How Vulnerable Are You to a Supply Chain Attack?
Think you’re prepared for a supply chain attack?
Do you have a dedicated DevOps team? Fine-grained access controls? Regular security audits? That’s all great — but on its own, none of it will stop a supply chain attack.
When it comes to supply chain attacks, all that matters is this: Who else has your data?
The biggest supply chain risk is SaaS itself
Gartner predicts that in 2025, “45% of organizations globally will have been victims of software supply chain attacks, marking a threefold increase from 2021.”
That’s largely because the SaaS ecosystems most of us rely on are only getting more complex and interconnected. Your organization might not use a particular questionable open-source package, but the service provider that runs your data analytics might. Even logging into an app can route you through a third-party identity provider you never chose, such as Okta (which reported another major data breach in November 2023).
In the modern SaaS model, you’re a link in a data daisy chain connecting you to your vendor’s vendor’s vendor. Each of these links becomes a new attack surface.
If you think your organization’s data security is strong, the chances are you’re connected to an organization whose data security isn’t.
Malicious actors won’t have to get through you to get to your data… they just have to get through them.
And that means, sometimes, your data security might literally be out of your control.
“The Great SaaS Data Exposure,” a damning report by the data security company Varonis puts things into perspective. They discovered that “the average company has an alarming amount of sensitive data exposed not only to all employees, but in many cases, to the entire internet. It’s a data-breach crisis waiting to happen.”
Case study: Fortra
At the beginning of 2023, NationsBenefits, US Wellness, Community Health Systems, and 127 other organizations experienced massive concurrent data breaches. Millions of their members, patients, and customers were affected.
Hackers didn’t have to attack them all. In fact, their target was just one company — Fortra, a SaaS cybersecurity firm (ironically).
These organizations were all customers of Fortra’s hosted file-transfer service, GoAnywhere MFT, and the compromise happened in that hosted environment, beyond the reach of any customer’s own controls. Unbeknownst to them, for three days between January 28th and January 30th, their files were being exfiltrated by the Clop ransomware gang.
At least two of the companies affected by the hack told TechCrunch that Fortra initially downplayed the extent of the breach, allegedly going so far as to claim their data was completely safe. They only realized that wasn’t true when Clop itself reached out to them demanding a ransom.
NationsBenefits was by far the hardest-hit company. Over 3 million of its members were impacted.
Since then, multiple class-action lawsuits have been filed against Fortra and its hacked customers (by their customers).
Fortra continues to publish cybersecurity tips on its website.
There’s more than one kind of supply chain attack
Supply chain attacks, or vendor compromise, can take different forms depending on the expertise of those involved and how much access they have.
- Open-Source Attack:
In an open-source attack, threat actors hide malicious code inside an open-source project or package. If your organization, or any organization in your supply chain, subsequently pulls that code into an app or software product, the malicious code ships with it, and you’re at risk.
The “openness” of open source helps defenders spot bad code, but it also lets attackers study a project closely to find the weakest point to target. And they don’t have to “gain access” in the traditional sense: they can submit a contribution, publish a look-alike package, or take over an abandoned maintainer account, with no break-in required.
Nation-states and government agencies are keenly aware of this, and countries like China, Russia, and North Korea have all been accused of various open-source attacks.
One of the most recent and high-profile examples of this occurred in 2023, when a North Korea-backed cybergang called the Lazarus Group was accused of publishing malicious packages to PyPI, the Python package index, to be installed by unsuspecting developers.
- Software Supply Chain Attack:
A software supply chain attack occurs when attackers compromise a third-party vendor’s software, build system, or update channel so that the vendor’s own distribution mechanism delivers the attack to some (or all) of its customers at once. This can include open-source attacks, but it’s more often achieved by getting inside the vendor, through social engineering or an exploited vulnerability, and directly altering proprietary software or the pipeline that builds it.
We’ve talked about Fortra, but an even bigger breach happened in 2020 when software supply chain attackers targeted SolarWinds. Hackers infiltrated the company’s systems and inserted a backdoor into builds of its Orion monitoring and management software, which then reached customers as a legitimately signed update. The scale of this breach was staggering: as many as 18,000 customers installed the trojanized update (remember, the Fortra breach only affected around 130 of its clients), including the Department of Homeland Security.
The SolarWinds attack remains one of the most prominent examples of vendor compromise in recent times.
- Hardware Supply Chain Attack:
Hardware supply chain attacks are, perhaps, the most advanced form of vendor compromise. This is when attackers modify actual physical components like microchips or USB flash drives to create secret access for themselves, install malware, or simply “break” the hardware. This kind of attack can be especially difficult to detect before it’s too late.
One of the most infamous examples of this is when the controversial whistleblower Edward Snowden leaked documents showing that the National Security Agency (NSA) had intercepted Cisco routers in transit to foreign customers and embedded surveillance implants before sending them on.
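The open-source attack described above succeeds when the package your build pulls in is not the package anyone reviewed. The check a practitioner wants is hash pinning: record the digest of every artifact you have vetted and refuse to install anything whose bytes differ. What follows is an added example written for this page, not code from Onymos, pip, or any project named here; it re-implements in plain Python the verification pip performs when run with --require-hashes. The package names, versions, and wheel contents are constructed stand-ins.

```python
import hashlib
import re

# Constructed stand-ins for wheels fetched from a package index (not real files).
ARTIFACTS = {
    "requests": b"contents of requests-2.31.0 wheel (constructed)",
    "urllib3": b"contents of urllib3-2.0.7 wheel (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A requirements file in pip's --require-hashes syntax, generated here from the
# vetted bytes above. In practice this file is committed alongside the code.
PINNED_REQUIREMENTS = (
    f"requests==2.31.0 \\\n    --hash=sha256:{sha256_hex(ARTIFACTS['requests'])}\n"
    f"urllib3==2.0.7 --hash=sha256:{sha256_hex(ARTIFACTS['urllib3'])}\n"
)

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)")
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def canonical(name: str) -> str:
    """Normalise a distribution name the way package tools do (case and _/- folding)."""
    return name.lower().replace("_", "-")


def parse_requirements(text: str) -> dict:
    """Return {name: (version, {algo: [hex digests]})}.

    Any line that is not pinned to an exact version with at least one --hash is
    rejected, because a single unpinned dependency defeats the whole check.
    """
    pins = {}
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not pinned to an exact version: {line!r}")
        digests = {}
        for h in HASH_OPT.finditer(line):
            digests.setdefault(h.group("algo"), []).append(h.group("digest").lower())
        if not digests:
            raise ValueError(f"no --hash given for: {line!r}")
        pins[canonical(m.group("name"))] = (m.group("version"), digests)
    return pins


def verify_artifact(name: str, data: bytes, pins: dict) -> tuple:
    """Compare downloaded bytes against the pinned digests. Returns (ok, reason)."""
    key = canonical(name)
    if key not in pins:
        return False, f"{name}: not in the pinned requirements (unexpected dependency)"
    version, digests = pins[key]
    for algo, allowed in digests.items():
        if hashlib.new(algo, data).hexdigest() in allowed:
            return True, f"{name}=={version}: {algo} digest matches"
    return False, f"{name}=={version}: downloaded bytes match none of the pinned hashes"


def verify_all(artifacts: dict, pins: dict) -> dict:
    """Verify every downloaded artifact; a single False means the install must abort."""
    return {name: verify_artifact(name, data, pins) for name, data in artifacts.items()}


if __name__ == "__main__":
    pins = parse_requirements(PINNED_REQUIREMENTS)
    print("clean download:")
    for ok, why in verify_all(ARTIFACTS, pins).values():
        print("  OK  " if ok else "  FAIL", why)
    # Same name and version string, different bytes: a substituted or tampered package.
    tampered = dict(ARTIFACTS, requests=b"same version string, injected code (constructed)")
    print("tampered download:")
    for ok, why in verify_all(tampered, pins).values():
        print("  OK  " if ok else "  FAIL", why)
```

The caveat matters as much as the check: hash pinning catches an artifact that was substituted or tampered with after you vetted it, but it cannot tell you whether the version you pinned was already malicious when you first trusted it, which is exactly the situation in the PyPI campaign above. Pinning has to be paired with review of what you pin, and every vendor in your chain has to apply the same discipline for it to protect you.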
How will your SaaS fare against advanced cyber threats?
Can you avoid all of this? Well, you could abandon the SaaS model and all of your third-party vendors and start building everything yourself…
But that’s probably not an option. Even if it was, it probably wouldn’t be the right option. It’s difficult to imagine modern software development, or modern business at all, without SaaS and the cloud. There’s a reason it’s all so pervasive: it’s all so useful.
The real solution is to be more selective about the SaaS you use in the first place. Find technology platforms and partners that prioritize your control.
Onymos Founder and CEO Shiva Nathan said the “SaaS model as it is in 2024 needs to be completely rebuilt. The way SaaS is supposed to work is that you pay money to receive service. Somewhere, something went wrong. Worldwide, folks pay money and data to receive service. We need to remove the ‘and data’ part from the SaaS model.”
And that’s why Onymos does SaaS differently. We license the source code for all of our software, and there are no Onymos clouds or stopover servers that give us access to any of your data.
If you need to build more secure software, get in touch with our team. Whether it’s for the Internet of Things (IoT), intelligent document processing (IDP), or something else entirely — we can help.