‘Island hopping’ cyber threat puts supply chains at risk

17 April 2019

Supply chain firms are being targeted in a new trend known as “island hopping” where cyber criminals access the networks of other organisations in their victim’s supply chain, a report has warned.

Cloud computing security specialist Carbon Black analysed 500 incident responses to cyber attacks, carried out by 40 partners using its software, in its quarterly Global Incident Response Threat Report released this month.

It found that half of today’s cyber attacks on companies involve the new “island hopping” trend. This typically takes the form of an attack on an organisation’s managed security services provider, before spreading that organisation’s connections.

Thomas Brittain, leader of Carbon Black’s global incident response partner program, said: “More often than not, the adversary is going after the weakest link in the supply chain to get to their actual target.”

He added: “Businesses need to be mindful of companies they’re working closely with and ensure that those companies are doing due diligence around cybersecurity as well.”

Some 47% of Carbon Black’s respondents said they had found evidence of the new type of attack in the financial sector, while 42% had seen it in manufacturing firms and 32% in retail companies.

One in seven (16%) had found this type of attack in professional services firms, which was particularly worrying because it could give access to confidential client work, the report said.

“Amid worldwide trade negotiations, evolving economic sanctions and an ever-globalizing marketplace, nation state actors are seeking any competitive advantage they can get,” it stated.

Ryan Cason, director of partner solutions at Carbon Black, said: “Going after manufacturing companies for IP purposes reduces R&D costs for designing everything from to cell phones, to high-grade weapons.”

He added: “It allows them to get to market quicker, at a cheaper price point, to the detriment of their victim.”

More than a fifth (22%) of respondents said intellectual property theft was an attacker’s end goal this quarter, compared to one in 20 (5%) the previous quarter.

More than half (56%) of respondents had encountered reactions to their responses to the attacks in the past quarter, with 87% citing the destruction of logs by hackers, while 70% witnessed other evasion tactics.

Companies need to be alert to the evolving tactics of cyber criminals, and ensure they identify and tackle areas of vulnerability before a full-on breach, according to the report.

The dangers of hacking were highlighted last month, when Kaspersky Lab revealed that computer maker ASUS had fallen victim to hackers who had managed to compromise one of the company's servers used to provide software updates to ASUS machines. This gave the hackers backdoor access to about half a million Windows machines, although the attackers appear to have only been targeting about 600 systems.

This position can be based at our headquarters in Dover or any one of our overseas offices.
Between £50,000 - £60,000 depending on experience
Megger Group
East London
East London Waste Authority
CIPS Knowledge
Find out more with CIPS Knowledge:
  • best practice insights
  • guidance
  • tools and templates