The rise of ransomware attacks and the business impacts for your supply chain

Protecting against and managing cyber attacks that come from, or affect, your supply chain is a continually evolving challenge in today’s digital world. In fact, 60% of Australian executives believe third- and fourth-party threats will affect their industry in the next 12 months.

Digitisation has led to increasingly sophisticated business models, with a heavier reliance on supply chains - and a larger sphere of interconnectedness. Those supply chains are facing acute disruption, with the pandemic and recent geopolitical events adding increased instability and volatility to supply chains globally.

At the same time, ransomware attacks have become increasingly sophisticated, with threat actors more commonly targeting supply chains to maximise impact by threatening the entire ecosystem of an organisation - impacting not just one business, but many. The result has been ships becoming stuck at ports, workforce shortages, empty shelves at grocery shops, out of stock medicinal supplies and more.

Supply chains as a vector for compromise

The prevalence of state-sponsored actors attacking supply chains as a means to gain access to critical infrastructure and other high value targets is not new, but it’s a tactic that has increasingly been adopted by cybercrime groups. Some prominent attacks include:

Kaseya July 2021

Kaseya’s software is used by direct customers and Managed Service Providers (MSPs) to manage IT infrastructure.

What happened?

Software vulnerabilities allowed threat actors to deploy ransomware into Kaseya’s environment. Threat actors leveraged the access Kaseya maintained to their clients' infrastructure to deliver ransomware attacks into their environments. 

Direct or indirect compromise?

Direct: 

Using Kaseya’s software, the threat actors spread ransomware via MSPs to their customers. Kaseya’s direct customers were impacted by ransomware on their networks.

Supply Chain impact

As a result of this attack, a Swedish supermarket chain’s point of sale facilities were taken offline. Eight hundred stores across the country remained closed for days after the attack while infrastructure was restored. This is one of the most impactful examples of how a ransomware attack can affect people's ability to access basic human resources such as food. 

The attack is estimated to have affected up to 1,500 organisations globally and cost tens of millions of dollars. The hard-hitting impact of these campaigns shows how devastating supply chain attacks can be to organisations.

Ransomware operators are indiscriminate in their targeting, and can affect organisations globally.

SolarWinds December 2020

SolarWinds is a software company which provides system management tools for technology infrastructure monitoring.

What happened?

Threat actors placed malicious code into SolarWinds’ ‘Orion’ software system. The malicious software was subsequently downloaded by customers as an update, providing the threat actors with access to their organisational networks.

Direct or indirect compromise?

Indirect:

SolarWinds customers who downloaded the software with malicious code were impacted. It has not been made public how many organisations were targeted by the attack, but the malicious code allowed threat actors to communicate with and gain unauthorised access to customer networks.

Supply Chain impact

Potential backdoor access to hundreds of companies who use SolarWinds ‘Orion’ software, compromising network integrity. 

Accellion 2021

Accellion is a technology company specialising in developing products to facilitate secure file sharing.

What happened?

Attackers were able to leverage vulnerabilities in an end-of-life product, File Transfer Appliance (FTA), allowing them to exfiltrate customer data held in the product. Notably, these attacks occurred over a 2-month period from December to January 2021. Victim data was then posted on dark web leak sites linked to the attackers, coupled with a ransom demand.

Direct or indirect compromise?

Direct:

While the attackers initially targeted vulnerabilities in Accellion's FTA product to access customer data, they later contacted victims directly in attempts to coerce Accellion into paying their ransom demand.

Supply Chain impact

Around 100 of the 300 FTA customers across the public sector, legal, healthcare and manufacturing industries were impacted by this attack. Accellion immediately shut down the end-of-life FTA product, and customers who utilised this platform were asked to pivot to newer products. Global law firms who utilised the FTA product had sensitive client documentation leaked online, and as a result suffered significant reputational damage.

As seen in incidents such as the Kaseya attack, the security of suppliers can be one of the biggest challenges facing organisations. With nearly every organisation either being a supplier or relying on suppliers to deliver their goods / services, this is an elevated and compounding area of risk with cascading effects across the supply chain. 

Historically this type of multi-stage attack has been linked to large state-sponsored actors. We are now starting to see smaller cyber crime actors pivoting to this style of attack successfully.

 

These supply-chain threats are multi-faceted, and you don’t need to have a managed service provider (MSP) running your network for this to be an area of risk. An outsourced business process supporting your internal functions can also be abused by ransomware threat actors. The recent Bunnings data breach is a good example, where a third-party company known as FlexBooker, which provides customers with appointment scheduling software (primarily used to support click and collect), was targeted by attackers, with the aim of stealing Bunnings customer information. Other downstream businesses of FlexBooker also suffered compromises, and in some cases their consumers were found to have had the last 3 digits of their credit card information stolen.

Organisations are experiencing an increase in attacks from connected third parties that store, host, transmit, or manage their data, and also from remote access mechanisms that are set up to enable third parties to perform their duties.

Ransomware impacts on your supply chain

Apart from being an area of compromise for an organisation, cyber issues can cause impacts to your business indirectly. Ransomware can render suppliers and service providers unable to fulfill their obligations to you for extended periods of time, as they work to restore services.

The key impacts of ransomware on your supply chain are:

 

Disruption to the delivery of goods / services to your key stakeholders:

A supply chain that’s not ransomware resilient can adversely impact your ability to do business and serve your customers. This year, Toyota was forced to cease all manufacturing across 14 of its plants in Japan due to a cyber attack on one of its suppliers.

Where an organisation is unprepared for such an attack, the impact on your supply chain can stretch from weeks to months, depending on the damage done. Considerations as to how you would continue to service your customers if a link in your supply chain was removed must be well understood in order to mitigate the associated risks.

An organisation that processes data on your behalf suffers a cyber attack:

Loss of sensitive data held by a third party as part of a cyber attack can have a number of impacts to a business. For organisations that rely on real-time (or near real-time) data to drive decision-making and outcomes (e.g. hospitals, mining services, etc), a loss of data can bring operations to a halt or significantly compromise the quality of outcomes. There are also regulatory and reputational impacts that need to be considered and the financial loss that can ensue from erosion of customer trust (e.g. if a supplier is handling sensitive patient data on behalf of a hospital as part of delivering services to the hospital).

Learnings from the Kaseya attack can be applied to ensure that resilience risk is considered not only from direct ransomware impact, but also from indirect/flow-on impacts, where an attack on one organisation within the ecosystem may also halt the ability of related parties to perform their key services.

What can you do to manage these risks in your supplier ecosystem? 

Know your third parties

This might sound simple but in reality, particularly in larger companies, it can be a challenge to build a view of your entire third party inventory. Traditional third party risk management practices may focus on managing ‘material’ vendors, i.e. those of financial significance to the organisation, rather than understanding which ones are critical to your operations or handling sensitive data. Often it will be your smallest third parties who present the largest cybersecurity risk to your supply chain. 

Get the basics right

  • Maintain full visibility of your third party relationships and understand which ones are key from an information security and resilience standpoint.
  • Apply a risk-based approach to determine the relative risk of each third party relationship. Perform assessments (both at contract initiation and also ongoing) that are targeted to addressing these key risk areas. 
  • Identify key controls that should be in place to address key supplier cybersecurity risks and ensure these are in place through both contractual negotiations and ongoing assurance / validation. A one-size-fits-all approach is not only costly but will not necessarily provide comfort in knowing that appropriate controls are in place to address the key risks to your organisation. Perform the right level of testing to ensure some of these key controls (e.g. authentication, user access, etc.) are operating as expected.
  • Determine key fourth party (and beyond) relationships and understand the importance of these relationships in terms of data security and resiliency to your organisation. 
  • Monitor and maintain the risk profile of your third parties by continuous assessment and oversight in order to be aware of changes in the threat profile. A once-off assessment is not enough.  
  • Ensure adequate reporting mechanisms including SLAs and notification requirements are in place relating to not only operational issues but also for cyber incidents and data breaches. 
  • Prepare for the “when”: Maintain incident playbooks and response plans that incorporate third party risk scenarios. 

At PwC we understand that cyber incidents and managing these within a supply chain context require more than technical expertise. The rapid rise in destructive ransomware attacks and impacts to supply chains demands experts in readiness, crisis recovery of IT operations, cyber risk management and executive-level technical incident management to deliver an effective response.

That’s why our Incident Response & Supply Chain capability includes PwC experts from legal, procurement, crisis management and public & media relations, to help you tackle this challenge end-to-end.

With respect to incident response, we approach your response holistically to provide decision makers with a single view of facts with regular developments, risks and recommendations. This ensures that your entire business, not just your IT departments, emerges from incidents stronger and more resilient. Similarly, from a supply chain risk management perspective, we understand this is a “whole of business” issue that requires consideration of more than just cyber. As such, we work with your Procurement, Risk, Legal, and Security teams at a minimum, to ensure fit-for-purpose and scalable frameworks and solutions are developed and implemented.

How we helped a large corporation recover from a ransomware attack

PwC established a 24x7 response team, working with the client’s internal teams and vendors to contain, eradicate and recover from the attack.

PwC leveraged its global network to deliver 24-hour incident response support, which involved forensic acquisition and imaging, malware analysis and root cause analysis and investigation.

PwC provided a team of legal specialists to assist the client in responding to legal challenges arising from the ransomware incident, including cyber insurance, regulatory notifications across the globe and other related legislative requirements.

PwC also provided executive level briefings and updates on the progress of the investigation.

PwC provided strategic and technical support in securely recovering impacted systems post-incident. PwC technical resources performed vulnerability assessments and malware scans to ensure that client systems were safely recovered.

Contact us

Pia Chakravarti

Partner, Assurance, PwC Australia

Tel: +61 421 023 913
