Cybersecurity in the Supply Chain: Trust Is Good, Control Is Mandatory

Dependence on third-party vendors significantly increases risk, as every link in the supply chain can be a potential entry point for cyberattacks.

Hardware attacks on processors, power supplies, or network adapters are just as possible as manipulations of software components. Software providers, for example, often rely on third-party components to deliver product updates, as this is more efficient than in-house development. While they maintain control over their own product and develop it using proven methods, the update component remains under the external provider’s control—leaving it vulnerable to potential abuse.

The Weak Link: How Attacks on Third Parties Can Paralyze Everything

One of the most infamous supply chain attacks occurred in 2020 when SolarWinds was breached, and updates for its Orion software were manipulated. These corrupted updates were then unknowingly distributed to thousands of customers—including government agencies and major corporations. Those who dutifully installed the updates inadvertently introduced a backdoor into their own networks.

In 2024, the Russian ransomware group Qilin disrupted large parts of the UK’s healthcare system by attacking Synnovis, a service provider for the National Health Service (NHS). After Synnovis refused to pay a £40 million ransom, over 6,000 procedures and appointments had to be postponed—despite the fact that the NHS’s own IT systems were not directly affected.

Email communication is particularly vulnerable to exploitation, serving as a preferred loophole for cybercriminals. They use targeted phishing attacks to compromise the email accounts of service providers or partners, such as Managed Service Providers (MSPs), and then infiltrate target organizations to deliver malicious links or file attachments. This allows attackers to gain access to entire IT systems through compromised third parties and further spread manipulated software updates or cloud services.

The Four-Phase Model of Supply Chain Attacks

Supply chain attacks typically unfold in four consecutive phases, with the goal of comprehensively compromising a network:

  1. Initial Compromise: Hackers target a supplier within the supply chain, exploiting vulnerabilities in their systems or using social engineering tactics.

  2. Malicious Insertion: Once access is gained, attackers inject malicious code into products, software updates, or services that the supplier regularly distributes to customers.

  3. Propagation: The tampered component spreads through standard update processes or deliveries—often undetected, disguised as legitimate activity.

  4. Activation: Once the infected component reaches target systems, the malware is triggered, enabling data exfiltration, system takeover, or the creation of additional access points for attackers.

This approach highlights why supply chain attacks are especially dangerous: they exploit deep-seated trust relationships and established processes—often perceived as secure—for criminal purposes. Since attackers operate under the guise of legitimate supply chain and update procedures, their activities frequently go unnoticed until significant damage has already been done. But timely detection and defense are possible!

Third Parties in the Crosshairs

To protect against supply chain attacks, companies must scrutinize both their own systems and the security of their suppliers. A first step for any organization is implementing basic cyber hygiene, including:

  • Phishing-resistant multi-factor authentication (MFA)

  • Regular updates and patches

  • Comprehensive Extended Detection and Response (XDR) systems

  • A Zero Trust policy

Software development companies should additionally ensure that all development tools—from integrated development environments (IDEs) to version control systems—are protected against unauthorized access and regularly updated. Secure coding practices, Software Composition Analysis (SCA), and continuous security testing are also critical to identifying and mitigating risks from insecure third-party components and potential attack vectors early.

Digital Signature Verification and Early Detection

Beyond these fundamentals, companies should adopt advanced strategies, including:

  • Digital signature verification to detect tampered software components early.

  • Early risk detection through expert networks, cybersecurity labs, and threat reports to stay aware of emerging risks.

  • Security awareness training with realistic attack simulations and targeted employee education.
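The signature check from the first bullet, as an added example that is not code from the article or from Hornetsecurity: the customer side verifies an update against a publisher key pinned at install time, so a payload altered anywhere in the distribution channel is rejected before it runs. The `Update` structure, component name and payload are constructed for this illustration; the keys are generated on the spot only to make the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is the hypothetical package format used here: component name, payload
// bytes and the vendor's Ed25519 signature over SHA-256(name || 0x00 || payload).
type Update struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// digest binds the payload to its component name, so a genuine signature
// cannot be replayed onto a different component.
func digest(name string, payload []byte) []byte {
	d := sha256.Sum256(append([]byte(name+"\x00"), payload...))
	return d[:]
}

// sign is the vendor side; it runs only on the build system holding the private key.
func sign(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest(name, payload))}
}

// verifyUpdate is the customer side. The public key is pinned at install time and
// never taken from the update itself, so a compromised channel cannot ship its own key.
func verifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if len(pinned) != ed25519.PublicKeySize || len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed publisher key or signature")
	}
	if !ed25519.Verify(pinned, digest(u.Name, u.Payload), u.Signature) {
		return fmt.Errorf("%s: signature does not verify against pinned publisher key", u.Name)
	}
	return nil // safe to install
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	u := sign(priv, "example-agent-1.2.3", []byte("constructed update payload"))
	fmt.Println("genuine update:", verifyUpdate(pub, u))
	u.Payload = append(u.Payload, []byte(" plus bytes altered in transit")...)
	fmt.Println("tampered update:", verifyUpdate(pub, u))
}
```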

Once internal security architecture is robust, companies must also assess their supply chain partners:

  • How secure are their systems?

  • Do they have clear incident reporting processes?

  • Are their products regularly tested internally or externally?

  • Do they have a bug bounty program?

Businesses should also require suppliers to adhere to security standards and verify whether their suppliers—the "supply chain of the supply chain"—are adequately protected.

Early Detection, Half the Battle: Defending Against Supply Chain Attacks

Supply chain attacks are hard to detect, especially since many components lie outside a company's direct control. This makes monitoring and anomaly detection crucial: a Security Information and Event Management (SIEM) system collects and analyzes log data for suspicious patterns. But by the time an attack is detected, it’s often too late! Preventing incidents altogether is far better than damage control.
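One concrete form of the "suspicious patterns" a SIEM can look for in the update scenario above, as an added example that is not code from the article or from Hornetsecurity: a monitored update process contacting a destination outside the vendor endpoints it normally uses. The log format, process name and hostnames are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a network-connection record as a SIEM would normalize it. The
// whitespace-separated "time host process dest" format is constructed here.
type Event struct{ Time, Host, Process, Dest string }

func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, false
	}
	return Event{Time: f[0], Host: f[1], Process: f[2], Dest: f[3]}, true
}

// detect flags connections from a monitored update process to any destination
// outside the vendor endpoints it is expected to use. A component tampered with
// upstream keeps its legitimate name, so where it calls out to is often the first anomaly.
func detect(lines []string, expected map[string]map[string]bool) []string {
	var alerts []string
	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue // malformed record; a real pipeline would count these too
		}
		allowed, watched := expected[ev.Process]
		if watched && !allowed[ev.Dest] {
			alerts = append(alerts, fmt.Sprintf("%s %s: %s reached unexpected destination %s",
				ev.Time, ev.Host, ev.Process, ev.Dest))
		}
	}
	return alerts
}

func main() {
	logs := []string{ // constructed sample: two routine update checks, one that drifts
		"2024-06-01T02:00:01Z srv01 updater.exe updates.vendor.example",
		"2024-06-01T02:00:02Z srv02 updater.exe updates.vendor.example",
		"2024-06-01T02:00:03Z srv01 updater.exe api.unknown-host.example",
	}
	expected := map[string]map[string]bool{"updater.exe": {"updates.vendor.example": true, "cdn.vendor.example": true}}
	for _, a := range detect(logs, expected) {
		fmt.Println("ALERT:", a)
	}
}
```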

A holistic protection strategy offers decisive advantages against supply chain attacks by covering multiple security layers and effectively minimizing vulnerabilities. Such an approach should include:

  • Securing email communication—the most common entry point.

  • Regular, comprehensive backups in Hyper-V, VMware, or Microsoft 365 environments to prevent data loss in case of an attack.

  • Employee training to recognize threats like phishing and social engineering.

Combining technical safeguards, data backups, and targeted awareness creates a robust defense against modern cyber threats.

Dr. Yvonne Bernard

As CTO of Hornetsecurity since 2021, she oversees the strategic and technological direction of the product portfolio.