Supply chain attacks are not new. In fact, as far back as you go in history, attacking supply chains is a tried and tested strategy for weakening an enemy. Stop supplies getting to the troops at the front line, and you have a significant advantage.
The same is becoming true in the digital world.
Supply chain attacks are growing in number and sophistication, and it is now clear that they are being coordinated at a state level and by cunning military minds.
The past year has seen several supply chain attacks that have taken the threat to a new level. SolarWinds was the most ‘successful’ attack and would attract the interest of any military historian.
It was the classic trojan horse strategy.
The first infiltration happened before October 2019, and it was, according to Security Week, a reconnaissance mission. It wasn’t until March 2020 that the (allegedly Russian) group inserted the malicious code that subsequently went out to the 18,000 companies who use SolarWinds. Thankfully, the final analysis showed that a tiny minority of those companies were affected, either through luck or the disruption involved in upgrading software every time a new patch arrived meant they had not let it loose.
Also, according to Security Week, the North Koreans and their Lazarus team have decided that supply chain attacks are a fruitful vein of disruption and extortion. South Korea has been a target, and its IT supply chain sector is on full alert.
SolarWinds is not the only supplier to be hit by supply chain attacks, according to Microsoft. The latter has publicly said that Russia is responsible for over 50% of recent attacks.
As a Microsoft spokesman says, “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”
This increased level of threat is made worse by changing consumer trends. The modern consumer chooses a brand based on how ethical the brand – and its supply chain – is. These brands are used to producing bamboo socks but not used to fighting what is undoubtedly a state-level military war.
Whether the supply chain attacks escalate into a full-scale digital war between nation-states remains to be seen. What we seem to be moving towards, and rapidly, is a digital Cold War, where Russia, China and, to a lesser extent North Korea, prove that they can bring a nation to its knees, while the US and its allies prove that they can do the same.
Let us hope that neither side actually proves it.