The widespread campaign of software supply chain attacks that has become known as the “SolarWinds attack” began in 2020, and unofficially elevated software supply chain security to the top echelon of cyber risks to both government and the private sector. Subsequent events, like the emergence of the Log4Shell vulnerability in the Log4j2 open source library, underscored that software supply chain risk is for real.
But if you are thinking that supply chain threats and attacks as a new problem plaguing software publishers and their customers, you are wrong. In fact: software supply chain attacks have been with us for years - decades even - though they haven’t always demanded the kind of attention and response they now receive.
A Partial History of Software Supply Chain Attacks
Below is a list of known software supply chain attacks, compiled from public records and reporting. This list is - of course - incomplete. First: it is likely that there have been supply chain attacks in which the details have not been made public. Second, these attacks are happening all the time, making any accounting of software supply chain attacks incomplete. Finally, opinions on what constitutes a software supply chain attack can differ from expert to expert.
[ Get key takeaways from a survey of 300+ security professionals on software security. Plus: Download the report: Flying Blind: Firms Struggle to Detect Software Supply Chain Attacks ]
Did we miss something? Let us know
If you notice that we have omitted a supply chain attack from our partial history, please let us know and, if possible, send corroborating evidence (links to public records, press coverage, social media posts, etc.) that we can use to verify your claim. We would be happy to update our list as new information becomes available.
A Chronology of Software Supply Chain Attacks
Below is a list of known (documented, reported) attacks involving compromises of software supply chains.
An alleged CIA operation to pass compromised ICS software to Russian intelligence results in a massive explosion in Siberia.
2013 South Korea
South Korean government and news websites
The attackers used the auto-update mechanism of a file-sharing and storage application known as SimDisk, which is widely used in South Korea. Another attack in conjunction with this took advantage of Songsari, which has been classified as a DDoS attack. (Read more)
Altair Technologies (a cybersecurity software & services company)
Altair Technologies acknowledged that it was the victim of backdoor malware inserted into one of its products in 2015. If users at the company had downloaded/updated the software within a certain timeframe, their computer would become infected with malware. The attack is known as “Kingslayer.” (Read more)
2017 United Kingdom
Hackers used stolen credentials to infiltrate the network of the software firm Piriform, which makes the CCleaner performance optimization software and install malware platform called ShadowPad. The adversaries were eventually able to compromise development and distribution systems at Piriform and contaminate millions of CCleaner downloads with malicious software that was used to launch targeted attacks against a small number of targets. (Read more)
A compromise of the software update infrastructure of Kiev-based ME Doc, a maker of financial software for businesses, resulted in the NotPetya wiper malware being delivered to more than 12,000 systems in Ukraine and 80 victim organizations in 64 countries. The incident was one of the costliest cyber attacks ever, causing an estimated $10 billion in damages. (Read more)
VestaCP is a control panel interface that system admins use to manage servers. Attackers compromised VestaCP servers and used the access to make malicious changes to an installer that was ready for download. (Read more)
PDF Editor App
An unusual multi-tier software supply chain attack where unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. (Read more)
A third party WordPress accessibility plugin called ‘Browsealoud’ had their servers compromised. This compromise resulted in over 4,000 websites serving up cryptomining malware. The sites that use Browsealoud included the UK Information Commissioner’s office, UK National Health Service websites, an Australian provincial government website and many more. (Read more)
A malicious package was put in the official repository for the Python programming language. When downloaded on a Windows server, the attacker is notified when the user makes a crypto payment, and that payment can get rerouted to the attacker. (Read more)
2018 United States
Copay (now known as BitPay)
2019 United States
Attackers inserted a malicious package into the build chain for Agama via the npm package manager with the intent of stealing the wallet seeds and other login passphrases used within the Agama application. (Read more)
ASUSTeK (Shadow Hammer)
A trojanized ASUS Live Updater file (setup.exe) which contained a digital signature of ASUSTeK Computer Inc was used to target a list of 600 targets (identified by unique MAC addresses) globally. Downloaded files that appeared to be benign actually had malware features. The digital signature (ASUSTeK Computer Inc) was intact, meaning that the digital signature itself was compromised. (Read more)
2020 United States
U.S. Government program for low-income Americans
The Unimax (UMX) U686CL was given to Americans with low-incomes as part of a government program, but the phones had pre-installed apps that were malicious. One of the apps was a variant of the Adups malware, which is made by a Chinese company known for gathering user data. Assurance Wireless sold the phones to the US Government. (Read more)
The attackers, a group known as Octopus Scanner, made GitHub repositories actively serve malware, which was designed to insert a malicious backdoor into NetBeans projects, and all affected projects. By using the backdoor, attackers were able to see the details of affected NetBeans projects.
