Cyberattacks on the supply chain: major attacks and their impact
Cyberattacks on the supply chain are a serious threat to companies. Attackers exploit the vulnerabilities of business partners such as suppliers and service providers to gain access to other targets. In this article, we take a look at some of the most significant hacks of recent years and their impact. The examples illustrate the scope of such attacks and the need for risk assessment of third-party companies along the supply chain.
1. Cyber attack on SolarWinds
The attack on SolarWinds is considered one of the most serious cyberattacks in recent history. Attackers infected the updates for the Orion platform of the network management solutions provider with the Sunburst malware. The affected customers include companies such as Microsoft, Intel and Cisco as well as several US ministries and authorities, up to 18,000 customers in total. The consequences were serious: the hackers were able to access sensitive data and Microsoft's program code. The attack on SolarWinds cost companies in key sectors an average of 11% of their annual turnover. The attack was attributed to the Russian hacker group APT29, also known as Cozy Bear, and was discovered in December 2020.
Facts overview
- Affected customers:
Microsoft, Intel, Cisco, Deloitte, several US ministries and authorities, among others; up to 18,000 customers in total
- Attack path:
Hackers infected updates for SolarWinds' Orion network management platform with Sunburst malware
- In detail:
Installation of a backdoor on infected systems to take them over remotely. The attackers were able to access the user accounts of affected organizations and impersonate them
- Consequences:
Access to the network environment and program code at Microsoft; access to sensitive customer data
- Damage:
On average 11% of a company's annual turnover
2. Cyber attack on MOVEit
One serious attack affected the data transfer program MOVEit Transfer from Progress Software Corp., a US company based in Burlington. MOVEit is used worldwide by many companies and service providers, especially banks and insurance companies, for the exchange of sensitive data. Using a zero-day SQL injection vulnerability, the attackers were able to bypass security controls and gain access to the confidential data of over 62 million people, including medical information and social security numbers. Customers affected include British Airways, the BBC, US government agencies, several major healthcare providers from around the world, the University of Georgia and Heidelberger Druck, among others; more than 2000 customers in total. The estimated damage amounted to around USD 9.9 billion. The hacker group CLOP is suspected of having carried out this attack in June 2023.
Facts overview
- Service provider:
Progress Software Corp.
- Affected customers:
British Airways, BBC, US authorities, PwC, EY, NYC public school system, among others; more than 2000 customers in total, including other service providers → cascading effect (see 3. Majorel)
- Attack path/technique:
Zero-day exploit of a SQL injection vulnerability that can be used for Remote Code Execution (RCE)
- In detail:
The zero-day vulnerability allowed attackers to remotely penetrate the MOVEit Transfer database without authentication and inject SQL commands to modify or delete critical database elements
- Consequences:
Over 62 million people affected; including access to sensitive personal data such as medical information and social security numbers
- Damage:
~9.9 billion USD (estimate)
3. Cyber attack on Majorel Germany GmbH
As a result of the MOVEit hack, the Majorel Germany account switching service was hacked. Customers such as Barmer, ING, Deutsche Bank, Comdirect, some Sparda banks and others were affected. The attackers were able to steal personal data such as bank details and health insurance numbers. In total, more than 144,000 data records of bank customers appeared on the darknet. The attack was uncovered in July 2023. The exact amount of damage is not known.
Facts overview
- Affected customers:
e.g. Barmer, ING, Deutsche Bank, Comdirect, Postbank, Sparda-Banken, Versicherungskammer Bayern
- Attack path/technique:
Zero-day exploit; the attack can be traced back to the MOVEit hack
- In detail:
Attackers were able to penetrate the MOVEit Transfer database and inject SQL commands
- Consequences:
Access to and publication of sensitive personal data such as bank details, health insurance numbers, premium contributions (at the insurer); in total, hackers captured more than 144,000 data records
- Damage:
No figures known
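To make the attack class behind the MOVEit and Majorel incidents concrete, here is an added Python example (not MOVEit's code; the page does not describe its actual schema or flaw) that places a string-concatenated folder lookup in a file-transfer style service beside its parameterized form, so the difference between the two is visible on a constructed dataset:

```python
import sqlite3

# Constructed sample data: a minimal file-transfer "folders" table with one
# folder per tenant. Illustrates the SQL-injection class, not MOVEit itself.
SAMPLE_ROWS = [
    (1, "alice", "payroll-2023"),
    (2, "bob", "claims-export"),
    (3, "carol", "patient-records"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE folders (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO folders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_folder_vulnerable(conn, owner, name):
    # Vulnerable: untrusted input is concatenated into the statement, so a
    # caller can change the query's structure instead of only its values.
    sql = (f"SELECT id, owner, name FROM folders "
           f"WHERE owner = '{owner}' AND name = '{name}'")
    return conn.execute(sql).fetchall()

def find_folder_hardened(conn, owner, name):
    # Hardened: values are bound as parameters; the database treats them as
    # data only, so quote characters cannot terminate the string literal.
    sql = "SELECT id, owner, name FROM folders WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()

def compare(owner, name):
    """Run both variants on a fresh database and return (vulnerable, hardened)."""
    conn = make_db()
    try:
        return (find_folder_vulnerable(conn, owner, name),
                find_folder_hardened(conn, owner, name))
    finally:
        conn.close()

if __name__ == "__main__":
    # Legitimate request: both variants return only Bob's folder.
    print(compare("bob", "claims-export"))
    # Constructed malicious value: the quote closes the literal, "OR 1=1"
    # makes the WHERE clause true for every row, and "--" comments out the
    # rest. The vulnerable variant returns every tenant's folder; the
    # hardened variant matches nothing because the value is just a string.
    print(compare("' OR 1=1 --", "x"))
```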
4. Cyber attack on Infosys McCamish Systems
The US service provider for financial and insurance companies Infosys McCamish Systems (IMS) suffered a serious ransomware attack in November 2023. The data of over six million people was compromised, including names, addresses, dates of birth, social security numbers, medical records, credit card information and passwords. No details are available regarding the method of attack. Among the customers affected are the major US bank Bank of America Corporation (BofA) and the US pension insurance company Oceanview Life & Annuity. The estimated loss for IMS is at least USD 30 million. The attack is attributed to the LockBit ransomware group.
Facts overview
- Affected customers:
e.g. Bank of America Corporation (BofA), US pension insurance company Oceanview Life & Annuity
- Attack path/technique:
Ransomware
- In detail:
Nothing known
- Consequences:
Sensitive data of over 6 million people was compromised. This included names, social security numbers, financial information, medical information, biometric data and passport numbers
- Damage:
IMS estimates at least USD 30 million; no information from BofA or Oceanview Life & Annuity
5. Cyber attack on Kaseya
In July 2021, Kaseya, one of the world's leading providers of IT management software, fell victim to a ransomware attack. The attackers gained access to the remote maintenance software VSA via an unpatched zero-day vulnerability and created a malicious update that was automatically installed on the VSA servers in customers' networks. In addition to Kaseya, the affected companies included numerous IT service providers, resulting in a domino effect that affected up to 1500 organizations worldwide, including the Swedish supermarket chain Coop. The attackers initially demanded a ransom of USD 70 million, but later reduced the amount. The attack led to the encryption of data and systems and caused production downtime. Specific damage figures were not made public.
Facts overview
- Affected customers:
including Coop (supermarket chain); approx. 50 direct customers, including other service providers. A domino effect occurred, affecting up to 1500 organizations
- Attack path/technique:
Attack on Kaseya's VSA software, which organizations use to manage software updates in computer systems
- In detail:
As a result of the VSA update manipulation, ransomware was transferred to customer networks
- Consequences:
Encryption of data and systems of affected organizations; production downtime in some cases; access to and publication of personal data
- Damage:
No concrete figures
6. Cyber attack on Adesso
In early summer 2022, the IT service provider Adesso, whose customers include DAX companies such as Daimler, BMW, RWE and Eon as well as federal authorities such as the Federal Ministry of the Interior and for Home Affairs (BMI), the Federal Ministry of Digital and Transport (BMDV), the Federal Criminal Police Office (BKA), the financial supervisory authority BaFin and the Bundesbank, was hacked. The attackers exploited a security vulnerability in Atlassian's Confluence software, manipulated plug-ins installed in systems and gained privileged access to systems and files in the internal network. The attack was first discovered by the Adesso security team in January 2023, but was only made public by a whistleblower. Concrete damage figures were not published.
Facts overview
- Affected customers:
including DAX companies, BMI, BMDV
- Attack path/technique:
Security vulnerability in the enterprise wiki system "Confluence" from the software manufacturer Atlassian
- In detail:
Nothing known
- Consequences:
Access to individual information and files, including large amounts of e-mail communication with personal data
- Damage:
No figures known
7. Cyber attack on Count + Care
A ransomware attack on the Hessian IT service provider Count + Care paralyzed several companies, including important KRITIS (critical infrastructure) operators and municipalities, in June 2022. Attackers managed to penetrate the service provider's corporate network and encrypt data and systems. Count + Care is the IT subsidiary of the ENTEGA Group, one of Germany's leading energy and infrastructure service providers. In addition to the energy supplier, the Darmstadt-based transport company Heag, the Frankfurt Waste Disposal and Service Group (FES) and the Mainz municipal utilities were also affected. As a result of the attack, numerous personal data of ENTEGA employees and business partners ended up on the darknet.
Facts overview
- Affected customers:
including Entega, Frankfurter Entsorgungs- und Service-Gruppe (FES), Heag, Mainzer Stadtwerke
- Attack path/technique:
Ransomware
- In detail:
Nothing known
- Consequences:
Encryption of data and systems of affected organizations; homepages no longer accessible; services restricted (e.g. travel cancellations in local public transport)
- Damage:
No figures known
Conclusion
Cyberattacks on the supply chain can develop into domino-like chain reactions. Companies must counter these threats with robust security measures to protect their systems and data. This requires a holistic security strategy that takes both technological and organizational aspects into account.
A first step is the careful selection of service providers: check the security standards and certifications of your providers. Make sure that your service providers comply with IT and data protection requirements (including regulations such as NIS2, DORA and TISAX) and carry out regular security checks. LocateRisk's business partner risk management supports you with automated IT risk analyses and monitoring as well as digital questionnaires for supplier self-disclosure. This enables all parties involved to save time and costs, minimize risks and drive continuous improvement.