From SolarWinds to Kaseya: The rise of supply chain attacks in a digital world

Introduction

Friday, July 2, 2021, was another summer day in Stockholm. The local grocery store was packed as the customers were shopping for the weekend. Anna went through her shopping list again to ensure she had gotten everything for her upcoming birthday. At the checkout counter, the cashier greeted her and quickly started scanning the items, yet only after a few seconds they suddenly looked confused, staring at the monitor in front. After pressing a few buttons on the touch screen, the cashier looked at Anna and stated apologetically that something was wrong with the machine. ‘I need to call the IT guys. Can you go to the next cashier?’ the cashier continued, but hardly before the sentence was finished, Magnus, from the next cashier, looked at them and said: ‘My machine doesn’t work either…’. Anna looked at them curiously and wondered how it was possible that the two cash registers had stopped working at the same time and exactly now that she was in a hurry.

The answer took little time to reach the news. Swedish grocery store brand Coop was one of the over 800 victims of a large-scale cyberattack targeting Kaseya, a software provider developing network monitoring solutions. The attack caused widespread disruptions to railways, pharmacy chains, and governmental agencies and even led to the closure of many schools and kindergartens. Unfortunately, the Kaseya attack, alongside SolarWinds (Datta, 2022; Datta and Acton, 2023), are only two of the recent well-coordinated and targeted attacks toward suppliers which influenced millions of customers globally. Recent reports show that attackers have shown an increasing interest in conducting supply chain attacks, which is expected to become the most common type of cyberattack by 2030 (ENISA, 2023). In a supply chain attack, a combination of two or more attacks compromises the information security of suppliers and their customers. The first attack is launched to gain access to a supplier’s assets, which are then used in consequent attacks on the supplier’s customers which can be suppliers themselves (ENISA, 2021).

Supply chains today rely heavily on information technologies, including emerging trends such as Industry 4.0, blockchain, logistic drones and robotics, and e-commerce (Cheung et al., 2021). However, adopting digital technologies also increases the supply chain’s susceptibility to cyberattacks, sparking heated discussions about supply chain cybersecurity and risk management. To that end, supply chain cybersecurity and risk management have become ever more important areas for organisations and policymakers (Melnyk et al., 2022). For instance, the U.S. Cyber Supply Chain Management and Transparency Act and the European Union’s Cyber Resilience Act emphasise the need for stricter measures and enforcement requirements to address the security of supply chains.

Despite the growing awareness of supply chain attacks and their severe impact, substantial efforts and investments are needed to address supply chain cybersecurity. In this teaching case, we propose a taxonomy of cyberattacks and provide a better understanding of supply chain attacks to contribute to addressing supply chain cybersecurity.

Cyberattacks

Information security aims to ensure the confidentiality, integrity, and availability of information systems resources and assets (Andress, 2014). A successful cyberattack by hostile actors can compromise these objectives and disrupt an organisation’s value-generation capabilities and business operations. A cyberattack can harm or even destroy information system resources and data assets as reflected in the following definition provided by the National Institute of Standards and Technology (Ross, 2012, pp. B-3): ‘An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information’.

As the definition implies, a cyberattack has at least four elements: attacker, attack technique, targeted asset, and the purpose of attack. According to the Threat Landscape Report published by the EU Agency for Cybersecurity (ENISA) attackers or threat agents can be divided into four main groups: cybercriminals, state-sponsored hackers, hacker-for-hires, and hacktivists (ENISA, 2023). Depending on their identity, these attackers have various financial, ideological, and geopolitical motivations. For instance, while monetisation is the primary motivation for cybercriminals and hacker-for-hires, attacks launched by hacktivists are often backed by ideological reasons. State-sponsored hackers, often driven by geopolitical motives, mainly aim to steal sensitive and classified information (i.e. espionage) or cause large-scale disruptions or destructions to public services and critical infrastructures.

