One of the most fatal mistakes an organization can make is thinking cyber attackers are the same caliber of criminal as the juvenile delinquents shoplifting and asking for cigarettes at the local mall. Sure, some hackers are just as pathetic, but these aren’t the ones your business (should) need to worry about. With this in mind, for the rest of this post, let’s pretend the bottom-feeders never learned how to ‘code’ (read: use Google).
Cyber attackers are smart. They understand how businesses operate and they place an enormous value on the intelligence they gather in preparation for an attack. There are thousands of forums where this information is shared, and some of the subject matter may surprise you – such as why cybercriminals seem to have a penchant for supply and logistics.
Let’s say you’re a large multi-national and you’ve just spent millions on the shiniest pieces of cyber security kit. Once installed, you might sit back in the boardroom, sipping contentedly on flat-white-with-one, smugly confident that the digital walls you’ve built around your empire are completely impenetrable.
Oh sweet summer child, you couldn’t be more wrong…
Not only are hackers smart, they’re also economical – this is a potent combination. Cyber warfare has no rules of engagement, no concept of honour and the path of least resistance is the most favored route.
Hackers know there’s little point trying to attack you through the front door, especially when you’ve left the back door ajar. Why would they waste the resources and effort mounting an attack against your alabaster walls when your supply chain is filled with smaller vendors whose credentials are much easier to steal – credentials that can be used to bypass your defenses?
Attacking smaller organizations in the target business’ supply chain is becoming more prevalent as the big end of town fortifies its defenses. Below are just a few examples of how this strategy has been used to devastating effect.
In 2014, retail giant Target was a victim of this kind of supply chain hacking. A hacker obtained the details of 70 million customers and 40 million credit card holders by infiltrating a refrigeration and air conditioning supplier, then using their credentials to get to Target. This attack would have been extremely difficult to defend against as, technically, there was no actual breach. Despite this, steps could have been taken to prevent this catastrophe; two-factor authentication is one such measure. Two-factor authentication is a procedure that requires a user to verify their identity twice before accessing data or a secure location. Most commonly, it is a combination of a strong password and a unique code sent to a predetermined mobile number. This prevents hackers who get hold of credentials from using them to access private information, as they would also need to get their hands on the mobile phone linked to those user details.
The tactic is so successful that one group has been honing the skill since 2009. The group, APT10, is a hacking collective that targets third-party IT support companies, favouring phishing emails that install malware on these organizations’ devices. From there, APT10 masquerades as the IT company and requests information or direct access to client servers. Once established, they have easy access to the private information of whichever company they were targeting. The victim usually has no idea they have been attacked since, from their perspective, they just gave their IT service company remote access as they’ve done 100 times before.
Supply chain hacking extends beyond the business world and into the realms of glitter, gossip and Grammys. In December 2016, hackers impersonated an executive at Interscope Records and sent an email to September Management and Cherrytree Music Company, a music management business and record company, requesting Lady Gaga’s stem files. These files are the rough draft of a song before it is edited and mastered. Just like that, the files were sent over and the hacker released them before they were supposed to come out. As you can imagine, this caused the companies to lose a lot of money.
Ultimately, everyone is susceptible to supply chain hacking since it is perceived that we are sending information to someone we trust.
There is, however, one variety of supply chain hacking that is clearly the most popular – targeting Point of Sale (PoS) vendors. Hackers infiltrate these PoS vendors and install malware on all their PoS systems. When the PoS vendor then installs these machines, they automatically send the credit card information to the hackers during each and every transaction.
This was the case for Jimmy John’s in 2014. More than 200 Jimmy John’s restaurants were affected, with the PoS malware stealing customer credit card information. Once Jimmy John’s became aware of the situation, they immediately removed the malware, but unfortunately it was too late for many of their customers.
Businesses can’t afford blind trust when it comes to suppliers – as the old adage goes, it is better to be safe than sorry. For example, when getting new systems installed (such as PoS), a good idea is to have them checked for malware before they are installed. It may be expensive, but the cost does not even come close to the expense of having thousands of customers’ credit card information stolen.
The reason supply chain hacking is commonplace is because it is successful. The reason it is successful is because organizations view their defenses as a fortress and complacency’s sweet embrace causes business leaders to drop their guard.
By being aware of the threat, businesses can question any suspicious correspondence from suppliers and implement tools such as two-factor authentication. It’s also critical to check any hardware you buy from vendors before you install it – after all, you wouldn’t let a large wooden horse through your castle doors, would you?