Threat actor playbooks: Who is targeting the IT supply chain & how


Opportunistic breaches are broad, often unsophisticated attacks that go after any vulnerable system, no matter who owns it. They rely on scanning for low-hanging fruit like misconfigured ports or unpatched software, hoping to land somewhere useful. In contrast, strategic attacks are deliberate, targeted intrusions. These are often carried out by Advanced Persistent Threats (APTs) or sophisticated cybercriminal groups aiming for long-term access, espionage, exfiltration, or systemic disruption. They can take months of quiet reconnaissance, custom malware development, and stealthy execution.

We have all seen the shift from random, opportunistic attacks to highly strategic supply chain intrusions. The SolarWinds breach immediately comes to mind. I actually spoke about it during an ISACA Houston event in November 2021.

These attacks are no longer just about quick financial gain. They’re about deep, persistent access, trust hijacking, and disrupting entire ecosystems.

In our hyperconnected world, where companies, vendors, MSPs, and integrators form the backbone of IT infrastructure, compromising one supplier can give attackers access to hundreds.

Real-world examples of strategic supply chain attacks

  • SolarWinds (SUNBURST, 2020): Malicious code injected into Orion software updates gave attackers access to hundreds of downstream clients, including U.S. government agencies.
  • 3CX Supply Chain Attack (2023): North Korea-linked actors compromised a VoIP software developer, using it as a pivot point into targets in crypto and aerospace.
  • Kaseya (REvil, 2021): The breach of an RMM software vendor allowed ransomware to be deployed across thousands of SMBs, all via trusted software.

A glimpse of the perpetrators

Several nation-state APTs and criminal syndicates have adopted supply chain attacks as a core strategy. These actors don’t just attack systems; they target ecosystems.

Here are some of them:

  1. APT29 / Cozy Bear (Russia): Tied to SolarWinds; known for deep reconnaissance, LOTL (Living Off the Land) tactics, and stealth
  2. Lazarus Group (North Korea): Behind the 3CX attack; blends espionage and financial motives
  3. Charming Kitten (Iran): Targets software developers and cloud platforms to reach dissidents and foreign entities
  4. REvil / Sodinokibi (Russia-linked): Used the Kaseya breach to scale ransomware delivery with precision
  5. Volt Typhoon (China): Focused on critical infrastructure and long-term access via software and telecom supply chains

Decoding their modus operandi: A view through the MITRE ATT&CK framework

Threat actors often follow a structured, multi-phase approach, well captured in the MITRE ATT&CK framework. Here are some of the key tactics and techniques often seen in software supply chain compromises:

| Tactic | Technique | What It Means |
| --- | --- | --- |
| Initial Access | T1195 – Supply Chain Compromise | Injecting malware into legitimate vendor builds or updates |
| Execution | T1059 – Scripting/CLI | Using PowerShell, WMI, or shell scripts to run commands quietly |
| Persistence | T1543 – Modify System Process | Maintaining access via startup scripts or registry edits |
| Defense Evasion | T1027 – Obfuscation | Packing/encrypting payloads to hide from detection |
| Credential Access | T1003 – Dumping Credentials | Extracting passwords from memory (e.g., LSASS) |
| Lateral Movement | T1021 – Remote Services | Using RDP, SMB, or WinRM to spread within networks |
| Command and Control | T1071 – Application Protocols | Communicating with C2 over HTTPS or DNS tunneling |
| Exfiltration | T1048 – Alt Protocol Exfil | Using uncommon ports or encrypted channels to send stolen data |
| Impact | T1486 – Data Encrypted for Impact | Deploying ransomware or wipers to disrupt systems |

In more advanced scenarios, attackers tamper with the software build process itself (T1584.002 – Compromise Software Supply Chain). Real-world cases include the following:

  • CCleaner (2017): Attackers modified the installer inside the vendor's development pipeline
  • ASUS ShadowHammer (2018–2019): Malware was inserted into the vendor's trusted update utility
  • XcodeGhost (2015): A trojanized version of the Xcode IDE embedded malware in thousands of iOS apps

Defending against invisible infiltration

Supply chain attacks are asymmetric in nature: compromising one trusted vendor can infect hundreds of its customers.

Here are key lessons for defenders:

  1. Zero trust isn’t optional: Assume breach, even from your own suppliers. Enforce tight access control and continuous validation.
  2. Monitor your CI/CD pipeline: Your build process and dependencies can become attack surfaces. Watch them like you would production systems.
  3. Supplier risk = cyber risk: Go beyond paper-based assessments. Demand technical evidence of controls, especially for third-party software.
  4. Behavioral analytics > Signature detection: These threats often use signed malware or novel techniques; anomaly detection is critical.
  5. Threat hunt, always: Constantly look for hidden threats across endpoint, identity, and network layers to find the sleeper implants before they activate.
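The behavioral-analytics and threat-hunting lessons above, applied to the ATT&CK techniques listed in the table: the following added example (not code from the article or from Atos) runs a few defender-side rules over constructed endpoint telemetry and flags a host on which several techniques from the table co-occur, which is the pattern a supply chain intrusion leaves when a trusted updater starts spawning scripts. The updater name, port list and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One constructed endpoint telemetry record (process, memory or network event)."""
    host: str
    parent: str           # parent process image name
    image: str            # process image name
    cmdline: str = ""
    dest_port: int = 0    # remote port for network events, 0 otherwise
    target: str = ""      # process whose memory was opened, "" otherwise
    dns_query: str = ""   # queried name for DNS events, "" otherwise

# Assumed (placeholder) names of vendor update binaries the organisation trusts.
TRUSTED_UPDATERS = {"vendor_updater.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
REMOTE_SERVICE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM"}

def match(e: Event) -> Optional[str]:
    """Return the ATT&CK technique ID from the table that the event suggests, or None."""
    if e.parent.lower() in TRUSTED_UPDATERS and e.image.lower() in SCRIPT_HOSTS:
        return "T1059"  # a trusted updater spawning a script interpreter is out of profile
    if e.target.lower() == "lsass.exe":
        return "T1003"  # opening LSASS memory is credential-dumping behaviour
    if e.dest_port in REMOTE_SERVICE_PORTS:
        return "T1021"  # outbound RDP/SMB/WinRM from a workstation: lateral movement
    if e.dns_query and max(len(label) for label in e.dns_query.split(".")) > 40:
        return "T1071"  # oversized DNS labels are a DNS-tunnelling indicator
    return None

def triage(events):
    """Group matched technique IDs per host and return (hits, suspects); a host showing
    three or more distinct techniques is treated as a multi-stage intrusion, not noise."""
    per_host = defaultdict(set)
    for e in events:
        tid = match(e)
        if tid:
            per_host[e.host].add(tid)
    hits = {h: sorted(t) for h, t in per_host.items()}
    suspects = [h for h, t in hits.items() if len(t) >= 3]
    return hits, suspects

# Constructed sample telemetry; none of it is taken from a real incident.
SAMPLE_EVENTS = [
    Event("ws01", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    Event("ws01", "vendor_updater.exe", "powershell.exe", "powershell.exe -w hidden <constructed>"),
    Event("ws01", "powershell.exe", "dumptool.exe", "<constructed>", target="lsass.exe"),
    Event("ws01", "powershell.exe", "svchost.exe", dest_port=5985),
    Event("ws01", "svchost.exe", "svchost.exe", dns_query="a" * 45 + ".c2.example"),
    Event("ws02", "explorer.exe", "mstsc.exe", "mstsc.exe /v:srv01", dest_port=3389),
]
```

Running `triage(SAMPLE_EVENTS)` flags only ws01 (four techniques spanning execution, credential access, lateral movement and C2), while ws02's single RDP session stays below the correlation threshold.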

Staying ahead of supply chain attacks

Supply chain attacks are no longer rare; they are a go-to playbook for well-funded, well-resourced actors. Understanding how these attackers operate, especially through frameworks like MITRE ATT&CK, helps us build smarter defenses. As attackers move upstream, defenders must move closer to the trust boundary, where relationships, code, and updates converge.


Harman Bhogal

Head of Threat Management Practice, Atos
