Hackers targeting software supply chains

30 July 2018

Hackers are increasingly attacking the technology supply chain to carry out foreign espionage, a US intelligence report has warned.

Foreign states are increasingly targeting software supply chains to steal US technology, intellectual property, trade secrets, and proprietary information, it said. 

It pointed the finger firmly at China, Russia and Iran, calling them “aggressive and capable collectors of sensitive US economic information and technologies”.

Last year there were more major attacks on supply chain software than ever before, with seven “significant events” reported in the public domain worldwide, compared to four during 2014-16. 

These included an attack originating from the Ukrainian accounting software M.E. Doc. The report called the attack “a destructive payload disguised as ransomware”, and it was attributed to Russia.

This “paralysed networks worldwide”, affecting banks, companies and infrastructure, and cost logistics firms FedEx and Maersk $300m each.

“As the number of events grows, so too are the potential impacts,” it said. “Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organisational disruption, or demonstrable financial impact.”

The report, by the US National Counterintelligence and Security Center (NCSC), warned that China, Russia and Iran would “almost certainly continue to deploy significant resources and a wide array of tactics to acquire intellectual property and proprietary information”.

“Our goal in releasing this document is simple: to provide US industry and the public with the latest unclassified information on foreign efforts to steal US trade secrets through cyberspace,” said William Evanina, director of the NCSC. 

“Building an effective response to this tremendous challenge demands understanding economic espionage as a worldwide, multi-vector threat to the integrity of both the US economy and global trade,” he added.

The report follows news that two in three companies worldwide have experienced cyber attacks on their supply chain software, according to a survey.
