{Cite web |date=2021-11-05 |title=Supply Chain Attacks: 6 Steps to protect your software supply chain |url=https://blog.gitguardian.com/supply-chain-attack-6-steps-to-harden-your-supply-chain/ |access-date=2023-09-05 |website=GitGuardian}}
= Financial institutions =
The Depository Trust and Clearing Group, an American post-trade company, has implemented governance for vulnerability management throughout its supply chain and examines IT security along the entire development lifecycle, including where software was coded and hardware manufactured.Hoover, J. N. (2009). Secure the cyber supply chain. InformationWeek, (1247), 45-46,48,50,52. Retrieved 2015-10-29
In a 2014 PwC report, titled "Threat Smart: Building a Cyber Resilient Financial Institution", the financial services firm recommends the following approach to mitigating a cyber attack:
"To avoid potential damage to a financial institution's bottom line, reputation, brand, and intellectual property, the executive team needs to take ownership of cyber risk. Specifically, they should collaborate up front to understand how the institution will defend against and respond to cyber risks, and what it will take to make their organization cyber resilient."{{cite web | title=Threat smart: Building a cyber resilient financial institution | publisher=PwC | work=FS Viewpoint | date=October 2014 | url=https://www.pwc.com/us/en/financial-services/publications/viewpoints/assets/pwc-cyber-resilient-financial-institution.pdf | access-date=4 June 2020}}
= Cyber security firms =
FireEye, a US network security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats such as advanced persistent threats and spear phishing,{{Cite web|title = Advanced Cyber Security - Stop Cyber Attacks {{!}} FireEye|url = https://www.fireeye.com/company.html|website = FireEye|access-date = 2015-10-30}} recommends that firms have certain principles in place to create resilience in their supply chain, including:{{Cite journal |last1=Xuan |first1=Cho Do |last2=Duong |first2=Duc |last3=Dau |first3=Hoang Xuan |date=2021-06-21 |title=A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic |journal=Journal of Intelligent & Fuzzy Systems |volume=40 |issue=6 |pages=11311–11329 |doi=10.3233/jifs-202465 |s2cid=235815012 |issn=1064-1246}}
- A small supplier base: This allows a firm to have tighter control over its suppliers.
- Stringent vendor controls: Imposing stringent controls on suppliers so that they abide by lists of approved protocols. Conducting occasional site audits at supplier locations and having personnel visit the sites on a regular basis for business purposes also allows greater control.
- Security built into design: Security features, such as check digits, should be designed into the software to detect any previous unauthorized access to the code. An iterative testing process to get the code functionally hardened and security-hardened is a good approach.{{Cite web|url = https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-best-practices-in-cyber-supply-chain-risk-management.pdf|title = BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT|access-date = 2015-10-30}}
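The "security built into design" principle above describes detecting unauthorized changes to code with check digits; the contemporary form of the same idea is a cryptographic hash manifest of the deployed tree, taken at a known-good point and verified later. The block below is an added example written for this article, not FireEye's own tooling. It assumes a baseline manifest is built right after a trusted deployment, that the manifest is protected by an HMAC whose key is kept off the host, and that verification runs afterwards, for instance after patching, where it would also surface a file that was not part of the deployed software, the situation the Exchange section describes when it notes that web shells can remain on a patched server. The directory layout and file contents are constructed placeholders.

```python
"""Baseline-and-verify integrity check for a deployed code tree (added example; constructed data)."""
import hashlib
import hmac
import json
import pathlib
import tempfile


def file_sha256(path: pathlib.Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so the baseline itself cannot be quietly rewritten."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_tree(manifest: dict, tag: str, key: bytes, root: pathlib.Path) -> dict:
    """Check the manifest's tag, then report files added, removed or modified since the baseline."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        raise ValueError("manifest tag mismatch: the baseline itself may have been altered")
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in set(current) & set(manifest) if current[p] != manifest[p]),
    }


def demo() -> dict:
    """Build a constructed web-application tree, baseline it, tamper with it, and verify."""
    key = b"constructed-demo-key; a real key lives off the host being checked"
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- constructed placeholder page --%>")
        (root / "bin").mkdir()
        (root / "bin" / "app.dll").write_bytes(b"MZ constructed placeholder binary")

        manifest = build_manifest(root)          # taken at a trusted point
        tag = sign_manifest(manifest, key)

        # Simulated post-deployment changes that a later verification run should surface.
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- constructed: edited after baseline --%>")
        (root / "owa" / "auth" / "unexpected.aspx").write_text(
            "<!-- constructed placeholder file, not part of the deployed software -->"
        )
        (root / "bin" / "app.dll").unlink()

        return verify_tree(manifest, tag, key, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry the value here: the baseline must be taken from a build the organization trusts (ideally from the vendor's published hashes rather than from the running host), and the manifest plus key must be stored where someone who can write to the tree cannot also rewrite the record, otherwise the check only confirms what the intruder left behind.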
On 27 April 2015, Sergey Lozhkin, a Senior Security Researcher with GReAT at Kaspersky Lab, spoke about the importance of managing risk from targeted attacks and cyber-espionage campaigns at a conference on cyber security, where he stated:
"Mitigation strategies for advanced threats should include security policies and education, network security, comprehensive system administration and specialized security solutions, like... software patching features, application control, whitelisting and a default deny mode."{{Cite web|title = Kaspersky Lab and EY Warn Organizations to Get Prepared for Cyberthreats {{!}} Kaspersky Lab|url = http://www.kaspersky.com/about/news/virus/2015/Kaspersky_Lab_and_EY_Warn_Organizations_to_Get_Prepared_for_Cyberthreats|website = www.kaspersky.com|access-date = 2015-10-30}}
See also
Notes
{{Notelist}}
References
{{Reflist}}
External links
- [https://www.wired.com/2009/06/new-atm-malware-captures-pins-and-cash/ New ATM Malware Captures PINs and Cash — Updated] – Wired