Based on their purpose and influence on the security objectives, we have four types of attacks. In interception, an attacker aims to compromise confidentiality by obtaining unauthorised access to assets. In interruption, an attacker aims to compromise availability by making assets unusable or unavailable for use. Modification involves attempts to compromise integrity by tampering with assets and making unauthorised changes to them. Finally, in fabrication, attackers aim to misuse a system’s legitimate functionalities to perform malicious activities, such as generating false data or communications (Andress, 2014). Thus, fabrication could compromise both the integrity and availability of assets.

Attackers use various techniques to leverage technology (e.g. software defects), human (e.g. unaware users), physical (e.g. faulty locks), or procedural vulnerabilities (e.g. defective access control policy) and compromise the security of a computing environment or digital infrastructure (Ghanbari and Koskinen, 2024). They can use injection attacks (e.g. SQL injection) to compromise software systems, use Denial of Service (DoS) attacks to disrupt our network’s traffic or target our employees with phishing and social engineering attacks.

Depending on their primary target sectors, cyberattacks can have economic (i.e. direct or indirect financial loss), reputational (i.e. negative publicity or public perception), digital (i.e. any kind of damage to systems and data), physical (i.e. any kind of injury or harm to stakeholders), or societal (i.e. any effect on the public or society) impact on their victims. For instance, while the Vastaamo data breach (Ghanbari and Koskinen, 2024) had economic and reputational damage to the psychotherapy clinic, it also had a physical impact to some of the patients and social damage to the Finnish society.

Supply chain cybersecurity

In today’s global market, where a firm’s value creation capability depends on its network of partners and suppliers, our digital infrastructures are heavily interconnected with many other systems and cyber-physical ecosystems. As we collaborate with partners and service providers, the attack surface of our digital infrastructure increases, making us and our partners more vulnerable to cyberattacks. Security interdependence implies that since all these systems and components are interrelated, failure to protect each could compromise a firm’s or supply chain’s overall information security (Raggad, 2010).

Supply chain refers to the ecosystem of processes, people, organisations, and distributors involved in creating and delivering a final solution or product (Beamon, 1998). While a buyer-supplier relationship can be seen as a simple supply chain, most are complex, multi-tier, and span different industries. Due to the complex nature of a supply chain, a cyberattack compromising a supplier’s assets, can disrupt the whole supply chain’s operations and lead to significant financial loss for them and their stakeholders (Simon & Omar, 2020). For instance, the 2017 malware attack on Maersk, the world’s largest shipping conglomerate, disrupted global shipping and caused billions of direct and indirect damages for Maersk and its customers. Such attacks have sparked heated discussions about supply chain cybersecurity. Supply chain cybersecurity relies on technology, procedures, and people to protect a digital infrastructure against agents aiming to exploit weaknesses in the supply chain (Melnyk et al., 2022). It covers a broad spectrum, from sourcing and vendor management to supply chain continuity, quality, and other functions requiring a coordinated effort (Wong et al., 2022).

A report by ENISA (2023) demonstrates that, although 86% of the surveyed organisations implemented supply chain cybersecurity policies, only 24% have dedicated roles and responsibilities for it. Alternatively, while 61% of the organisations require supplier security certification, only 37% demonstrate due diligence or risk assessment. The report proposes a set of best practices on supply chain cybersecurity covering five areas, including strategic corporate approach, supply chain risk management, supplier relationship management, vulnerability handling, and the quality of products and practices for suppliers and service providers. The report concludes that the good practices should cover diverse entities participating in the supply chain, indicating a collaborative and corporate-wide supply chain management system based on the organisation’s performances in the abovementioned areas. To this end, information sharing with other operators and national authorities could be beneficial for deploying more in-depth defence strategies.

Supply chain attack

With increased security interdependence across supply chains, attackers have shown increasing interest in conducting supply chain attacks. In a supply chain attack, a combination of two or more attacks compromises the information security of suppliers and their customers. The first attack is launched to gain access to a supplier’s assets, which are then used to launch attacks on the supplier’s customers or another supplier (ENISA, 2021). For an attack to be classified as a supply chain attack, both the supplier and customer must be targeted. As such, supply chain attacks leverage the security interdependence of an interconnected network of suppliers, customers, and consumers. These attacks are usually complex and take several months to plan and launch, they often go undetected for a long period. The attackers often focus on compromising suppliers’ code and software to launch further attacks on customers, which rely on malware and customers’ trust in suppliers as primary attack techniques (ENISA, 2021).

