In April 2017, PwC and BAE Systems released a report that investigated the activities of a Chinese advanced persistent threat (APT) actor known as APT10 or Stone Panda (among other names).
The report assesses that this group’s primary technique is to target managed service providers (MSPs) as a pivot point to gain a foothold into the network of their clients. In other words, this threat actor is using the supply chain as the infection vector into their target’s environment.
The report goes into detail describing how Stone Panda breaches the MSP, traverses into the actual target’s environment, steals data, moves it back through the MSP and exfiltrates it from there, so that the transfer blends into the legitimate traffic between client and provider. This isn’t a new trend, but it highlights an often ignored vulnerability: you are only as secure as the weakest part of your supply chain. Anywhere your network or critical data touches the supply chain – outsourced IT or otherwise – must be regarded as a legitimate attack vector.
It makes perfect sense from a threat actor’s perspective: why target one well-defended organisation (that offers just one dataset) when there are weaker points of entry in the supply chain, such as MSPs, that offer access to multiple datasets from multiple clients?
In late 2013, the US retailer Target was the victim of a breach in which attackers stole payment card data for roughly 40 million customers and personal information for tens of millions more. Notably, the attackers obtained network credentials by compromising the heating, ventilation and air conditioning (HVAC) contractor that Target used.
From there, they moved into Target’s network and installed memory-scraping malware on the Point-of-Sale (PoS) systems in its stores, harvesting the details of cards used over the holiday shopping season. Analysts estimated Target’s potential liability at up to $3.6 billion.
The tactic of targeting the ‘soft underbelly’ of organisations through their supply chain is a threat to almost all industries. However, some are more likely to face this kind of attack than others.
Take the legal sector for example. Organisations entrust their legal representatives with their deepest, darkest secrets during potential mergers or acquisitions. In March 2016, a Russian cybercriminal targeted roughly 50 major law firms, intending to steal merger and acquisition data and profit from it through insider trading.
Similarly, back in 2010, BHP Billiton’s proposed takeover of Potash Corporation of Saskatchewan naturally captured the attention of global players in the resources sector. It is alleged that Chinese hackers targeted the law firms representing the two sides to gain privileged insight into the deal, and potentially even to derail it (the deal did collapse, but there is no evidence that a cyber breach was the cause).
The underlying challenge of the supply chain as an intrusion vector is answering the question “Where is your data?”, and it’s deceptively complex to do so accurately. Rarely do organisations, especially large multinationals, know exactly where their most critical data is stored, who has access to it, and how exposed it is to external threats.
The level of outsourcing that many large organisations conduct, from HR and recruitment, to fully managed IT services, means that the identification of data and critical systems needs to occur much further outside the immediate corporate environment. It’s imperative for organisations to start thinking more holistically about risk – your perceived defence perimeter must include your supply chain, your MSPs, and all those that have user access to your network.
Based on the tactics, techniques and procedures (TTPs) of Stone Panda described earlier, it is also important to consider how data is monitored as it leaves both your network and your supply chain’s. Because APT10 routes stolen data out through the MSP, organisations should insist that their providers monitor outbound data both from the client environment and from the MSP’s own infrastructure, not just at the client’s perimeter.
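One concrete form that outbound monitoring can take is a per-host volume baseline applied to flow records. The example below is added here to illustrate the point and is not code from the report or from any MSP; the address plan (a client network with an MSP management subnet inside it) and the flow records are constructed. It looks for the two legs of the pattern described above: a client host pushing an unusual volume into the MSP’s management hosts (staging), and an MSP host pushing an unusual volume to external destinations (exfiltration).

```python
"""Flag hosts whose outbound transfer volume jumps well above their own baseline.

Added example. Addresses and flow records are constructed, not from any real incident.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Hypothetical address plan: the client's space, and the subnet from which the MSP
# administers the client. Anything outside CLIENT_NET is treated as external.
CLIENT_NET = ip_network("10.10.0.0/16")
MSP_MGMT_NET = ip_network("10.10.250.0/24")

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # days 1-3: routine traffic
    (1, "10.10.5.20",  "203.0.113.10", 443, 2_000_000),
    (1, "10.10.5.40",  "10.10.250.5",  445, 40_000_000),
    (1, "10.10.250.5", "198.51.100.7", 443, 30_000_000),
    (2, "10.10.5.20",  "203.0.113.10", 443, 2_500_000),
    (2, "10.10.5.40",  "10.10.250.5",  445, 35_000_000),
    (2, "10.10.250.5", "198.51.100.7", 443, 28_000_000),
    (3, "10.10.5.20",  "203.0.113.10", 443, 1_800_000),
    (3, "10.10.5.40",  "10.10.250.5",  445, 45_000_000),
    (3, "10.10.250.5", "198.51.100.7", 443, 31_000_000),
    # day 4: a file server copies a large volume to the MSP host, which then pushes it out
    (4, "10.10.5.20",  "203.0.113.10", 443, 2_100_000),
    (4, "10.10.5.40",  "10.10.250.5",  445, 9_000_000_000),
    (4, "10.10.250.5", "198.51.100.7", 443, 29_000_000),
    (4, "10.10.250.5", "192.0.2.77",   443, 8_800_000_000),
]


def is_external(ip: str) -> bool:
    return ip_address(ip) not in CLIENT_NET


def is_msp_mgmt(ip: str) -> bool:
    return ip_address(ip) in MSP_MGMT_NET


def daily_volume(flows, dst_selector):
    """Sum bytes per source per day, counting only flows whose destination
    satisfies dst_selector. Returns {src_ip: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _port, nbytes in flows:
        if dst_selector(dst):
            totals[src][day] += nbytes
    return totals


def flag_spikes(totals, today, factor=5.0, floor=1_000_000_000):
    """Return {src_ip: (today_bytes, baseline_mean)} for sources whose volume on
    `today` is at least `floor` bytes and more than `factor` times their mean
    daily volume on earlier days. A source with no earlier history is flagged
    on the floor alone, since there is nothing to compare it against."""
    flagged = {}
    for src, per_day in totals.items():
        today_bytes = per_day.get(today, 0)
        if today_bytes < floor:
            continue
        history = [v for d, v in per_day.items() if d < today]
        baseline = mean(history) if history else 0.0
        if not history or today_bytes > factor * baseline:
            flagged[src] = (today_bytes, baseline)
    return flagged


def run_detection(flows, today):
    """Both legs of the MSP pivot: staging into the MSP subnet, then egress from it."""
    return {
        "staging_to_msp": flag_spikes(daily_volume(flows, is_msp_mgmt), today),
        "external_egress": flag_spikes(daily_volume(flows, is_external), today),
    }


if __name__ == "__main__":
    for leg, hits in run_detection(FLOWS, today=4).items():
        for src, (today_bytes, baseline) in hits.items():
            print(f"{leg}: {src} sent {today_bytes:,} bytes (baseline {baseline:,.0f})")
```

Running this over the constructed records flags 10.10.5.40 on the staging leg and 10.10.250.5 on the egress leg, while the routine hosts stay below the floor. The client only sees the staging leg if the MSP’s management hosts sit inside its own network; the egress leg from the MSP’s side is exactly what the contract needs to require the provider to watch. A volume threshold is one signal, not a detection strategy: a patient actor can trickle data out below the factor, so this belongs alongside destination reputation and per-account baselining.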
It is unrealistic for organisations to think that they can invest heavily in their own defences without considering the security of their supply chain. Ensuring a base level of security across your supply chain is likely to be a painstaking and complex process. An acceptable security posture for all elements of an organisation’s supply chain must be built into contractual agreements. As a minimum, this should include requiring third parties to adopt standards such as Cyber Essentials Plus and ISO/IEC 27001.
To be more comprehensive in ensuring that your key supply chain members have a good level of security, penetration tests can be invaluable. These tests could involve simulated attack scenarios that mimic what a threat actor such as Stone Panda might do to breach your network through a supplier.
In addition to this, threat assessments should be considered. These assessments will look at the digital footprint of the organisation as well as its key suppliers, and map those against the most likely adversaries and their TTPs.
As a general rule, threat actors follow the path of least resistance, no matter how advanced they are. The supply chain often represents the easiest way into multiple target environments. Your suppliers are part of your attack surface, and you should adapt your defences accordingly.