An EU agency predicts that the number of software supply chain attacks will increase fourfold in 2021 compared to 2020.
The European Union Agency for Cybersecurity (ENISA) study examined the nature of a supply chain attack and how it affected operations in recent months. The ‘Threat Landscape for Supply Chain Attacks’ report looked at 24 supply chain attacks that occurred from January 2020 to July 2021.
According to the findings of the ENISA, about 50% of the supply chain attacks were attributed to known APT groups, and 42% remained unattributed.
The study revealed that the main motivations of attackers were to gain access to sensitive information and source code.
The EU-funded study came in the wake of two major supply chain attacks that have made headline news in the past 12 months, attacks on SolarWinds and Kaseya VSA. The agency noted that these two incidents are not isolated cases, and the number of supply chain attacks has been steadily increasing.
“This trend further stresses the need for policymakers and the security community to devise and introduce novel protective measures to address potential supply chain attacks in the future and to mitigate their impact,” the report stated.
The report said that 66% of supply chain incidents were caused by the exploitation of an unknown vulnerability, while 16% of attacks targeted known software flaws.
Most attacks against supplier assets were focused on compromising code (66%), extracting sensitive information (20%), and processes (12%).
The report also proposed establishing a taxonomy for identifying supply chain attacks. It will take into account the supplier and the customer, what assets were targeted and what techniques were used to gain access.
“For each of these four distinguishing elements in the taxonomy, we have defined the elements that better characterize a supply chain attack,” the report states. “By selecting the corresponding elements, it is possible to have a better understanding of what is known or not known about an attack.”
The authors noted that the taxonomy is conceptually different from Mitre ATT&CK and aims to complement rather than displace it.
The authors of the report concluded by stating that they estimate that four times more supply chain attacks will happen in 2021.
The report urges EU member states “establish good practices” and coordinated actions “to reach a common level of security”.