By conducting supply chain attacks, attackers can exploit vulnerabilities and breach data from an upstream node, impacting numerous customers through compromised supplier systems. This can result in significant logistical disruptions, system downtimes, damage to brand reputation and customer trust, financial loss, data breaches, and potential legal disputes (Simon & Omar, 2020). Therefore, we must consider information security in all business decisions concerning new partnerships or existing service providers, suppliers, and acquisitions. We must also understand and be ready for the consequences of a situation where one of these service providers or partners’ security is compromised.

Based on the above discussion, we propose a taxonomy of cyberattacks (see Table 1), which can be used to conduct a lightweight analysis of different types of attacks, including supply chain attacks. The taxonomy can be used alongside other tools such as the cyber kill chain (Lockheed-Martin, 2015) which are more suitable for conducting an in-depth analysis of cyberattacks. Our proposed taxonomy enables students, researchers, and practitioners to quickly analyse the key dimensions of an attack, summarise the results of their analysis, and present their findings in a concise and user-friendly manner. This is especially useful for presenting a concise overview of cyberattacks to executives and directors, who are often considered too busy to read long technical reports.

OPEN IN VIEWER

Table 1.

A Taxonomy of Cyberattacks.

Dimension	Characteristics
Attacker(s)	1. Cybercriminals, 2. State-sponsored hackers, 3. Hacker-for-hires, 4. Hacktivists
Purpose(s)	1. Interception, 2. Interruption, 3. Modification, 4. Fabrication
Motivation	1. Monetisation, 2. Ideological, 3. Espionage, 4. Geopolitical
Exploited vulnerabilities	1. Technology, 2. Human, 3. Physical, 4. Procedural
Attack techniques used on supplier	1. Malware infection, 2. Social engineering, 3. Brute-force, 4. Exploiting software vulnerability, 5. Exploiting configuration vulnerability, 6. Exploiting trusted relationships, 7. Drive-by compromise, 8. Physical attack or modification, 9. Counterfeiting, 10. Open-Source Intelligence
Supplier assets targeted	1. Software (including code & libraries), 2. Financial, 3. Data (i.e. internal, confidential, secret), 4. Processes, 5. Hardware, 6. People, 7. Intellectual property
Attack techniques used on customer a	1. Malware infection, 2. Social engineering, 3. Brute-force, 4. Exploiting software vulnerability, 5. Exploiting configuration vulnerability, 6. Exploiting trusted relationships, 7. Drive-by compromise, 8. Physical attack or modification, 9. Counterfeiting, 10. Open-Source Intelligence
Customer assets targeted a	1. Software (including code and libraries), 2. Financial, 3. Data (i.e. internal, confidential, secret), 4. Processes, 5. Hardware, 6. People, 7. Intellectual property
Impact	1. Economic, 2. Reputational, 3. Digital, 4. Societal, 5. Physical
Scope of impact	1. Amount of financial costs, 2. Changes in stock market, 3. Number of affected customers/users

Cyber kill chain

Developed by (Lockheed-Martin, 2015), the cyber kill chain is a framework utilised to describe and analyse cyberattacks, usually to develop an organization’s incident response and analysis abilities. It consists of seven sequential stages to complete a cyberattack. In other words, it seeks to show the path to penetrate and attack an information system. The kill chain is a tool used by, for instance, incident response teams and malware analysts to present actual events and possible scenarios in addition to planning defensive measures to counter cyberattacks (Yadav and Rao, 2015). Figure 1 presents the different stages in the cyber kill chain and briefly describes their meaning.OPEN IN VIEWER

Despite its seeming simplicity, each stage in the chain provides researchers and practitioners with vast areas to investigate and design countermeasures. Overall, the cyber kill chain offers a framework to dissect even complicated attacks into smaller pieces and problem areas and assess those while allowing the defenders to design defensive and mitigating measures for each stage separately (Lockheed-Martin, 2015). As a result, it provides an effective tool for investigating cybersecurity attacks such as SolarWinds and Kaseya, also enabling their comparison.

