AlignTrust

Supply Chain Attack

An attack that targets a less-secure element in an organisation's supply chain — a vendor, software provider, or partner — to gain access to the ultimate target.

What Is a Supply Chain Attack?

A supply chain attack (also called a value chain or third-party attack) occurs when an attacker compromises a target organisation indirectly — by first compromising a vendor, software provider, or partner that has trusted access to the target.

Instead of attacking the well-defended target directly, the attacker finds a weaker link in the chain: a software update mechanism, a managed service provider (MSP), a contractor's credentials, or a shared component. Once inside the supply chain entity, the attacker can pivot to the ultimate target.

Landmark Supply Chain Attacks

SolarWinds (2020): Attackers compromised SolarWinds' build system and inserted malware into legitimate software updates. Around 18,000 organisations — including US government agencies — installed the trojanised update, giving attackers persistent access.

3CX (2023): A malicious update to 3CX's VoIP software (which was itself compromised via another supply chain attack on Trading Technologies) affected hundreds of thousands of systems.

MOVEit (2023): A zero-day vulnerability in the MOVEit file transfer software was exploited to steal data from thousands of organisations globally.

Why Supply Chain Attacks Are Effective

  • Victims trust updates and software from known vendors
  • Attackers can compromise many targets through a single breach
  • Traditional perimeter security doesn't help — the attack comes through a trusted channel
  • Detection is extremely difficult — malicious code runs as part of legitimate software

Defending Against Supply Chain Attacks

  1. Vendor security reviews: Assess the security posture of all vendors with access to your systems
  2. Least privilege for vendor access: Give vendors only the access they need, scoped tightly
  3. Software bill of materials (SBOM): Understand what components are in your software dependencies
  4. Network segmentation: Limit what vendor-connected systems can reach
  5. Monitoring and anomaly detection: Unusual behaviour from trusted software or vendors should trigger alerts
  6. Zero trust principles: Verify every connection, even from trusted vendors
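As an added illustration of steps 3 and 5 (not code from AlignTrust), the script below diffs a release's SBOM against the component baseline approved for the previous release, flagging components that were never approved, versions that drifted, and expected components that vanished, and checks a downloaded update against a hash published out of band. The SBOM, the baseline and the update bytes are all constructed sample data.

```python
import hashlib
import json

# Constructed sample SBOM in CycloneDX-style JSON; not a real product's bill of materials.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libssl", "version": "3.0.13"},
    {"name": "zlib", "version": "1.3.1"},
    {"name": "telemetry-helper", "version": "0.1.0"}
  ]
}
"""

# Constructed baseline: components and versions approved for the previous release.
APPROVED = {"libssl": "3.0.13", "zlib": "1.3.1"}


def diff_sbom(sbom_json, approved):
    """Return (kind, component, detail) findings relative to the approved baseline.

    A build injected in the supply chain tends to surface as a component or a
    version that the release process never signed off on, so every difference
    is surfaced for review rather than silently accepted.
    """
    components = json.loads(sbom_json)["components"]
    findings, seen = [], set()
    for comp in components:
        name, version = comp["name"], comp["version"]
        seen.add(name)
        if name not in approved:
            findings.append(("unexpected-component", name, version))
        elif approved[name] != version:
            findings.append(("version-drift", name, f"{approved[name]} -> {version}"))
    for name in sorted(approved.keys() - seen):
        findings.append(("missing-component", name, approved[name]))
    return findings


def verify_update(blob, expected_sha256):
    """True only if the update's SHA-256 matches the hash obtained out of band."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


if __name__ == "__main__":
    for finding in diff_sbom(SBOM_JSON, APPROVED):
        print(finding)
    payload = b"constructed update payload"
    print(verify_update(payload, hashlib.sha256(payload).hexdigest()))
```

Any finding from `diff_sbom` is a reason to hold the update and feed the anomaly into the monitoring pipeline from step 5; it is not proof of compromise, but it is exactly the kind of deviation a trusted update should never show.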