Your Company’s Safety: Recent Supply Chain Attack Cases and Countermeasures

In recent years, cyber attack methods have become increasingly sophisticated, posing a significant threat to companies.

Among them, “supply chain attacks” are rapidly increasing.

In the “10 Major Information Security Threats 2024” announced by the Information-technology Promotion Agency, Japan (IPA) in February 2024, supply chain attacks were ranked second for the second consecutive year.

This article reviews the latest cases of supply chain attacks and the countermeasures against them.

Table of Contents

  1. What is a Supply Chain Attack?
    1. The Importance of the Supply Chain
    2. Methods of Supply Chain Attacks
  2. Cases and Threats of Supply Chain Attacks
    1. Case 1: LINE Yahoo Information Leak
    2. Case 2: Ransomware Damage at Osaka Acute and General Medical Center
  3. Specific Measures to Protect Companies from Supply Chain Attacks
    1. Improving Security Awareness and Education
    2. Strengthening Password Management
    3. Thorough Implementation of Anti-Virus Software
    4. Optimizing File and Data Sharing Settings
  4. Summary

1. What is a Supply Chain Attack?

A supply chain attack refers to a cyber attack that targets vulnerable points in the corporate group that makes up the supply chain, such as business partners and contractors, rather than attacking the company itself directly.

1-1. The Importance of the Supply Chain

In modern society, companies do not operate businesses independently. Various companies cooperate to form a “supply chain” from raw material procurement to manufacturing, sales, and after-sales service.

With globalization, data is constantly exchanged over the Internet with many companies related to business, such as business partners, subsidiaries, and contractors.

However, from an information security perspective, even if a company’s own measures are perfect, a single company in the supply chain with a weak point can become the entry point for a cyber attack.

You should not think that because your company is a small or medium-sized enterprise, it will not suffer much damage even if it is attacked. It is possible that your company could be used as a stepping stone to damage a large company that is your business partner.

It is important that all companies involved in the supply chain share an understanding of why this matters.

1-2. Methods of Supply Chain Attacks

A supply chain attack involves gaining unauthorized access to one company in the supply chain and then using it as a stepping stone to extend the attack to the target company. The methods are explained in more detail below.

  • Targeted Attacks on Business Partners

Attackers choose a target company and then go after a business partner with weak security among the companies in its supply chain.

By sending malware to the business partner’s systems or launching phishing attacks, they gain a route into the target company via the business partner.

  • Social Engineering

Social engineering is a method of extracting important information by using fake emails or phone calls, or by looking over someone’s shoulder at a PC or smartphone screen.

By exploiting human error or carelessness, attackers illegally obtain information or gain unauthorized access to systems, and the attack then spreads through the supply chain.

  • Unauthorized Alteration of the Software Supply Chain

There are also methods such as embedding malicious code in legitimate software or update files, or hacking the developer’s system to tamper with the source code.

If a user installs the tampered software, there is a risk of being infected with malware or having confidential information stolen.

In this way, attackers target companies and organizations with relatively weak security measures, launch various attacks, and attempt to infiltrate the target company’s system from there.

2. Cases and Threats of Supply Chain Attacks

Supply chain attacks are attacks against multiple companies and can be a significant threat.

Let’s look at some examples.

2-1. Case 1: LINE Yahoo Information Leak

LINE Yahoo Corporation announced in November 2023 that user information, business partner information, and employee information had been leaked due to unauthorized access by a third party.

The unauthorized access was caused by malware infecting the system of a contractor of a related company, and can be said to be a type of supply chain attack.

As a result, approximately 300,000 pieces of personal information, including LINE user service usage history, were leaked.

In addition, it has been reported that business partner email addresses and employee names have also been leaked.

Reference: LINE Yahoo Corporation “Notice and Apology Regarding Information Leakage Due to Unauthorized Access”

2-2. Case 2: Ransomware Damage at Osaka Acute and General Medical Center

Osaka Acute and General Medical Center was hit by a ransomware cyber attack in October 2022.

The point of entry is said to be a vulnerability at the contractor that provides meals to the medical center.

It seems that the contractor’s VPN equipment was outdated and the latest updates had not been applied, so attackers broke in through it and the ransomware damage reached the medical center from there.

The damage amount is said to be several hundred million yen just for investigating the cause and restoring the system, and including the damage from having to suspend medical treatment, the total amount is said to be more than ten billion yen.

It took two months to fully recover, and they were forced to initialize and clean install more than 2,000 servers and terminals.

In both cases, the attack methods are not new: they target vulnerable parts of network devices and software, or install malware.

However, it is certainly true that you cannot protect everything with your own company’s security measures alone.

Reference: Osaka Prefectural Hospital Organization Osaka Acute and General Medical Center “About the Information Security Incident Investigation Committee Report”

3. Specific Measures to Protect Companies from Supply Chain Attacks

Even though it is called a supply chain attack, it is not an attack using groundbreaking technology or new methods. The attack itself is the same as before. In order to protect yourself from threats, it is still important to thoroughly implement normal security measures.

3-1. Improving Security Awareness and Education

It is more important than anything else to raise the security awareness of each and every employee.

Conduct regular security training and thoroughly educate employees on how to identify targeted attack emails, how to safely use external recording media such as USB memories, and information leakage risks.

It is necessary to improve the security literacy of individuals, including management, employees, dispatched employees, and business partners.

3-2. Strengthening Password Management

Be sure to use long, complex, and strong passwords.

In addition to IDs and passwords, prevent unauthorized access by introducing multi-factor authentication that combines multiple authentication factors such as biometric authentication and dedicated hardware tokens.

3-3. Thorough Implementation of Anti-Virus Software

Always install the latest anti-virus software and set it to automatically update virus definition files.

Furthermore, you should also consider introducing endpoint security tools that can handle methods that attack software vulnerabilities.

3-4. Optimizing File and Data Sharing Settings

Cancel unnecessary sharing settings for data on internal systems and cloud storage.

By operating with the minimum necessary access rights, you should be able to contain the damage even if unauthorized access occurs.

File encryption and restrictions on the use of USB memory are also effective measures.

These are all basic security measures, which is exactly why it is important to implement them thoroughly on every PC and for every employee within the company.

4. Summary

Supply chain attacks include not only direct attacks on the target company but also attacks that arrive through its business partners and related companies, so there is a risk of suffering serious damage without realizing it.

The measures that individual companies can take are by no means difficult, but unless all companies thoroughly implement security measures, it will not be possible to prevent damage from supply chain attacks.

Minimize the risk of supply chain attacks by thoroughly educating employees and combining basic measures.