Kaseya Attack

Kaseya, a provider of IT management software that develops solutions for network monitoring, system monitoring, and other IT applications, offers Virtual System Administrator (VSA), a software platform enabling IT teams to monitor, manage, and secure both on-premises and cloud-based IT environments for their customers. Kaseya primarily serves Managed Service Providers (MSPs), who offer IT management services to small and medium-sized businesses. ¹ If compromised, these MSPs’ IT services can cause significant business disruptions for themselves and their customers and lead to substantial financial losses. The potential for infecting a massive number of downstream customers was not lost by the threat actor, which targeted Kaseya and launched a supply chain ransomware attack. ²

On July 2, 2021, the US-based information technology company Kaseya received customer reports indicating that their on-premises administrative software detected suspicious behaviours on checkout endpoints. Shortly after the alert, Kaseya discovered ransomware was being executed on endpoints. The incident response team immediately instructed customers to shut off their VSA​.

Shortly after the ransomware attack was disclosed, the Russian-based group known as REvil (or ‘Sodinokibi’) claimed responsibility for the attack. ³ Operating since 2019, this cybercriminal group had carried out multiple high-profile ransomware attacks on large enterprises using an elusive and dangerous ransomware known as REvil. It posed a significant threat to governments and organisations worldwide, resulting from its development of the Ransomware-as-a-Service (RaaS) business model. ⁴ Upon claiming the crime targeting Kaseya and its customers, REvil demanded 70 million dollars in Bitcoin from Kaseya in exchange for a universal decryption key that unlocks the encrypted individual files. In response, the White House announced on July 8 that a further ransomware-focused meeting between the US and Russian governments was held to urge the Russian government to act against these criminal activities within its border. ⁵

Kaseya estimated that the cyberattack had directly compromised approximately 60 of its MSP customers who used the VSA. This subsequentially impacted between 800 to 1500 businesses (i.e. customers of MSPs), including 145 identified victims in the US and numerous international business networks. As noted above, among the victims was the Swedish grocery store brand Coop, which had to close hundreds of storefronts due to their inoperative cash registers. ⁶ The aftermath also caused widespread disruptions to railways, pharmacy chains, and governmental agencies and even led to the closure of many schools and kindergartens in New Zealand.

Before the attack, in early April 2021, the Dutch Institute of Vulnerability Disclosure (DIVD) had informed Kaseya that they had found seven vulnerabilities in the VSA systems. While Kaseya was able to fix four of them before the attack was revealed in July, ⁷ one of the remaining vulnerabilities regarding a credentials leak and business logic flaw was exploited by the attackers. In other words, a design flaw in the system enabled unauthorised acquisition of login credentials that provided system access, later to be used in the attack. ⁸ It is unclear how the attackers uncovered these vulnerabilities, yet that could have occurred by conducting vulnerability scans on Kaseya’s software or gathering information about potential victims’ business relationships that could be used in phishing attacks. Whatever those were, the discovery of vulnerabilities allowed the attackers to identify possible delivery methods for payloads (i.e. malware and injection channels) and determine potential targets.

Once attackers had circumvented the authentication process on the Kaseya VSA web interface, gaining the highest level of access of an MSP, REvil could now deploy its payload dropper, that is, software designed to deliver the malware, without scrutiny. ⁹ The hackers sent a request to multiple servers that contained the malicious payloads and accessed the compromised on-premises MSP VSA servers to upload two files (i.e. agent.crt and Screenshot.jpg) to the customer’s managed devices. Additionally, the attackers leveraged a SQL injection vulnerability via the Screenshot.jpg file, indicating that the attackers used SQL injection as a secondary channel for malware delivery. ¹⁰

After delivery, the malicious payloads led to the creation of a procedure on the infected machines disguised as an update labelled as ‘Kaseya VSA Agent Hot-fix’. The procedure disabled the security perimeter and functionalities of Windows Defender, duplicated and masqueraded the Windows certutil.exe decoding utility, decoded the payload contained in the agent.crt file, and saved it as an authenticated executable agent.exe in the Kaseya working folder. Finally, both the agent.crt and the deciphered file were deleted before moving on to the latter phases of the attack.

