The Cybersecurity in Supply Chains series with Seongkyoon Jeong explores cybersecurity issues and strategies relevant to supply chain managers. An assistant professor at the Haslam College of Business, Jeong is a digital supply chain researcher with rich experience in detecting vulnerabilities in software systems and in studying the economic impact of cyberattacks. Read his first post about why cybersecurity is a major supply chain risk domain.
In my last post, I examined the growing importance of supply chain cybersecurity, identifying key reasons behind its emergence as a critical industry issue and outlining measures taken by industry leaders and governments to mitigate risks. Today, I will dive deeper by introducing three common types of cyberattacks affecting supply chains. I will provide case examples, explore why these attacks occur, discuss their ramifications, and offer some preventive measures organizations can take.
Type 1: The “Fake” Supply Chain
A common and enduring tactic used by cybercriminals is the social engineering attack. In this type of cyberattack, hackers impersonate legitimate stakeholders, such as supply chain partners, CEOs, or even government officials, to manipulate unsuspecting victims into actions that compromise security. Their usual goal is to get victims to disclose sensitive information or to transfer funds.
This method remains effective in supply chain contexts because of the heavy reliance on digital communication, primarily email, as a standard for operational coordination. Hackers employ two main strategies: the “shotgun approach” and the more targeted “sniper approach.”
In the shotgun approach, attackers cast a wide net by sending generic phishing emails to a broad range of potential victims, hoping that at least a few will take the bait. For example, during the COVID-19 pandemic, cybercriminals impersonated well-known logistics companies like FedEx, DHL, and UPS, sending out fake notifications about delivery issues to lure unsuspecting victims. Similarly, hackers may pose as suppliers of in-demand items. This occurred during the pandemic as the demand for masks increased exponentially worldwide. By leveraging the sudden demand for personal protective equipment, hackers managed to infiltrate supply chains across sectors, including those of medical facilities and retail outlets.
Hackers using the sniper approach gather specific details about their targets from publicly available sources, such as social media profiles or business websites. By creating highly tailored phishing messages, attackers increase the likelihood of tricking their victims. For instance, a well-publicized case involved fraudsters impersonating a contracted supplier to siphon off $742,000 from the city of Ocala, Florida. In another instance, hackers compromised intermediaries, such as email service providers, to hijack communications between legitimate parties.
While these approaches may seem outdated, they remain highly effective in today’s digitally connected world. To defend against these attacks, companies are advised to employ multi-step validation processes before making crucial decisions, such as payments. Additionally, implementing a “zero-trust” policy, even with certified suppliers, helps ensure that all communications are verified before taking action.
Type 2: Cyberattacks Targeting Supplier-Managed Resources
Another prevalent form of supply chain cyberattack targets the resources managed by third-party suppliers rather than directly attacking the company itself. These resources can include sensitive data, IT infrastructure, and digital access points, making suppliers an appealing target for cybercriminals. In such attacks, the ripple effect often leads to compromised operations and reputational damage for the supplier’s customers.
Data breaches are particularly common. Suppliers frequently handle sensitive data, such as personal identification details or proprietary business information, on behalf of their clients. When such data is compromised, the supplier’s clients—along with their customers—can suffer significant consequences. A prime example is Marriott International, where a breach at one of its vendors exposed Social Security numbers and other sensitive data.
In addition to data, IT infrastructure provided by suppliers is a frequent target, especially as companies increase their reliance on cloud computing and other digital systems. However, many organizations fail to understand the intricacies of securing these infrastructures, leaving themselves vulnerable to misconfigurations. Numerous cloud-based cyberattacks have stemmed from improper security setups on the part of the user companies themselves, where simple oversights in cloud configuration left data exposed to attackers.
Furthermore, disruptions to a supplier’s operations due to a cyberattack can bring a company’s entire supply chain to a grinding halt. Consider the case of domain name system (DNS) attacks, where hackers take control of a supplier’s DNS server, crippling all online operations that rely on the service. Companies often attempt to mitigate these risks by building secondary channels, yet many fail to integrate these backup systems fully. The CrowdStrike case revealed that many organizations’ emergency supply chain planning remains poorly designed, particularly in IT systems.
To protect against these types of attacks, companies must go beyond basic due diligence and actively incorporate cybersecurity assessments into their supplier selection process. Just as sustainability is becoming a critical factor in supplier evaluations, cybersecurity should be a top priority. Companies should evaluate their suppliers’ responsiveness to cyber threats, ensuring they remain proactive in addressing vulnerabilities, especially as attackers and defenders continue to evolve in a dynamic, competitive relationship.
Type 3: Cyberattacks Through Supplier Access to Customer Systems
The third and most sophisticated type of supply chain cyberattack involves hackers leveraging a supplier’s access to a company’s systems. In these cases, attackers infiltrate a supplier’s system and use it as a conduit to compromise the company’s security measures. This can involve compromised software, hardware, or both. These attacks are particularly damaging because they bypass conventional security controls: the breach originates from within the company’s trusted infrastructure rather than at its perimeter.
A well-known example is the Magecart attack, which targeted online retailers to steal customers’ credit card information. Since many companies use third-party applications to manage their e-commerce systems, they inherit any security weaknesses in these external apps. Once malicious code is injected into such a component, it runs alongside the retailer’s own pages and can skim sensitive customer data unnoticed.
The SolarWinds breach is another notorious case of this attack type. Hackers compromised SolarWinds, a trusted IT management company, and used its software updates as a delivery mechanism to infiltrate numerous high-profile organizations, including U.S. government agencies.
Hardware-based attacks are equally concerning. A prime example is the 2013 Target data breach, where hackers infiltrated the company’s point-of-sale (POS) systems using malware initially delivered through a compromised supplier. In this case, the breach occurred through Fazio Mechanical, a small Pennsylvania-based HVAC company that worked with Target. The hackers gained access to Target’s network by stealing VPN credentials from Fazio’s technicians, demonstrating the far-reaching consequences of supplier vulnerability.
The critical lesson is that companies often treat their software and hardware systems as “black boxes”—systems that function without full visibility into their inner workings. This lack of transparency makes it difficult for companies to assess both initial and ongoing security risks. Just as supply chain professionals focus on “continuous improvement” in quality management, cybersecurity must be treated as an ongoing process requiring continuous monitoring, updates, and vulnerability assessments.
This post reviewed several common types of supply chain cyberattacks. While each has its own distinctive characteristics, they share a common property: each turns cybersecurity into a supply chain risk. Cybercriminals exploit the relationships between companies and suppliers to infiltrate critical systems, often causing significant operational and financial damage. Businesses must assess the specific risks they face and the role their suppliers play in these scenarios. By adopting a proactive approach to cybersecurity, integrating it into supplier evaluations, and treating it as a continual improvement process, organizations can better protect themselves against the evolving threat landscape of supply chain cyberattacks.