Prevalence of supply chain attacks

But famous does not mean rare. Supply chain attacks are rampant. Earlier this year, endpoint security firm Carbon Black issued a report on so-called island hopping—the term for what attackers do when they try to expand on a breach of a victim’s network.

According to the report, “attackers these days want to ‘own’ your entire system … Exactly half (50%) of today’s attacks leverage island hopping.”

Or as Tom Kellermann, Carbon Black’s chief cybersecurity officer, put it in the report: “They’re not just, say, invading your house—they’re setting up shop there, so they can invade your neighbors’ houses too.”

Ponemon’s 2018 Data Risk in the Third-Party Ecosystem found that 59% of more than 1,000 respondent companies in the U.S. and U.K. said they had been victims of a data breach caused by a third party or vendor during the previous year. Another 22% said they didn’t know whether they had been.

The headlines are littered with other examples. Russian hackers were able to spread the infamous NotPetya malware in 2017 in part by compromising the update mechanism for a Ukrainian accounting application.

That technique has continued into this year. Motherboard reported in March that Kaspersky Lab researchers found that attackers had compromised the Live Update function of Taiwan-based ASUS, one of the world’s largest computer makers, to spread a malicious backdoor to about 500,000 computers. The researchers labeled it ShadowHammer, and it worked because “the malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update.”

There are plenty more examples, but you get the idea.