
A (Partial) History of Software Supply Chain Attacks

The widespread campaign of software supply chain attacks that has become known as the “SolarWinds attack” began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.
But if you are thinking that software supply chain threats and attacks are a new problem plaguing software companies and their customers, you are wrong. In fact, software supply chain attacks have been with us for years — decades even — though they haven’t always demanded the kind of attention and response they are now receiving.

Here is a list of known software supply chain attacks, compiled from public records and reporting. This list is incomplete. First, it is likely that there have been supply chain attacks that have not been made public. Second, these attacks are ongoing, making any accounting of software supply chain attacks incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert. Others may use a more liberal definition of what is and is not a “supply chain” attack than we have and, thus, end up with a longer list of incidents.


A Chronology of Software Supply Chain Attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains.

Did we miss something? Let us know

If you notice that we have omitted a supply chain attack from our partial history, please let us know and, if possible, send corroborating evidence (links to public records, press coverage, social media posts, etc.) that we can use to verify your claim. We would be happy to update our list as new information becomes available.

Sources:

https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
https://unredacted.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
https://www.cybereason.com/blog/deja-vu-what-do-notpetya-and-solarwinds-have-in-common
https://apnews.com/article/8b02768224de485eb4e7b33ae55b02f2
https://apnews.com/article/ap-top-news-theft-indictments-china-hacking-05aa58325be0a85d44c637bd891e668f
https://securelist.com/operation-applejeus/87553/
https://www.kaspersky.com/blog/copay-supply-chain-attack/24786/
https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://www.darkreading.com/threat-intelligence/chinese-malware-found-preinstalled-on-us-government-funded-phones
https://duo.com/decipher/malware-infects-netbeans-projects-in-software-supply-chain-attack
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://www.darkreading.com/attacks-breaches/chinese-software-company-aisino-uninstalls-goldenspy-malware
https://securityboulevard.com/2021/10/solarwinds-accellion-breaches-supply-chain-attacks-wreaking-havoc/
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
https://www.twilio.com/blog/avoiding-dependency-confusion-attacks
https://www.helpnetsecurity.com/2020/07/23/twilio-malicious-sdk/
https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
https://www.bankinfosecurity.asia/mongolian-certification-authority-monpass-breached-a-16990
https://thehackernews.com/2021/02/russian-hackers-targeted-ukraine.html
https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets-ios-devs-in-supply-chain-attack/
https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/
https://securityboulevard.com/2021/03/verkada-surveillance-hack-breach-highlights-iot-risks/
https://techcrunch.com/2021/08/04/passwordstate-supply-chain-attack/
https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
https://www.theregister.com/2021/05/27/fujitsu_projectweb_supply_chain_attack/
https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/
https://www.cybersecurity-help.cz/blog/2146.html
https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
https://www.theregister.com/2021/07/07/synnex_rnc_microsoft_attack/
https://www.sonatype.com/resources/vulnerability-timeline
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/
https://blog.sonatype.com/what-constitutes-a-software-supply-chain-attack
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/
https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild?hsLang=en-us
https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
https://blog.sonatype.com/3-million-cryptocurrency-heist-malicious-github-commit?hsLang=en-us
https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
https://www.zdnet.com/article/bankbot-android-malware-sneaks-into-the-google-play-store-for-the-third-time/
https://www.itworldcanada.com/article/canadian-cyber-firm-confirms-it-was-the-victim-described-in-rsa-investigation/390903
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/124/trend-micro-investigates-june-25-cyber-attacks-in-south-korea
https://www.eset.com/int/about/newsroom/press-releases/research/eset-uncovers-operation-nightscout-cyberespionage-supply-chain-attack-on-gamers-in-asia/

*** This is a Security Bloggers Network syndicated blog from ReversingLabs Blog authored by Paul Roberts. Read the original post at: https://blog.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks