Email Security

    Supply-Chain Attacks in the Real World: Bridging the Cyber Divide

    Cyberattackers attempted to take down the US electric grid—through companies like yours.

    by Ed Jennings

    Any business in the B2B space is part of a supply chain, whether you feed into larger businesses or those larger businesses feed into you. If you find yourself as a smaller business feeding into larger ones, you are more susceptible to attacks than some in your organization may think.

    In a previous edition of Bridging the Cyber Divide, we examined supply chain attacks, how they happen, why they are so prevalent, and some high-profile instances of such attacks.

    This time, we want to take an even deeper dive on a staggering January report by the Wall Street Journal about coordinated, targeted attacks aimed at taking down the US electric grid likely perpetrated by Russian threat actors.

    These hackers didn’t go right for the source: they tried to sneak their way in through small companies—contractors, subcontractors, even companies that didn’t work directly with the utilities but had some association with the industry. WSJ reported that at least two dozen US-based utilities were breached.

    This should provide a major wakeup call to people in your organization who might think it isn’t worth the expense to bring in cybersecurity solutions on top of your existing IT infrastructure. This is proof positive that anyone—no matter how big or small—can be a target in a bigger cyberattack.

    Nobody is a “Nobody” in Supply Chain Attacks

    The first anecdote of supply chain attacks included in the WSJ article involved an Oregon construction company with 15 employees. In March 2017, customers received an email claiming to be from the company, asking them to sign an agreement, but it didn’t have an attachment. The owner of the company, Mike Vitello, had “no idea” what they were talking about and told recipients to ignore it.

    Things later took an alarming turn.

    Then, a few months later, the U.S. Department of Homeland Security dispatched a team to examine the company’s computers. You’ve been attacked, a government agent told Mr. Vitello’s colleague, Dawn Cox. Maybe by Russians. They were trying to hack into the power grid.

    “They were intercepting my every email,” Mr. Vitello says. “What the hell? I’m nobody.”

    “It’s not you. It’s who you know,” says Ms. Cox.

    The company worked with utilities and government agencies and was viewed by foreign threat actors as a way into the US electric grid. They hacked into Vitello’s email and sent customers a link to a little-used website hijacked by these actors that was likely used as a backdoor to gain access to the recipient’s systems.

    Supply chain attackers used Vitello’s email again to send out fraudulent notes two weeks later. When one of the recipients responded by saying they thought Vitello had been hacked, they got a response back from Vitello’s account saying he had sent it. That individual then called Vitello to double check and Vitello confirmed he hadn’t sent anything.

    There are a lot of lessons to glean from this anecdote. First, it’s not surprising the owner of a small construction company wouldn’t think they’d be targeted by cyberattacks. But nobody really is a “nobody.” And for non-technical folks in your organization, this should be Exhibit A for why they should change their thinking about the likelihood of being a cyberattack target.

    When they say, “it can’t happen to us,” you can tell them that it did happen to a 15-person company not because of who they were but because of what they did and who they knew.

    Also, the response from one of the recipients of the second suspicious email is a strong example of cybersecurity awareness training at work, which we discussed back in December in this series. If an email looks suspicious or not right, it is always a best practice to either delete it if you don’t know the sender or, if it looks like it comes from someone you do know and they’re asking for something of you, to get on the phone and confirm with them they actually sent it.

    Supply Chain Attacks in All Forms and Sizes

    The WSJ’s report exposed details about numerous victims of this supply chain attack, or series of attacks, running the gamut of different kinds of companies and tactics.

    At a small media company that publishes trade publications for the energy industry, Russian actors are suspected of having infected a website and used it to spy on visitors they could then attack.

    At a small professional services company in Oregon, an employee reportedly fell for the aforementioned fake email exploit; the supply chain attackers then broke through the company’s firewall, created a fake internal account with “broad administrative access” and from there went after the energy firms.

    One small, 20-person carpentry company in Michigan was infiltrated by the attackers. WSJ said at least three utility companies received bogus resumes from email addresses associated with the Michigan company. The resumes were “tweaked to trick recipients’ computers into sending login information to hacked servers,” WSJ reported.

    Supply chain attackers also went after an excavation company which, after it was hacked, blasted out an email with a fake Dropbox link to 2,300 contacts—including several large utilities.

    Many of these are classic email-borne attacks, and stopping the impact of malicious URLs, attachments and websites requires sophisticated technological safeguards. Without them, you could be the next anecdote in the next big story about cyberattacks. You need a plan for how you’re going to protect yourself, and getting everyone on board is key.

    Remember: nobody is a “nobody” when it comes to the supply chain. It’s all connected, it’s all important and you don’t want to be the one that breaks the chain because your cybersecurity isn’t up to par. Don’t treat yourself like a “nobody”: take a proactive, in-depth approach to cybersecurity so you’ll have the cyber resilience to stand up to the most serious of attack types.
