Software supply chain incidents have been making headlines recently. Despite similarities among these security incidents, not all supply chain attacks are created equal.

The umbrella term “supply chain attack” covers any instance where an attacker interferes with or hijacks the software manufacturing process (the software development lifecycle) such that multiple consumers of the finished product or service are harmed. This can happen when code libraries or individual components used in a software build are tainted, when software update binaries are Trojanized, when code-signing certificates are stolen, or even when a server hosting software-as-a-service (SaaS) is compromised.

With any software supply chain attack, attackers insert themselves either upstream or midstream so that their malicious activity and its after-effects flow downstream to many users. As such, compared to an isolated security breach, a successful supply chain attack operates at a much larger scale and has a far wider impact.

Here we examine six different techniques used in recent real-world, successful software supply chain attacks.

Supply chain attack examples