The update also enabled attackers to install a backdoor on a target’s system allowing persistent access. The malicious payload agent.exe was executed in this phase to implant a dynamic-link library (DLL) containing the malware. The payload also dropped an older but legitimate version of Microsoft’s Antimalware Service executable to execute the malware, proven to be particularly vulnerable to the upcoming DLL side-loading attacks. After the malware was activated, it triggered the Sodinikobi ransomware, which encrypted files on the target devices and connected drives. Additionally, the malware changed the firewall settings to make the infected computer visible to other devices on the same network. It also forced the computer to restart in safe mode and left a ransom note with instructions for the victims.

REvil demanded differing amounts as ransom from small businesses and medium corporations to decrypt their compromised systems. For example, the Swedish grocery store chain Coop was extorted millions of dollars for decryption. The Russian crime group also offered a $70 million in Bitcoin for a ‘master decipher’ that could unlock all systems affected by this attack. Due to the massive range of malware deployment, REvil made no observable effort to exfiltrate data from the compromised servers. However, the crime group claimed that they had stolen sensitive data from the victims and threatened to publish this information on dark web sites to pressure its victims into paying the ransom faster.

On July 13, security experts found that all REvil ransomware websites disappeared on the internet, leaving some victims and security companies unable to negotiate with REvil about potential data recovery. However, this move suggests that either the US or Russian government was involved. ¹¹ Three weeks after the cyberattack, Kaseya announced they had obtained a universal decryption tool from a trusted third party without paying the ransom. In March 2022, shortly after one of the hackers was extradited, it was revealed that the FBI provided the master decryption tool. The FBI had infiltrated REvil’s server already before the attack occurred and possessed the decryption tool but chose not to release it instantly to avoid alerting REvil and to facilitate their ongoing investigation. ¹²

SolarWinds attack

On 8 December 2020, the renowned cybersecurity company FireEye reported detecting a sophisticated intrusion against its SolarWinds platform, which was likely to be used to target other entities around the world. ¹³ After investigation, FireEye found that the initial breach happened through a malware injected into the SolarWinds Orion software updates, which upon installation could give attackers access to customers' networks. ¹⁴

SolarWinds Orion is an IT performance management and monitoring system used by both private enterprises and governmental agencies around the world. ¹⁵ Due to its accessibility to customer system performance logs and data, Orion had become a tempting target for hackers. The software provider, SolarWinds, had publicly displayed its comprehensive coverage of large enterprise-class networks and high-profile organisations before the attack. The customer list suggests that SolarWinds’ products are used by ‘more than 425 of the US Fortune 500, all ten of the top ten US telecommunications companies, all five branches of the US Military, the US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States, all five of the top five US accounting firms [and] hundreds of universities and colleges worldwide’. Although SolarWinds quickly hid the names from the public after the attack was revealed, the initial list might have provided the hackers with sufficient information to identify their targets. ¹⁶

Upon detecting the attack, FireEye immediately informed SolarWinds of the vulnerabilities. The news quickly stirred the White House and caught public attention. A substantial number of governmental agencies were included among the estimated 18000 victims that had downloaded the malicious Orion update. In response, the Cybersecurity and Infrastructure Security Agency (CISA) intervened and mandated federal agencies to disable their SolarWinds Orion connections. ¹⁷ Shortly afterwards, CISA collaborated with the FBI to assess the specific government impact of this cyberattack. On December 15, the Wall Street Journal reported that the US Commerce and Treasury Departments, the Department of Homeland Security, the National Institutes of Health, and the State Department were all affected by the attack. ¹⁸ The severity of the attack intensified when it was revealed that the Energy Department (DOE) and the National Nuclear Security Administration (NNSA), responsible for maintaining the US nuclear weapons stockpile, were among the victims. ¹⁹

