Supply Chain Attacks Are Inevitable – Here’s How to Prepare for Them
Prepare now to ensure a quick response, limited impact and a recovery with little, if any, downtime.
Cybersecurity may be a top priority for the credit union industry, but there’s one looming threat that has been badly overlooked – the supply chain attack.
A recent wave of supply chain attacks by the Russian ransomware group known as “Cl0p” has brought more attention to this issue, but it’s important for credit union executives to realize this is not a short-term blip or passing phase in cybercriminal strategy. Supply chain attacks have been growing rapidly over the last few years and the problem is likely to get even worse, thanks to the rise in other associated trends such as ransomware-as-a-service and data extortion.
It’s estimated that over 60% of U.S. businesses have already fallen victim to a supply chain attack in the last year, according to a Capterra report. However, the actual number may be even higher, since it frequently takes time for companies to detect a third-party breach.
Credit unions are an ideal target for these attacks, since they store valuable financial and personal data on their members and often have fewer security resources available than a larger financial institution.
Here’s what you need to know about this threat:
What Is a Supply Chain Attack?
Supply chain attacks occur when criminal hackers target a third-party supplier of goods and services, which allows them direct and unauthorized access to a credit union’s systems and/or data. Common examples of third-party suppliers include software providers, development libraries and organizations that have access to your environment – such as managed service providers (MSPs), HVAC services and monitoring.
In recent years, there has been a significant increase in supply chain attacks by ransomware groups and other cybercriminals since these attacks can be highly profitable. By simply targeting one key supplier, a ransomware gang can quickly infect dozens or even thousands of other victims. For example, MSPs have access to all their clients’ systems. If an attacker compromises an MSP, they have easy access to hundreds of client networks. File transfer software is another popular target among supply chain hackers, and its compromise can lead to thousands of downstream infections. Similarly, any software provider that has a backdoor in its products can expose a huge number of organizations that rely on this software. When this occurs, attackers have access to any system the software is installed on.
These attacks pose an ongoing threat to the financial industry. Here are just a few recent examples:
- SolarWinds Backdoor (December 2020): A backdoor was placed into the SolarWinds Orion software in February 2020 and installed by thousands of organizations before it was discovered in December 2020. The attackers who placed the backdoor had almost unfettered access to organizations through SolarWinds for months.
- Kaseya Ransomware (July 2021): The REvil ransomware group compromised Kaseya VSA, a cloud service used by many MSPs to remotely manage their clients’ networks and systems. Since REvil compromised Kaseya VSA itself, they were able to deploy ransomware into thousands of organizations across the globe at once.
- NCR Breach (April 2023): NCR suffered a ransomware attack on its Aloha POS and back-office applications by the BlackCat/ALPHV ransomware group. Aloha POS systems were down for several days, crippling many in the restaurant industry.
- MOVEit Transfer (June 2023): A previously unknown vulnerability in this popular file transfer software was exploited by the Cl0p ransomware group several days before any patch was available. Data was stolen from many organizations. Because this attack is so recent, the full extent of the damage may not be known for several months.
Where Are Credit Unions Most Vulnerable?
Supply chain attacks can happen to any organization at any time. Every business utilizes software written by someone else and services provided by an outside company – and credit unions are certainly no exception.
There are several areas where credit unions are particularly vulnerable to a supply chain attack. Third-party suppliers frequently have internal access to their clients’ networks for management and maintenance purposes, which means even if a credit union is doing everything else right security-wise, it may still have a gaping hole in its network.
If a credit union uses ATMs or POS terminals, those devices may connect back to their distributors for maintenance or need to connect to cloud-based services to function. Credit unions often write some of their own software; however, the programming libraries they use during the development process may contain hidden vulnerabilities or backdoors, which attackers can exploit. Cloud services are often used by credit unions for storing and processing data. If these cloud services were to be breached, the credit union and its members’ data would be at risk.
How to Prepare for These Attacks
There are many steps a credit union can take to prepare for and respond to a supply chain attack. However, plans for these steps need to be made now. If an organization waits until the middle of an incident to figure out what to do, it’s too late.
Plans concerning supply chain attacks can be broken up into two categories: those related to the controls and standards placed on third parties that a credit union does business with, and those that dictate how a credit union will respond to a breach – internal or otherwise. Standards, processes and procedures that credit unions should put in place to ensure they are prepared for a supply chain attack include:
- Establishing a third-party risk management program that evaluates the security of providers before using their services, sets security standards they must meet and audits them on a regular basis.
- Including language within contracts that requires notification within a specific time of a breach of the third party and/or the credit union’s data.
- Monitoring the security of the providers you do business with. Ensure that you’ll know if they are breached or if a vulnerability is found in their software.
- Classifying your data and documenting who has it and what data they have. This will ensure that if there is a third-party breach, it can be quickly determined what is at risk.
Credit unions should also establish the processes and procedures to be able to effectively react to breaches when they occur. Steps that can be taken now to reduce the impact of a breach and provide faster resolution include:
- Creating an incident response plan that defines how the organization reacts to an incident, what internal team responsibilities are and who should be contacted.
- Monitoring the internal environment for security anomalies, investigating alerts, and quickly responding to internal incidents.
- Generating communications guidelines that define internal and external communications and who performs them, and creating templates or holding statements that can be quickly modified during an incident.
- Establishing third-party relationships to assist during an incident. This includes cyber insurance, an incident response retainer, legal counsel and crisis communications.
- Having a patch management program that ensures vulnerabilities in software are patched quickly.
- Fostering a culture of security within the organization, educating employees and providing methods by which they can report security incidents without fear of repercussions.
Unfortunately, supply chain breaches – originating internally or at third-party providers – are inevitable. This is even more concerning given the sensitive data that credit unions hold. However, preparing for breaches now will ensure that credit unions can respond quickly, limit their impact and recover with little, if any, downtime.
Tyler Hudak is incident response practice lead for the Fairlawn, Ohio-based TrustedSec, which provides “ethical hacking” and cyber incident response services to the financial services industry and other sectors.