Supply Chain Attack
An attack that targets the network of relationships between an organization and its external partners β suppliers, service providers, hardware manufacturers, or software vendors β rather than attacking the final target directly. Attackers compromise a weaker link in the chain and use trusted relationships to gain access to the ultimate target. Supply chain attacks are effective because: (1) the compromised link has legitimate access to the target, (2) that access looks like normal traffic, and (3) the target organization may have no visibility into the compromise until significant damage is done. The SolarWinds SUNBURST attack and the Target breach are canonical examples.
Service Provider
Any external organization that provides services requiring some form of access to an organization's internal systems, data, or network. Service providers in a supply chain context include: IT support companies, HVAC and facilities management contractors, payroll and accounting processors, cloud service providers, managed system administrators, cleaning and maintenance companies, and external auditors. Each represents a potential supply chain attack vector because they hold legitimate credentials or network access that an attacker can exploit if the provider is compromised.
Third-Party Vendor Risk
The security risk introduced by an organization's reliance on external vendors, contractors, and service providers. Third-party vendor risk exists because: (1) organizations cannot directly enforce security controls on vendors, (2) vendors often have privileged access to internal systems, and (3) vendors themselves may have supply chain dependencies that create additional layers of risk. Management requires vendor security requirements in contracts, periodic audits of vendor security posture, and monitoring of vendor account activity for anomalous behavior.
Counterfeit Hardware
Hardware that is manufactured to resemble genuine products from a known vendor but is produced without authorization and sold fraudulently as authentic. Counterfeit hardware risks in cybersecurity include: inferior components that fail unexpectedly, missing security features present in genuine hardware, hidden vulnerabilities not present in the legitimate product, and potential backdoors for monitoring or controlling the device. Network equipment (switches, routers, firewalls) is a particularly high-value target for counterfeiting because it carries all network traffic and is trusted as infrastructure.
Hardware Supply Chain
The chain of manufacturers, distributors, resellers, and integrators involved in producing and delivering physical hardware components. Hardware supply chain security concerns: counterfeit products entering the chain through fraudulent resellers, tampering with hardware during transit, insertion of malicious components during manufacturing, and lack of visibility into the components' true origin. Mitigation requires purchasing from authorized distributors, physical inspection and authenticity verification, and building security into the procurement process from the start.
Software Supply Chain
The chain of code, libraries, tools, and processes involved in developing and delivering software, including open-source components, third-party libraries, build pipelines, and distribution mechanisms. Software supply chain attacks target any step in this chain to inject malicious code into legitimate software. High-impact attack points include: the source code repository, the build pipeline, the packaging and signing step, and the distribution mechanism (update servers). The SolarWinds SUNBURST attack targeted the build pipeline β inserting malicious code before code signing occurred.
SolarWinds SUNBURST
A major software supply chain attack (discovered December 2020) in which attackers compromised the build pipeline of SolarWinds Orion, a widely used IT monitoring platform. Malicious code (SUNBURST) was inserted into legitimate Orion software updates distributed in March and June 2020. The updates were signed with SolarWinds' legitimate code-signing certificate and distributed normally to approximately 18,000 customers, including major U.S. government agencies (Pentagon, DHS, State Department, Treasury, National Nuclear Security Administration) and technology companies. The compromise remained undetected for nine months. SUNBURST is the definitive example of a software supply chain attack and demonstrates that code signing does not protect against malicious code inserted before the signing step.
Target Corporation Breach (2013)
A service provider supply chain attack in November 2013 where approximately 40 million credit card numbers were stolen from Target customers. The attack vector was Fazio Mechanical Services, an HVAC contractor with VPN access to Target's network. Attackers compromised Fazio via phishing, stole the VPN credentials used by HVAC technicians, used those credentials to access Target's internal network, and β due to insufficient network segmentation β reached point-of-sale systems in approximately 1,800 stores. The HVAC company had no obvious connection to payment card security but held the keys to Target's network. This is the canonical service provider supply chain attack example.
SBOM (Software Bill of Materials)
A machine-readable inventory of all components, libraries, dependencies, and their versions that make up a software application. An SBOM enables organizations to quickly identify which applications include a specific library or component when a new vulnerability is disclosed. Without an SBOM, identifying which applications are affected by a newly disclosed open-source vulnerability may require weeks of manual investigation across dozens of applications. With an SBOM, a simple query returns all affected applications in minutes. SBOM adoption was accelerated by the 2021 U.S. Executive Order on Cybersecurity following the Log4Shell vulnerability (CVE-2021-44228) and the SolarWinds incident.
Island Hopping
An attack technique where an attacker who cannot directly attack a high-value target instead compromises a less-defended supplier or partner of that target, then uses the trusted relationship to pivot into the target organization. Named by analogy to World War II island-hopping campaigns that used smaller island bases to reach larger targets. Island hopping is the fundamental mechanism of supply chain attacks: the attacker "hops" from a weaker supply chain link to the ultimate target. The Target/HVAC case is island hopping: HVAC firm (weak) β Target Corp (strong target), reached via the trusted vendor relationship.