SolarWinds acted to limit the damage. On December 13, they issued a security advisory to inform their customers about the hack and provide instructions on protecting their systems. SolarWinds released the first software fix four days later and began technical investigations with industry experts. Towards the end of December, SolarWinds informed that it had released updates containing security enhancements to disable the exploitation of the Orion platform in the attack. ²⁰

While the initial access point is still unclear, technical investigators believe the attackers exploited vulnerabilities in SolarWinds’ authentication and email servers. Investigations pushed the attack timeline back to 2019, revealing signs of attackers’ penetration in the SolarWinds system in early September of that year. They likely used social engineering to gain prolonged access to employee information. Once inside, the adversaries familiarised themselves with the company’s code structure and language, developed profiles of fake developers, and infiltrated the source code management system, seamlessly integrating into the software development and build processes. The attacker did not rush to inject backdoors and move on to the next phase of the attack. Instead, they patiently waited and began injecting harmless code modifications as patches to see if they could be detected. To ensure successful access to the supply chain, the attacker compromised the build system and checked whether their signed packages would appear on the client side as expected. Once confirmed that this would be the case, the attacker started planning the delivery of the attack payload. ²¹

After establishing persistent control of the internal product development system, the attacker inserted the malware SUNSPOT to replace one source code file and include the SUNBURST backdoor. The malware SUNSPOT was designed to monitor and gather information about the SolarWinds Orion build process, including the running processes. ²² The attackers used a Microsoft Visual Studio process to replace the original code with malicious code before the actual compilation and hid the backdoor in a dynamic-link library (DLL) file named SolarWinds.Orion.Core.BusinessLayer.dll. As this DLL file was digitally signed by the Orion software framework and was part of the standard Windows Installer Patch file, the malicious update file passed through the malware detection without causing alerts. ²³

SolarWinds released the malicious update packages in March 2020. ²⁴ As the customers downloaded the update packages, the malware was successfully delivered to the customers’ servers. Over 18000 organisations downloaded the update with malicious payloads, leading to a successful spread of the malware (i.e., known compromises of systems) across at least nine known federal agencies and over 100 private sector organisations. ²⁵ To avoid immediate detection, the SUNBURST first experienced a dormant period of up to two weeks and blended with typical system behaviour. The malicious payload then set out to gather information on the operational security environment and establish a command-and-control (C2) channel to communicate with the attackers. The attacker adopted sophisticated obfuscation techniques to generate customised subdomains for unique traffic on various servers while storing the reconnaissance results within legitimate plugin configuration files, mimicking legitimate SolarWinds activity. The SUNBURST backdoor also used multiple blocklists to avoid being detected. The established channel ultimately enabled the attackers to, for instance, retrieve and execute commands as well as transfer and execute files. The attackers exfiltrated the victims’ data over a web service without directly connecting to the victims’ system or bypassing any firewalls to maintain persistent communication. ²⁶

Later examination also revealed that the hackers removed the malware from the SolarWinds build environment to cover their traces once the intrusions were accomplished and the communication between the hackers and the compromised servers was established. All in all, the attackers were able to access significant data from SolarWinds’ major clients, including US government agencies, without being detected from May to early December 2020. SolarWinds’ CEO Sudhakar Ramakrishna referred to this attack as ‘one of the most complex and sophisticated cyberattacks in history’ and likely to be carried out by a well-trained and equipped nation-state hacking team targeting American cyberinfrastructure. This statement corresponded to the widespread assumption that this attack was part of a significant cyber espionage campaign originating from Russia. ²⁷ Though the Russian foreign ministry denied the allegation, traces of evidence and clues all point to a state-sponsored Russian spy group. Microsoft President Brad Smith pointed out on the Congressional hearing that, according to their technical experts, this hack is likely to be carried out by ‘at least 1000 very skilled, very capable engineers’. ²⁸ The Russian cybersecurity company Kaspersky also confirmed that the SolarWinds hackers showed great similarities with the Russian cyberespionage group Turla. ²⁹

Discussion tasks and questions

1- How is a supply chain attack different from other typical cyberattacks?

Supplemental Material