Threat actor playbooks: Who is targeting the IT supply chain & how
Opportunistic breaches are broad, often unsophisticated attacks that go after any vulnerable system, no matter who owns it. They rely on scanning for low-hanging fruit like misconfigured ports or unpatched software, hoping to land somewhere useful. In contrast, strategic attacks are deliberate, targeted intrusions. These are often carried out by Advanced Persistent Threats (APTs) or sophisticated cybercriminal groups aiming for long-term access, espionage, exfiltration, or systemic disruption. They can take months of quiet reconnaissance, custom malware development, and stealthy execution.
We have all seen the shift from random, opportunistic attacks to highly strategic supply chain intrusions. The SolarWinds breach immediately comes to mind. I actually spoke about it during an ISACA Houston event in November 2021.
These attacks are no longer just about quick financial gain. They’re about deep, persistent access, trust hijacking, and disrupting entire ecosystems.
In our hyperconnected world, where companies, vendors, MSPs, and integrators form the backbone of IT infrastructure, compromising one supplier can give attackers access to hundreds.
Real-world examples of strategic supply chain attacks
- SolarWinds (SUNBURST, 2020): Malicious code injected into Orion software updates gave attackers access to hundreds of downstream clients, including U.S. government agencies.
- 3CX Supply Chain Attack (2023): North Korea-linked actors compromised a VoIP software developer, using it as a pivot point into targets in crypto and aerospace.
- Kaseya (REvil, 2021): The breach of an RMM software vendor allowed ransomware to be deployed across thousands of SMBs, all via trusted software.
A glimpse of the perpetrators
Several nation-state APTs and criminal syndicates have adopted supply chain attacks as a core strategy. These actors don’t just attack systems; they target ecosystems.
Here are some of them:
- APT29 Cozy Bear (Russia): Tied to SolarWinds; known for deep reconnaissance, LOTL (Living Off the Land) tactics, and stealth
- Lazarus Group (North Korea): Behind the 3CX attack; blends espionage and financial motives
- Charming Kitten (Iran): Targets software developers and cloud platforms to reach dissidents and foreign entities
- REvil / Sodinokibi (Russia-linked): Used the Kaseya breach to scale ransomware delivery with precision
- Volt Typhoon (China): Focused on critical infrastructure and long-term access via software and telecom supply chains
Decoding their modus operandi: A view through the MITRE ATT&CK framework
Threat actors often follow a structured, multi-phase approach, well captured in the MITRE ATT&CK framework. Here are some of the key tactics and techniques often seen in software supply chain compromises:
Tactic | Technique | What It Means |
---|---|---|
Initial Access | T1195 – Supply Chain Compromise | Injecting malware into legitimate vendor builds or updates |
Execution | T1059 – Scripting/CLI | Using PowerShell, WMI, or shell scripts to run commands quietly |
Persistence | T1543 – Modify System Process | Maintaining access via startup scripts or registry edits |
Defense Evasion | T1027 – Obfuscation | Packing/encrypting payloads to hide from detection |
Credential Access | T1003 – Dumping Credentials | Extracting passwords from memory (e.g., LSASS) |
Lateral Movement | T1021 – Remote Services | Using RDP, SMB, or WinRM to spread within networks |
Command and Control | T1071 – Application Protocols | Communicating with C2 over HTTPS or DNS tunneling |
Exfiltration | T1048 – Alt Protocol Exfil | Using uncommon ports or encrypted channels to send stolen data |
Impact | T1486 – Data Encrypted for Impact | Deploying ransomware or wipers to disrupt systems |
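As an added illustration (not part of the original article), the Python sketch below correlates constructed endpoint telemetry against three rows of the table: a scripting interpreter spawned by a trusted vendor updater (T1059), access to LSASS memory (T1003), and long, high-entropy DNS labels suggestive of DNS-based C2 (T1071). The process names, hostnames and log events are constructed; `vendor_updater.exe` is a hypothetical allow-listed agent, not a real product binary.

```python
import math
from collections import defaultdict

# Constructed sample telemetry for illustration: (host, event_type, fields).
# "vendor_updater.exe" is a hypothetical trusted update agent, not a real product.
EVENTS = [
    ("ws01", "process", {"parent": "vendor_updater.exe", "image": "powershell.exe"}),
    ("ws01", "process_access", {"source": "powershell.exe", "target": "lsass.exe"}),
    ("ws01", "dns", {"query": "x7f9q2k1m3n8p0.updates.example"}),
    ("ws02", "process", {"parent": "explorer.exe", "image": "powershell.exe"}),
    ("ws02", "dns", {"query": "www.example.com"}),
]

TRUSTED_UPDATERS = {"vendor_updater.exe"}  # hypothetical allow-listed vendor agents
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DNS labels score high."""
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def classify(event_type, fields):
    """Map one event to a technique ID from the table above, or None if benign."""
    if event_type == "process":
        # A trusted vendor process spawning an interpreter is the anomaly the
        # Initial Access and Execution rows describe together.
        if (fields["parent"].lower() in TRUSTED_UPDATERS
                and fields["image"].lower() in INTERPRETERS):
            return "T1059"
    elif event_type == "process_access":
        if fields["target"].lower() == "lsass.exe":
            return "T1003"  # credential dumping from LSASS memory
    elif event_type == "dns":
        label = fields["query"].split(".")[0]
        if len(label) >= 12 and shannon_entropy(label) > 3.5:
            return "T1071"  # long, high-entropy label: possible DNS-based C2
    return None


def correlate(events):
    """Collect distinct technique hits per host; raise an alert when an
    updater-spawned interpreter is joined by at least two further stages."""
    hits = defaultdict(list)
    for host, event_type, fields in events:
        technique = classify(event_type, fields)
        if technique and technique not in hits[host]:
            hits[host].append(technique)
    return {host: {"techniques": ids, "alert": "T1059" in ids and len(ids) >= 3}
            for host, ids in hits.items()}
```

Hosts with no technique hits (such as `ws02`, where PowerShell is launched from Explorer) do not appear in the result, so the same logic can run over a much larger event stream without flooding analysts.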
In more advanced scenarios, attackers tamper with the software build process itself (T1584.002 – Compromise Software Supply Chain). Real-world cases include the following:
- CCleaner (2017): Attackers modified the installer in the vendor's development pipeline.
- ASUS ShadowHammer (2018–2019): Malware was inserted into the vendor's trusted update utility.
- XcodeGhost (2015): A trojanized version of Xcode embedded malware into thousands of iOS apps.
Defending against invisible infiltration
Supply chain attacks are asymmetric in nature: compromising one trusted vendor can infect hundreds of its customers.
Here are key lessons for defenders:
- Zero trust isn’t optional: Assume breach, even from your own suppliers. Enforce tight access control and continuous validation.
- Monitor your CI/CD pipeline: Your build process and dependencies can become attack surfaces. Watch them like you would production systems.
- Supplier risk = cyber risk: Go beyond paper-based assessments. Demand technical evidence of controls, especially for third-party software.
- Behavioral analytics > Signature detection: These threats often use signed malware or novel techniques; anomaly detection is critical.
- Threat hunt, always: Constantly look for hidden threats across endpoint, identity, and network layers to find the sleeper implants before they activate.
Staying ahead of supply chain attacks
Supply chain attacks are no longer rare; they’re a go-to playbook for well-funded, well-resourced actors. Understanding how these attackers operate, especially through frameworks like MITRE ATT&CK, helps us build smarter defenses. As attackers move upstream, defenders must move closer to the trust boundary, where relationships, code, and updates converge.