New Cyber Supply Chain Threat Detected

10 May 2019

A new supply chain attack has emerged in recent months, bringing this growing and hard-to-detect cyber threat to the forefront.

In March, Kaspersky Lab revealed that hackers had compromised the systems of a major Taiwanese computer manufacturer and pushed out to customers a malicious update signed with one of the manufacturer's legitimate digital certificates, so that it passed the same checks as a genuine update. According to the cyber security firm, the attack affected at least 57,000 computers, but the total could be as high as one million users worldwide.

Dubbed ShadowHammer, the newly discovered supply chain attack has since been linked to other companies. Kaspersky Lab found evidence that the same attackers targeted at least six other organisations, including a number of Asia-based gaming companies, IT service providers and a pharmaceutical company. The hackers compromised these companies' systems in order to reach their customers, either by altering source code or by injecting malware into the software they shipped.

Growing vulnerability

Supply chain attacks are a hot topic, following the compromise of managed service providers (MSPs) and several software products in recent years. According to cyber security firm Symantec, supply chain attacks have increased 78% over the past year.

Supply chain cyber attacks use legitimate software, IT services or third-party app developers as the delivery channel for malware or malicious code into target companies, which hackers can then use to steal data or take control of IT systems. Because the malicious component arrives through a trusted channel, such attacks are hard to detect, and a single compromise can breach many companies at once.

Hacking group Magecart, for example, targets third-party services in order to get its code onto the websites it is after. The group was behind a number of large data breaches in 2018, including high-profile payment card skimming attacks against the consumer-facing websites of an airline and an online ticket vendor.

In the latter case, Magecart compromised a third-party chatbot embedded in the website, so that its malicious code loaded in the web browsers of consumers visiting the site, in a bid to steal their payment data.

In 2017, hackers targeted a small software company and inserted malicious code into a legitimate PC clean-up tool. The trojanised version was reportedly downloaded more than two million times, by both individuals and businesses, and was used to stage further attacks against large technology and telecommunications companies in the UK, Taiwan, Japan, Germany and the US.

NotPetya, the malware attack that caused worldwide disruption in June 2017, was also a supply chain attack. Attackers introduced malware into a software update for MeDoc, a legitimate application widely used by businesses in Ukraine for handling tax returns.

The compromised MeDoc update infected computers running the application, and from there the malware spread by itself across connected networks.

Cyber espionage group Dragonfly (also known as Energetic Bear) is thought to have targeted energy companies through the software supply chains of their industrial control systems (ICS).

This included hacking ICS software suppliers and replacing legitimate installer files in their download repositories with malware-infected versions; in effect, the legitimate ICS software was “trojanised”. When customers downloaded the software from the suppliers' websites, it installed the malware alongside the legitimate ICS software, giving the hackers remote access to the target company's systems.
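The chatbot and ICS installer cases above share one defensive check: the consumer of a third-party artifact records a digest of a copy it has verified, and refuses to run or load anything that does not match. The following is an added illustration written for this page, not code from any of the vendors, victims or security firms named; the sample script body, the tampered copy and the `https://chat.example/widget.js` URL are constructed, and the function names are hypothetical. It shows both a pinned SHA-256 check, as an operator might apply to a downloaded installer, and the Subresource Integrity (SRI) value a browser uses to reject a modified third-party script.

```python
import base64
import hashlib
import hmac

# Constructed sample artifacts, standing in for a vendor installer or a
# third-party script body; they are not files from any incident discussed above.
LEGITIMATE = b"window.chatWidget = function () { /* vendor chat widget */ };\n"
TAMPERED = LEGITIMATE + b"/* extra code appended after the file was pinned */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact: the value an operator pins from a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data: bytes, pinned_hex: str) -> bool:
    """Compare an artifact against a previously pinned SHA-256 in constant time."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Build an SRI value ("sha384-<base64 digest>") for a script body."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check a script body against an SRI value, as a browser does before executing it."""
    algo, sep, encoded = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError; malformed base64
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def script_tag(src: str, data: bytes) -> str:
    """Emit a script tag that pins the third-party file to its known-good contents."""
    return (f'<script src="{src}" integrity="{sri_integrity(data)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sha256_hex(LEGITIMATE)  # recorded from a verified copy, out of band
    print("installer matches pin:", verify_pinned(LEGITIMATE, pinned))  # True
    print("tampered installer matches pin:", verify_pinned(TAMPERED, pinned))  # False
    print(script_tag("https://chat.example/widget.js", LEGITIMATE))
    print("tampered script passes SRI:",
          verify_sri(TAMPERED, sri_integrity(LEGITIMATE)))  # False
```

Two caveats apply. The pin is only as good as the copy it was taken from: a hash published on the same supplier website an attacker already controls proves nothing, and in the ShadowHammer case the update also carried a valid code signature, so a signature check alone would have passed it. And SRI only works for scripts whose contents are fixed; a third-party widget that updates itself on the vendor's schedule has to be re-pinned each time, which is exactly the trust the Magecart attack exploited.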


Supply Chain Cover

An organisation should consider the impact that a cyber attack on its technology and IT supply chain would have on it. That means knowing who its third-party suppliers are and how strong their cyber security is, as well as where risk is concentrated and which suppliers depend on one another.

Companies are often reliant on a small number of major software, hardware and service providers, meaning one attack could potentially affect a large number of companies within their supply chain. 

For example, a major US software provider, which provides services to 400,000 organisations worldwide, including 98% of the Fortune 500, revealed in March that it was investigating a cyber attack after the FBI had warned the company that it may have been targeted by hackers.

Insurance cover for cyber attacks within the technology and IT supply chain is widely available. Companies are advised to discuss this issue with their broker and check appropriate cover is included in their cyber insurance policy.

New Laws to Strengthen Data Protection Have Had a Positive Impact on Cyber Security

More than half of British firms reported a cyber attack in 2019, according to Hiscox. The insurer found that 55% of UK companies had faced an attack in 2019, up from 40% in the previous year's survey. Yet almost three-quarters of firms were ranked as "novices" in terms of cyber readiness, and Hiscox said many businesses "incorrectly felt that they weren't at risk".

The firm surveyed more than 5,400 small, medium and large businesses across seven countries: the UK, Germany, the US, Belgium, France, the Netherlands and Spain. Across all seven it reported a "sharp increase" in the number of cyber attacks this year, with more than 60% of firms reporting one or more attacks, up from 45% in 2018. Average losses from breaches also rose from US$229,000 (£176,000) to US$369,000, an increase of 61%.

A report from Beazley revealed a 133% increase in business email compromise incidents from 2017 to 2018. Beazley also found that the average ransomware demand in 2018 was more than US$116,000, although this figure was skewed by a few very large demands; the median was US$10,310.

The highest demand received by a Beazley client was for US$8.5 million, the equivalent of 3,000 Bitcoin at the time. Small and medium-sized businesses, which tend to spend less on information security, were at higher risk of being hit by ransomware than larger firms.



  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Before that, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.

  • For more articles like this, download our Cyber Decoder
