Third-party risk management (TPRM) is a critical aspect of cybersecurity due to the increasing interdependencies and complexities in today’s global, interconnected networks and systems. TPRM’s importance is most acutely evident when considering the risks associated with supply chain attacks on companies, which continue to grow in number and damage.
The most glaring recent example of the complexity of supply chain risks and the importance of TPRM came in the form of a double supply chain attack in 2023. This article takes a look at what a double supply chain attack is and offers some pointers to strengthen TPRM for your company.
A double supply chain attack is essentially where one supply chain compromise leads to another supply chain compromise. This cascading effect makes detecting the breach’s origin even trickier, and it can leverage the intricate supply chain networks to explode in reach and impact. The ability to stack a supply chain attack into multiple layers demonstrates the creativity and innovation of today’s most advanced threat groups.
A brief reminder: a supply chain attack happens when an attacker infiltrates your system or network through an outside partner or provider that has access to your systems and data. The most common form is a software supply chain attack, in which malware is distributed to many organizations at once by compromising a third-party application vendor’s code or other software components. Every company that relies on the compromised third-party code can be affected, for example when it downloads an update.
Supply chain attacks tend to be high-risk cybersecurity incidents for three reasons:
A double supply chain attack ticks all three boxes, even more comprehensively than a standard supply chain attack. Chaining intrusions arguably broadens the reach of the attack. The multiple layers make it harder to detect. And the potential impact may be amplified when the source of the problem cannot be uncovered.
While nobody ever said a double supply chain attack wasn’t possible, it remained in the realm of the imagination until a highly publicized breach of VoIP provider 3CX. According to 3CX’s website, over 600,000 customers use 3CX’s software to help their businesses connect and collaborate. In those numbers is the seed for a damaging supply chain attack.
But what made the March 2023 attack so interesting was not merely the widespread use of 3CX at companies in various sectors. The uniqueness came in the form of a double software supply chain attack carried out by a North Korean nation-state threat group.
The incident hit many companies that rely on 3CX’s software, including several critical infrastructure operators. It all started when attackers backdoored a completely separate software application named X_TRADER. This financial software package, developed by Trading Technologies, was compromised, and a 3CX employee installed the malicious version of it on their system.
It remains unclear why a 3CX employee installed a trading app on their device; perhaps it was a classic case of shadow IT use or merely personal interest in trading. The 3CX employee in question had their credentials stolen in this first part of the double supply chain attack.
But the most damaging part came when the attackers found a way to reach the many companies that rely on 3CX’s software by chaining this intrusion into a compromise of 3CX’s development environment. Having obtained credential-based access to the 3CX network, the attackers moved laterally and eventually compromised the Windows and macOS build environments for 3CX software. They then pushed out a malicious version of the 3CX desktop app to every company and user that installed it.
The 3CX attack highlights the need for businesses to refine and strengthen their approaches to managing third-party risks. It might seem like this incident was a one-off fluke, but that’s a risky attitude to take. Here are some pointers for improving TPRM: