CISA, NIST Provide New Resource on Software Supply Chain Attacks

In a joint document published this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) provide information on software supply chain attacks, the associated risks, and how organizations can mitigate them.

The software supply chain is part of the information and communications technology (ICT) supply chain framework, which represents “the network of retailers, distributors, and suppliers that participate in the sale, delivery, and production of hardware, software, and managed services,” CISA and NIST explain.

Aside from the SolarWinds incident, other notorious supply chain attacks over the past several years include the CCleaner malware campaign, the MeDoc (Ukrainian accounting software) compromise leading to NotPetya, Operation ShadowHammer, the infection of IoT devices running Windows 7, and the abuse of Kaspersky Lab software to steal NSA files.

A software supply chain attack occurs when threat actors manage to compromise a vendor’s environment and poison their software before it reaches customers, with the purpose of infiltrating the customers’ systems.

Once a vendor has been hacked, customers are compromised either through the acquisition of new, already infected software, or through the installation of malicious updates or hotfixes.

“These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers,” CISA and NIST note in a document titled Defending Against Software Supply Chain Attacks.

Common techniques that attackers use when launching software supply chain attacks include update hijacking, tampering with code signing, and the compromise of open-source code. In practice, the adversary may compromise a vendor’s update mechanism, break into signing systems or use self-signed certificates to pass off their own code as legitimate, or add malicious code to publicly accessible code libraries.

“Software supply chain attacks typically require strong technical aptitude and long-term commitment, so they are often difficult to execute. […] In general, advanced persistent threat (APT) actors are more likely to have both the intent and capability to conduct the types of highly technical and prolonged software supply chain attack campaigns that may harm national security,” CISA and NIST say.

Software supply chain compromise allows attackers to bypass in-place defenses for initial access, while also giving them persistent access to the targeted environment, which they can use for financial theft, data exfiltration, cyber-espionage, disabling defenses, and even causing physical harm.

To mitigate the risks associated with supply chain attacks, network defenders should apply industry best practices before an attack occurs, CISA and NIST say. They also recommend that organizations use third-party software “in the context of a risk management program” that includes a formal, organization-wide cyber supply chain risk management (C-SCRM) approach.

The agencies also provide a series of recommendations on how organizations can prevent the acquisition of malicious or vulnerable software, on how to mitigate already deployed malicious or vulnerable applications, and on how organizations can increase resilience.

Defending Against Software Supply Chain Attacks also includes recommendations for software vendors, such as implementing and following a software development life cycle (SDLC) and integrating a secure software development framework (SSDF), to ensure they won’t supply malicious or vulnerable software.

Related: Codecov Bash Uploader Dev Tool Compromised in Supply Chain Hack

Related: After Hack, Officials Draw Attention to Supply Chain Threats

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
