The increasing connectivity between businesses means cybercriminals are continuously finding new ways to infiltrate company networks. If there is a vulnerability somewhere in the digital supply chain, the chances are a hacker will be able to uncover it.

Author: Johnty Mongan


Cybercriminals target supply chains to reach as many victims as possible in a single hit. As supply chains can be large and complex, it can be difficult to know if you have sufficient protection in place. An increasing number of organisations are suffering cyber-attacks via their supply chains or via their providers of IT services. This is largely because attackers are able to take advantage of customers’ trust in their suppliers and exploit digital vulnerabilities.

What is a supply chain cyber-attack?

A supply chain cyber-attack occurs when threat actors access a company’s network via suppliers or a third-party provider (the ‘digital supply chain’). Because the third party has been given the permissions to use areas of the company’s network, applications or sensitive data, an attacker can gain access to these areas too if they are able to penetrate the third party’s defences. The distribution of malware (malicious software) is a common result of a supply chain attack.

Why are cyber-attacks on supply chains becoming more common?

The role of managed service providers (MSPs) in providing IT services such as security monitoring and digital billing makes them attractive targets for cybercriminals. Cyber-attacks on supply chains are becoming more common as they enable threat actors to target larger numbers of victims all at once, i.e., an attack on one business may give access to hundreds—or even thousands—of their customers, having a more widely-propagated impact.

4 in 5 software supply chains were exposed to a cyber-attack or vulnerability in the last 12 months.ii

Types of supply chain cyber-attacks


Hackers may attack a software company’s system, target an application’s source code and insert their own malicious code into the software. Any company that goes on to use this software would be a potential target because the product has been compromised.


This type of attack can happen through compromised physical devices, such as USB drives. The hacker can get to work when the device installs an application to allow access to the network. Once in, they will target a network device to infiltrate supply chain systems and cause widespread damage.


Firmware attacks target a computer’s booting code. When this malware has been surreptitiously loaded into a computer, the malicious code is executed as soon as the computer boots up, jeopardising the entire system or network.

Malware preinstalled on devices

Hackers can put malware on phones, USB drives, cameras, and other mobile devices. When the device is connected to a system or network, malicious code is introduced with the ability to take over devices and download apps in the background. Manufacturers of budget devices who rely on third-party software can be particularly susceptible to this type of attack.

Stolen certificates

Certificates are used to vouch for the legitimacy or safety of a company’s product. If a hacker steals a certificate, they can peddle malicious code under the guise of that company’s certificate.

Website builders

By attacking the core script of a website template of a creative or digital agency that builds websites for their clients, cybercriminals can target these end clients and compromise their websites.

Watering hole attacks

This type of attack works by identifying a website that is frequented by users within a targeted organisation or sector. That website is then compromised to enable the distribution of malware. Typically, the malware delivered will be a Remote Access Trojan (RAT), enabling the attacker to gain remote access to the target’s system.

Just over 1 in 10 organisations review the cyber risks posed by immediate suppliers.iii

Examples of major supply chain cyber-attacks

Kaseya ransomware attack, 2021

Network management software firm, Kaseya, was the target of a ransomware gang who was able to breach the company’s remote monitoring and management package, Virtual Administration Assistant (VSA), via an authentication bypass vulnerability. Within days, up to 1,500 downstream customers had been affected by the attack through downloads containing malware.

Log4j vulnerability, 2021

Apache Log4j is one of the many building blocks that are used in the creation of modern software and is used by millions of computers worldwide running online services. A vulnerability was discovered that could allow attackers to break into systems, steal passwords and logins, extract data and infect networks with malicious software.

SolarWinds hack, 2020

When attackers hacked SolarWinds, a major software company, SolarWinds unknowingly began to send out their Orion Platform software updates with hacked code. This triggered a huge supply chain incident that compromised the data, networks and systems of up to 18,000 organisations, including U.S. government agencies.

In each of these cases, a single breach, compromise or vulnerability in distributed code led to thousands of victims—an easy win for cybercriminals.

62% of supply chain attacks rely on the distribution of malwareiv

How to strengthen your digital supply chain

It is important for organisations to work with their suppliers to identify potential supply chain risks and ensure appropriate cybersecurity measures are in place, and all suppliers should be incorporated into your organisation’s security verification.

Endpoint Detection and Response (EDR) can play a vital role in protecting your organisation from supply chain attacks as it continuously monitors endpoint activity to let you know when an attack has occurred, its attack path and the actions it took. An integrated approach to cybersecurity—combining key EDR with anti-virus software and Multi-Factor Authentication (MFA)—can further strengthen your defences.

For specialist advice regarding your potential supply chain vulnerabilities or any other aspect of your organisation’s cyber risk, please get in touch with the Cyber Risk Management team.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.