Microsoft reported last week that the Nobelium group (also known as APT29), the Russian-based threat group behind the SolarWinds software supply chain attack discovered in December 2020, struck again with another large-scale supply chain attack impacting 3,000 email accounts at over 150 organizations worldwide.
As in the SolarWinds event, the group executed a series of escalating attacks that spanned months. From January to May of this year, the hacker group targeted Constant Contact, an email marketing vendor, to gain access to an account held by the United States Agency for International Development (USAID), in order to craft spear phishing emails to targeted entities containing malware called NativeZone with the aim of exfiltrating data from the victim’s network.
Supply chain cyber attacks, though not new in the cyber threat landscape, have risen in frequency and severity over the past year as financially motivated and nation-state threat actors have successfully attacked a large number of private sector and government organizations.
Other notable recent events include:
Supply chain cyber attacks are those in which threat actors target a company’s third party vendor, contractor, or supplier in order to gain access, cause disruption, or achieve specific attack objectives.
When the third party is a company that represents a critical part of the supply chain with many interconnected and dependent entities, such as SolarWinds or Constant Contact, they can be considered a Single Point of Failure (SPoF), with the potential for large scale and catastrophic impacts.
SPoFs are attractive to attackers because they provide multiple benefits, that may include:
- access at scale to assets or infrastructure that is highly coveted by threat actor groups, such as large - scale financial or sensitive data storage
- a wide footprint of global enterprise customers that use a single product or service, such as leading email or software providers
- a disruption opportunity that will set off a cascading chain of events to impact many entities, such as leading cloud or DNS providers
In this case, Nobelium was able to achieve two out of the three benefits in each attack by abusing trusted existing infrastructure to achieve aims against a footprint of specific government and private sector targets of interest.
The repeated success of threat actor groups such as Nobelium to conduct fruitful, large-scale supply chain attacks is one indicator that the cyber supply chain threat continues to pose elevated risk to companies and insurers. When considered alongside the rise of the “as-a-service” economy in both business and threat actor arenas, the increased interdependencies brought about by the trend towards a global remote workforce, and the expanding digital attack surface as internet of things (IoT) devices, mobile endpoints, and operational technologies (OT) are increasingly integrated into enterprise networks, it is clear that a reliable approach to quantifying the SPoF risk is necessary.
CyberCube’s Portfolio Manager’s upcoming version 3 update offers just such a solution to quantify the nature of this aggregated cyber risk due to supply chain threats.
When paired with the recently published report Building Blocks of a Catastrophe Scenario, CyberCube customers will be able to tie real-world cyber incidents, such as the SolarWinds and Microsoft Exchange attacks, to the six major supply chain cyber threats. Customers can then map those threats to the 29 cyber catastrophe scenario classes modeled in Portfolio Manager along with describing key risk areas and financial loss components that result from these attacks.
For instance, although the Nobelium group perpetrated two major supply chain cyber attacks over the span of a year with similar goals, the attacks actually fall into two of the specific supply chain attack types described in the report:
- Product Tampering: when a product is altered to be faulty, have malicious code, or cause other damages
- Business Email Compromise: when supplier domains are compromised or mimicked for targeted phishing attacks.
These “sister” attack types, while similar in impact, took different paths to success. During the SolarWinds attack, Nobelium injected malicious code into the Orion IT management product to plant SUNBURST malware inside customers' networks, while in the Constant Contact attack, the attackers sent targeted phishing emails to USAID customers with Native Zone malware. When looking to mitigate the risk of supply chain attacks, it is important for businesses and insurers to focus on implementing controls and mitigations around a few key areas of risk, as well as investing in response and recovery tools and plans that can cover attacks falling into these six major types of supply chain scenarios. For example, security logging and monitoring for early attack detection were critical for the SolarWinds attack, while strong email authentication mechanisms and employee phishing training were primary lines of defense for the Constant Contact attack.
The successful espionage and data exfiltration objectives of the two attacks mean that the areas of financial loss for businesses in both attacks will be concentrated around the investigation, response, recovery and customer notification costs, as well as the legal liabilities that come with exposed data and secrets.
While the fallout of the SolarWinds and Constant Contact attacks still remain to be seen, it is clear that the (re)insurers that are better able to identify these potential supply chain impacts to their books of business will not only be able to quantify their book’s cyber supply chain risk more reliably, but more effectively manage and optimize their portfolio.
To learn more about how past cyber attacks have affected the supply chain and how you can better quantify risk, download our free report — Building Blocks of a Catastrophe Scenario.