CISA, NIST Provide New Resource on Software Supply Chain Attacks

In a joint document published this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) provide information on software supply chain attacks, the associated risks, and how organizations can mitigate them.

The software supply chain is part of the information and communications technology (ICT) supply chain framework, which represents “the network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services,” CISA and NIST explain.

Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc (Ukrainian accounting software) compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.

A software supply chain attack occurs when threat actors manage to compromise a vendor’s environment and poison their software before it reaches customers, with the purpose of infiltrating the customers’ systems.

Once a vendor has been hacked, customers are compromised either through the acquisition of new, already infected software, or through the installation of malicious updates or hotfixes.

“These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,” CISA and NIST note in a document titled Defending Against Software Supply Chain Attacks.

Common techniques that attackers use when launching software supply chain attacks include update hijacking, tampering with code signing, and the compromise of open-source code. Thus, the adversary may compromise a vendor’s update mechanism, hack signing systems or employ self-signed certificates, or add their own code to publicly accessible code libraries.
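As an added example (not code from the CISA/NIST document or from SecurityWeek), the following Python shows the client-side checks that counter the first two techniques above: the update manifest is authenticated, the artifact digest is pinned, and version rollbacks are refused. The key, the manifest, the artifact bytes and the `example-agent` name are all constructed for the demonstration, and an HMAC stands in for the asymmetric code signature a real updater would verify.

```python
"""Defensive checks a client can run before applying a software update.

Added example (not from the CISA/NIST document): it demonstrates three
controls against update hijacking and code-signing tampering -- authenticate
the update manifest, pin the artifact digest, and refuse version rollbacks.
The key, manifest and artifact bytes below are constructed for the demo.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# --- constructed fixtures -------------------------------------------------
# Key provisioned to the client out of band.  A real deployment would verify
# an asymmetric signature (e.g. TUF/Sigstore) so no signing secret lives on
# clients; HMAC-SHA256 stands in for that here.
MANIFEST_KEY = b"constructed-manifest-authentication-key"

# The genuine release artifact and an attacker-modified copy (both constructed).
GOOD_ARTIFACT = b"example-agent v2.4.1: legitimate release contents"
TAMPERED_ARTIFACT = b"example-agent v2.4.1: legitimate release contents + implant"


def build_manifest(name: str, version: str, artifact: bytes) -> bytes:
    """Vendor side: describe a release as canonical JSON bytes."""
    manifest = {"name": name, "version": version,
                "sha256": hashlib.sha256(artifact).hexdigest()}
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest_bytes: bytes, key: bytes) -> str:
    """Vendor side: authenticate the manifest (HMAC-SHA256 stand-in for a signature)."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


GOOD_MANIFEST = build_manifest("example-agent", "2.4.1", GOOD_ARTIFACT)
GOOD_TAG = sign_manifest(GOOD_MANIFEST, MANIFEST_KEY)


@dataclass(frozen=True)
class VerificationResult:
    ok: bool
    reason: str


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def verify_update(manifest_bytes: bytes, tag: str, artifact: bytes,
                  installed_version: str, key: bytes = MANIFEST_KEY) -> VerificationResult:
    """Client side: accept the artifact only if every control passes."""
    # 1. Manifest authenticity: a hijacked update server can swap the artifact
    #    and rewrite the manifest, but cannot produce a valid tag without the key.
    expected_tag = sign_manifest(manifest_bytes, key)
    if not hmac.compare_digest(expected_tag, tag):
        return VerificationResult(False, "manifest authentication failed")
    manifest = json.loads(manifest_bytes)

    # 2. Artifact integrity: the downloaded bytes must match the pinned digest.
    actual = hashlib.sha256(artifact).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return VerificationResult(False, "artifact digest does not match manifest")

    # 3. Rollback protection: replaying a genuine but older (vulnerable) release
    #    is another form of update hijacking, so never step backwards.
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return VerificationResult(
            False, f"rollback rejected: {manifest['version']} is not newer than {installed_version}")
    return VerificationResult(True, f"update to {manifest['version']} verified")


if __name__ == "__main__":
    print(verify_update(GOOD_MANIFEST, GOOD_TAG, GOOD_ARTIFACT, "2.4.0"))
    print(verify_update(GOOD_MANIFEST, GOOD_TAG, TAMPERED_ARTIFACT, "2.4.0"))
    # Attacker re-issues a manifest for the tampered artifact but cannot authenticate it.
    forged = build_manifest("example-agent", "2.4.1", TAMPERED_ARTIFACT)
    print(verify_update(forged, GOOD_TAG, TAMPERED_ARTIFACT, "2.4.0"))
    # Genuine old release replayed against a newer installation.
    print(verify_update(GOOD_MANIFEST, GOOD_TAG, GOOD_ARTIFACT, "2.5.0"))
```

The order of the checks matters: the manifest is authenticated before any field in it is trusted, and the digest comparison uses `hmac.compare_digest` so a mismatch does not leak timing information. In a production updater the manifest key would be an asymmetric verification key and the manifest would also carry an expiry to limit freeze attacks.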

“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute. […] In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security,” CISA and NIST say.

Software supply chain compromise allows attackers to bypass in-place defenses for initial access, while also giving them persistent access to the targeted environment, which they can use for financial theft, data exfiltration and cyber-espionage, to disable defenses, and even to cause physical harm.

To mitigate the risks associated with supply chain attacks, network defenders should apply industry best practices before an attack occurs, CISA and NIST say. They also recommend that organizations use third-party software “in the context of a risk management program” that includes a formal, organization-wide cyber supply chain risk management (C-SCRM) approach.

The agencies also provide a series of recommendations on how organizations can prevent the acquisition of malicious or vulnerable software, how to mitigate already-deployed malicious or vulnerable applications, and how organizations can increase their resilience.

Defending Against Software Supply Chain Attacks also includes recommendations for software vendors, such as implementing and following a software development life cycle (SDLC) and integrating a secure software development framework (SSDF) to ensure they do not supply malicious or vulnerable software.

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack

Related: After Hack, Officials Draw Attention to Supply Chain Threats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
