The Chinese hacking group nicknamed “Red Apollo” last year launched one of the largest ever sustained global cyber espionage campaigns. Rather than attacking companies directly, it targeted cloud service providers, attempting to use their networks to spread spying tools to a wide number of companies.
It was the latest warning sign of the risks posed by so-called supply chain attacks, according to PwC, the professional services company, which tracked the campaign.
Known as Operation Cloud Hopper, the attack targeted a small number of managed IT service providers, giving it the potential to spread malware to all the clients using these outsourcing companies to run their computer networks. Companies in 15 countries, including the UK, France, Switzerland, US, Canada, Australia and Japan were targeted.
This indirect approach demonstrates a new level of maturity in cyber espionage, and is increasingly common. Symantec, the cyber security company, says in a recent report it saw a 200 per cent increase in supply chain attacks in 2017 compared with the previous year. National governments are increasingly concerned about the trend.
However, hacking headlines recently have been dominated by geopolitical concerns, such as growing fears among western powers at Russia’s increasingly aggressive behaviour in cyber space. One of the behind-the-scenes ways of combating these threats is increasing supply chain security; UK security officials have made this one of their priorities for the rest of 2018.
Increase in supply chain attacks in 2017 recorded by Symantec
“If we look at the last year or two of cyber attacks there have been a lot of dramatic attacks,” says Ciaran Martin, chief executive of the UK’s National Cyber Security Centre (NCSC), part of GCHQ. “But one of the slow burning, strategic issues is the integrity of the supply chain and how corporations and government departments manage that risk.
“I think collectively we have been slower than we should have been to realise the importance of that.”
Cyber security experts say that while Cloud Hopper did not cause serious damage to those compromised, June 2017’s NotPetya attack, which the UK and the US have attributed to the Russian military, was an example of a supply chain attack that did have costly and damaging implications.
Although aimed primarily at companies in Ukraine, which has been in conflict with Russia-backed separatists since 2015, the ransomware attack spread far beyond its original target and is estimated to have cost businesses around the world, including the shipping group Maersk and UK-based consumer goods company Reckitt Benckiser, more than $1.2bn in total.
Richard Horne, a cyber security partner at PwC, explains how Russian hackers breached a software provider in Ukraine called MeDoc and inserted a “back door” into its next software update. “Once that was inserted then the attackers could download their malicious code — a brilliant piece of code — which then spread within about 60 minutes,” adds Mr Horne.
Ever since the poisoning of the former Russian double agent Sergei Skripal and his daughter in Salisbury in the south of England in March, the UK has stepped up its cyber security measures around potential Kremlin-backed cyber hostility.
The primary worry for cyber security officials is that state-backed hackers and criminals could penetrate the systems of critical infrastructure organisations such as banks, energy companies and government departments.
“From the point of view of the attacker — whether it’s defence, energy or basic commerce — if you can get in through the supply chain, it’s just as good as being in the main networks,” says Mr Martin of the NCSC.
Customers of US retailer Target had their details compromised
This year the NCSC published guidance on how to protect against the four most prevalent supply chain attacks. The guidance highlights third party software providers, website builders and external data stores as the most risky links in any company’s IT supply chain.
In 2013 the US retailer Target was attacked by a criminal group that entered its IT systems using access granted to a refrigeration and air conditioning supplier. The attack led to the details of more than 70m Target customers being compromised, including the accounts of more than 40m credit card holders.
Dave Palmer, director of technology at Darktrace, a cyber security firm, says that while high-profile incidents such as the Target hack alerted businesses to the risk in the supply chain, he still witnesses instances where external companies sign up to stringent security standards but then fall “woefully short”.
If you get in through the supply chain, it’s as good as being in the main networks
“They are busy, they have lots of customers and they don’t share your values,” says Mr Palmer. “The supply chain has in many ways the most exposure as these companies can rely on cheap and nasty security which would not stop any sophisticated attack,” adds Greg Sim, chief executive of Glasswall Solutions, a UK-based cyber security firm.
The NCSC says the onus is now on company boards to take greater responsibility for their suppliers’ standards. New EU General Data Protection Regulation rules, which came into force in May, also require companies to assess suppliers’ security risks.
“We have said for a long time it’s been too shrouded in mystique and lack of understanding and that boards should understand it like any other risk,” says Mr Martin. “But if you are sitting on the board of a company with a complex supply chain, do you know to ask what are we doing to ensure the cyber security of our main suppliers?
“Are they standards they have made up themselves? Is there a common framework? We are not yet doing as much as we should be doing.”