A (Partial) History of Software Supply Chain Attacks

SolarWinds put supply chain hacks on everyone’s radar. But attacks on software supply chains aren’t new. In fact, they’re much older than you suspect! Here’s a (partial) history of supply chain attacks and compromises.

Paul Roberts, Cyber Content Lead at ReversingLabs

The widespread campaign of software supply chain attacks that has become known as the “SolarWinds attack” began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is real.

But if you think of supply chain threats and attacks as a new problem plaguing software publishers and their customers, you are wrong. In fact, software supply chain attacks have been with us for years - decades even - though they haven’t always demanded the kind of attention and response they now receive.

A Partial History of Software Supply Chain Attacks

Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is - of course - incomplete. First: it is likely that there have been supply chain attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting of software supply chain attacks incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert.

Did we miss something? Let us know

If you notice that we have omitted a supply chain attack from our partial history, please let us know and, if possible, send corroborating evidence (links to public records, press coverage, social media posts, etc.) that we can use to verify your claim. We would be happy to update our list as new information becomes available.

A Chronology of Software Supply Chain Attacks

Below is a list of known (documented, reported) attacks involving compromises of software supply chains.

1982 Russia*

Trans-Siberian Pipeline

An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia. (Read more)

2013 South Korea

South Korean government and news websites

The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, which is widely used in South Korea. A related attack, carried out in conjunction with this one, took advantage of Songsari and has been classified as a DDoS attack. (Read more)

2017 Canada

Altair Technologies (a cybersecurity software & services company)

Altair Technologies acknowledged that it was the victim of backdoor malware inserted into one of its products in 2015. Users who downloaded or updated the software within a certain timeframe had their computers infected with malware. The attack is known as “Kingslayer.” (Read more)

2017 United Kingdom

CCleaner

Hackers used stolen credentials to infiltrate the network of the software firm Piriform, which makes the CCleaner performance optimization software, and installed a malware platform called ShadowPad. The adversaries were eventually able to compromise development and distribution systems at Piriform and contaminate millions of CCleaner downloads with malicious software that was used to launch targeted attacks against a small number of targets. (Read more)

2017 Ukraine

ME Doc

A compromise of the software update infrastructure of Kiev-based ME Doc, a maker of financial software for businesses, resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. The incident was one of the costliest cyber attacks ever, causing an estimated $10 billion in damages. (Read more)

2018 Global

VestaCP

VestaCP is a control panel interface that system admins use to manage servers. Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)

2018 Global

PDF Editor App

An unusual multi-tier software supply chain attack where unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)

2018 Global

Browsealoud

A third-party WordPress accessibility plugin called ‘Browsealoud’ had its servers compromised. This compromise resulted in over 4,000 websites serving up cryptomining malware. The sites that used Browsealoud included the UK Information Commissioner’s Office, UK National Health Service websites, an Australian provincial government website and many more. (Read more)

2018 Global

Cryptocurrency users

A malicious package was put in the official repository for the Python programming language. When installed on a Windows server, the package notified the attacker whenever the user made a crypto payment, and that payment could be rerouted to the attacker. (Read more)

2018 United States

Copay (now known as BitPay)

Attackers injected malicious code into a Node.js JavaScript package used by Copay, a cryptocurrency wallet written in JavaScript that relies on third-party open-source libraries. The malicious code resulted in the theft of cryptocurrency from Copay wallets. (Read more)

2019 United States

Agama cryptocurrency

Attackers inserted a malicious package into the build chain for Agama via the npm package manager with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)

2019 Taiwan

ASUSTeK (Shadow Hammer)

A trojanized ASUS Live Updater file (setup.exe) that carried a valid ASUSTeK Computer Inc digital signature was used to target a list of 600 machines (identified by unique MAC addresses) globally. Downloaded files that appeared benign actually contained malware. Because the digital signature was intact, the signing process itself had been compromised. (Read more)

2020 United States

U.S. Government program for low-income Americans

The Unimax (UMX) U686CL was given to low-income Americans as part of a government program, but the phones came with pre-installed malicious apps. One of the apps was a variant of the Adups malware, which is made by a Chinese company known for gathering user data. Assurance Wireless sold the phones to the US Government. (Read more)

2020 Global

NetBeans Projects

The attackers, a group known as Octopus Scanner, made GitHub repositories actively serve malware designed to insert a backdoor into NetBeans projects and into every project those projects affected. By using the backdoor, attackers were able to see the details of affected NetBeans projects. (Read more)

2020 Mongolia

Able Desktop

Able Desktop is chat software that is very popular in Mongolia and is used by many government agencies in the country. Two different trojanized installers and a compromised system update were used for the attack. Malware deployed through the software included HyperBro, Korplug and Tmanager. (Read more)

2020 Global

Aisino

Tax software from China-based Aisino was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. The malware used, dubbed “GoldenSpy,” targeted specific western-based companies that use the Aisino software. Essentially, the bank compelled clients to install tax software containing a hidden backdoor, which then downloaded further malware onto their systems. Aisino knew about the GoldenSpy malware, but it is unclear whether it was responsible for it. (Read more)

2020 South Korea

WIZVERA VeraPort

Attackers targeted South Korean users of WIZVERA VeraPort, a trusted download verification tool, by compromising websites that use it and prompting its browser plugin to install malware signed with stolen, authentic digital certificates. The goal was to target users of financial and government websites. (Read more)

2020 United States

SolarWinds

Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a SolarWinds Orion software update to around 18,000 customers. (Read more)

2020 Vietnam

Vietnam VGCA (SignSight)

Attackers compromised the website of the Vietnam Government Certification Authority (VGCA), affecting the software it distributes. They added a backdoor component to the installers for legitimate software, making it hard to detect. Because the affected toolkit is used for digital signing, the attack allowed both government and commercial entities to be targeted, since private and public entities alike rely on the toolkit to sign digital documents. (Read more)

2020 United States

Twilio

Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. The malicious SDK was used to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks, the company said. (Read more)

2021 United Kingdom

Mimecast

A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. This allowed the threat actor to take over a connection and steal customers' information held in Microsoft 365 Exchange Web Services. (Read more)

2021 Global

Stock investment platform

The North Korean APT group known as Thallium produced a Windows executable using Nullsoft Scriptable Install System (NSIS) that contained malicious code in addition to the files of a legitimate stock investment application. Within the legitimate installer of the stock investment platform, attackers injected specific commands that fetched a malicious XSL script from a rogue FTP server and executed it on Windows systems via the built-in wmic.exe utility. (Read more)

2021 Hong Kong

BigNox

ESET researchers discovered a compromise of the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong based firm BigNox. According to ESET, three different malware families were observed being distributed via tailored updates to targeted victims. Espionage rather than financial gain appeared to be the motive. (Read more)

2021 Global

Various

A researcher (Alex Birsan) managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack. The researcher uploaded malicious npm modules with names identical to known, non-public modules to public, open source repositories. Configuration errors in npm then caused the malicious public modules to be downloaded into the various companies' software applications. (Read more)
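The dependency confusion entry above describes a client-side configuration failure: an internal package name resolves to the public registry. The following is an added example, not code from the original post, of a defender-side check a build pipeline can run over a package-lock.json and an .npmrc; the package names, the registry host npm.acme.example and the lockfile contents are constructed for illustration.

```javascript
// Added example (not from the original post): audit an npm lockfile for
// dependency-confusion exposure. Package names, registry host and lockfile
// contents below are constructed for illustration only.

const INTERNAL_REGISTRY_HOST = "npm.acme.example";                 // assumed private registry
const INTERNAL_PACKAGES = ["acme-internal-auth", "@acme/billing"]; // assumed internal names

// Constructed package-lock.json (lockfileVersion 3 layout): one internal
// package was resolved from the public registry instead of the private one.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
    "node_modules/acme-internal-auth": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-internal-auth/-/acme-internal-auth-99.0.0.tgz",
    },
    "node_modules/@acme/billing": {
      version: "2.1.0",
      resolved: "https://npm.acme.example/@acme/billing/-/billing-2.1.0.tgz",
    },
    "node_modules/@acme/billing/node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// The package name is whatever follows the last "node_modules/" segment of
// the key, so nested installs such as ".../node_modules/lodash" are handled.
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns one finding per internal-named package whose tarball was resolved
// from a host other than the private registry.
function auditLockfile(lock, internalNames, internalHost) {
  const internal = new Set(internalNames);
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !internal.has(name) || !entry.resolved) continue;
    const host = new URL(entry.resolved).host;
    if (host !== internalHost) {
      findings.push({ name, version: entry.version, resolvedFrom: host });
    }
  }
  return findings;
}

// Scoped packages can be pinned to the private registry in .npmrc; this
// reports the scopes that have no such pin. The .npmrc text is constructed.
function missingScopePins(npmrcText, scopes) {
  const pinned = new Set();
  for (const line of npmrcText.split(/\r?\n/)) {
    const m = line.match(/^\s*(@[^:\s]+):registry\s*=/);
    if (m) pinned.add(m[1]);
  }
  return scopes.filter((s) => !pinned.has(s));
}

const SAMPLE_NPMRC =
  "registry=https://registry.npmjs.org/\n@acme:registry=https://npm.acme.example/\n";
```

Run auditLockfile(SAMPLE_LOCK, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOST) against the sample and the unscoped acme-internal-auth package is reported as resolved from registry.npmjs.org, while the scoped @acme/billing is clean; missingScopePins shows which scopes still lack a registry pin.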

2021 Mongolia

MonPass

The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. As part of the attack, Cobalt Strike binaries were bundled with the company’s official software client. (Read more)

2021 United States

Xcode

Xcode is a free application development environment created by Apple that allows developers to create apps for any iOS device. XcodeSpy is a malicious Xcode project that targets these iOS developers by installing a backdoor on the developer’s computer. (Read more)

2021 Australia

Click Studios (Passwordstate)

Passwordstate is a password manager that was hit with an attack aimed at stealing the password information of all its users. The company has close to 30K customers in the U.S. and Australia. The attackers compromised the software’s update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)

2021 United States

Codecov

Attackers compromised Codecov's Bash Uploader, a software development tool, and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)

2021 Global

Ledger (Nano X Wallet)

Attackers tampered with the wallet’s software before the user accessed it. This breach could allow malicious actors to take control of computer systems connected to one of these wallets. Attackers reflashed the product with malicious firmware that can compromise the user’s host computer. (Read more)

2021 Myanmar

Myanmar Presidential Website

A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page. (Read more)

2021 United States

SYNNEX

SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. APT29 (also known as Cozy Bear) is the suspected attacker. (Read more)

2021 Global

SushiSwap’s MISO cryptocurrency platform

“SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.” (Read more)

2021 Global

npm 'coa' and 'rc' packages

The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. These packages have been used by tech giants like Microsoft and Meta. (Read more)

2022 Global

Several well-known OSS projects

In an act of protest against corporations exploiting open source projects, the npm libraries “colors” and “faker” were sabotaged by their maintainer, Marak Squires. Some of the OSS projects impacted include Amazon’s cloud development kit, Facebook’s Jest, JavaScript, and Node.js. (Read more)

March 2022 South Korea

Samsung

The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online. The leaked code contained 6,600 keys, some 90% of which were for Samsung's internal services and infrastructure.

March 2022 Global

npm node-ipc module

Brandon Nozaki Miller, the developer of node-ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine. The new release included an obfuscated function that checked the IP address of developers who used the node-ipc module in their projects. On IP addresses that geolocated to either Russia or Belarus, node-ipc wiped files from the machine and replaced them with a heart emoji.

July 2022 Global

IconBurst

ReversingLabs researchers identified more than two dozen npm packages, dating back six months, that contained obfuscated JavaScript, with jQuery scripts designed to steal form data from deployed applications. In one case, a malicious package had been downloaded more than 17,000 times.

August 2022 Global

npm (React and Qt)

Researchers at Sonatype identified 186 malicious npm packages that impersonated the heavily used Qt and React JavaScript libraries. The packages used typosquatting and were published from a pseudonymous npm account to infect Linux hosts with crypto-mining malware.

August 2022 Global

PyPI (secretslib)

A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it was installed.

October 2022 Global

PyPI (various packages)

Researchers at Phylum discovered more than a dozen PyPI packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious __import__.

November 2022 Global

Various (news websites)

Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites. The supply chain attack was used to spread TA569's custom malware, SocGholish, an initial access tool connected with ransomware delivery.

Sources:

https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
https://unredacted.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
https://www.cybereason.com/blog/deja-vu-what-do-notpetya-and-solarwinds-have-in-common
https://apnews.com/article/8b02768224de485eb4e7b33ae55b02f2
https://apnews.com/article/ap-top-news-theft-indictments-china-hacking-05aa58325be0a85d44c637bd891e668f
https://securelist.com/operation-applejeus/87553/
https://www.kaspersky.com/blog/copay-supply-chain-attack/24786/
https://blog.npmjs.org/post/185397814280/plot-to-steal-cryptocurrency-foiled-by-the-npm
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://www.darkreading.com/threat-intelligence/chinese-malware-found-preinstalled-on-us-government-funded-phones
https://duo.com/decipher/malware-infects-netbeans-projects-in-software-supply-chain-attack
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://www.darkreading.com/attacks-breaches/chinese-software-company-aisino-uninstalls-goldenspy-malware
https://securityboulevard.com/2021/10/solarwinds-accellion-breaches-supply-chain-attacks-wreaking-havoc/
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
https://www.twilio.com/blog/avoiding-dependency-confusion-attacks
https://www.helpnetsecurity.com/2020/07/23/twilio-malicious-sdk/
https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
https://www.bankinfosecurity.asia/mongolian-certification-authority-monpass-breached-a-16990
https://thehackernews.com/2021/02/russian-hackers-targeted-ukraine.html
https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets-ios-devs-in-supply-chain-attack/
https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/
https://securityboulevard.com/2021/03/verkada-surveillance-hack-breach-highlights-iot-risks/
https://techcrunch.com/2021/08/04/passwordstate-supply-chain-attack/
https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
https://www.theregister.com/2021/05/27/fujitsu_projectweb_supply_chain_attack/
https://blog.kraken.com/post/5590/kraken-security-labs-supply-chain-attacks-against-ledger-nano-x/
https://www.cybersecurity-help.cz/blog/2146.html
https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
https://www.theregister.com/2021/07/07/synnex_rnc_microsoft_attack/
https://www.sonatype.com/resources/vulnerability-timeline
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/
https://blog.sonatype.com/what-constitutes-a-software-supply-chain-attack
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/
https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets
https://blog.sonatype.com/a-new-0-day-log4j-vulnerability-discovered-in-the-wild?hsLang=en-us
https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
https://blog.sonatype.com/3-million-cryptocurrency-heist-malicious-github-commit?hsLang=en-us
https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
https://www.zdnet.com/article/bankbot-android-malware-sneaks-into-the-google-play-store-for-the-third-time/
https://www.itworldcanada.com/article/canadian-cyber-firm-confirms-it-was-the-victim-described-in-rsa-investigation/390903
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/124/trend-micro-investigates-june-25-cyber-attacks-in-south-korea
https://www.eset.com/int/about/newsroom/press-releases/research/eset-uncovers-operation-nightscout-cyberespionage-supply-chain-attack-on-gamers-in-asia/
https://techcrunch.com/2022/07/27/protestware-code-sabotage/
https://www.wired.com/story/developer-altered-open-source-software-to-wipe-files-in-russia/