Able Desktop is a chat software that is very popular in Mongolia, and it is used by many government agencies in the country. Two different trojanized installers and a compromised system update were used for the attack. Malware that was deployed into the software included HyperBro, Korplug and Tmanager. (Read more)
Tax software from China-based Aisino was used as a backdoor to gain access to the networks of foreign firms doing business with a Chinese bank. The malware used, dubbed “GoldenSpy,” targeted specific western-based companies who use the Aisino software. Essentially, the bank compelled clients to install tax software containing a hidden backdoor, which would cause them to have malware downloaded. Aisino knew about the GoldenSpy malware but it’s unclear if it was responsible for it. (Read more)
2020 South Korea
South Korean users of a trusted download verification tool were targeted, prompting a browser plugin to install malware with stolen authentic digital certificates. They entered through the compromised website, impacting computer utility, in order to target financial and government websites. (Read more)
2020 United States
Attackers believed to be working for the government of Russia compromised the software build system for SolarWinds Orion Network Management System software and distributed malicious code in the form of a SolarWinds Orion software update to around 18,000 customers. (Read more)
Vietnam VCGA (SignSight)
Attackers compromised the Vietnam Government Certification Authority (VCGA) website, impacting the overall infrastructure of the software. Attackers added a backdoor component to the installers for legitimate software, making it hard to detect. Because the digital signature toolkit was affected, it allowed government and commercial entities to be targeted, since private and public entities alike rely on the toolkit to sign digital documents.
2020 United States
Attackers exploited a misconfigured Amazon S3 bucket used to serve Twilio’s TaskRouter JS SDK, inserting a malicious version that was served to customers for around 8 hours. The malicious SDK was used to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks, the company said. (Read more)
2021 United Kingdom
A Mimecast-issued certificate used to authenticate some of the company’s products to Microsoft 365 Exchange Web Services was compromised by a threat actor. This allowed a threat actor to take over a connection and steal customers' information found in the Microsoft 365 Exchange Web Servers. (Read more)
Stock investment platform
The North Korean APT group known as Thallium produced a Windows executable using Nullsoft Scriptable Install System (NSIS) that contained malicious code in addition to the legitimate files from a legitimate stock investment application program. Within the legitimate installer of the stock investment platform, attackers injected specific commands that fetched a malicious XSL script from a rogue FTP server, and executed it on Windows systems via the in-built wmic.exe utility. (Read more)
2021 Hong Kong
ESET researchers discovered a compromise of the update mechanism of NoxPlayer, an Android emulator for PCs and Macs produced by the Hong Kong based firm BigNox. According to ESET, three different malware families were observed being distributed via tailored updates to targeted victims. Espionage rather than financial gain appeared to be the motive. (Read more)
A researcher (Alex Birsan) managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel dependency confusion supply chain attack.” The researcher uploaded malicious npm modules with names identical to known, non-public modules to public, open source repositories. Configuration errors in npm then caused the malicious public modules to be downloaded to the various companies' software applications. (Read more)
The certificate authority MonPass was compromised with backdoors and webshells placed on a public server hosted by the company. As part of the attack, Cobalt Strike binaries were bundled with the company’s official software client. (Read more)
2021 United States
Xcode is a free application development environment created by Apple that allows developers to create apps for any iOS device. XcodeSpy is the malicious project targeting these iOS developers by installing a backdoor on the developer’s computer. (Read more)
Click Studios (Passwordstate)
Passwordstate is a password manager that was hit with an attack that aimed to steal the password information of all its users. The company has close to 30K customers in the U.S. and Australia. The attackers compromised the website’s software update feature to deliver a malicious update to any customer that updated the system within a specific timeframe. (Read more)
2021 United States
Attackers compromised Bash Uploader, a software development tool and used it to gain restricted access to hundreds of networks belonging to the San Francisco firm's customers. (Read more)
Ledger (Nano X Wallet)
Attackers tampered with the software of the wallet prior to the user accessing it. This breach could allow malicious actors to take control of computer systems connected to one of these wallets. Attackers reflashed the product with malicious firmware that can comprise the user’s host computer. (Read more)
Myanmar Presidential Website
A threat actor injected malware inside a localized Myanmar font package available for download on the website’s front page.
2021 United States
SYNNEX, a technology distributor, had its systems and Microsoft accounts attacked, which caused the Republican National Committee (one of its clients) to have a security incident. APT29 (also known as Cozy Bear) are the suspected attackers. (Read more)
SushiSwap’s MISO cryptocurrency platform
“SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack. Just one malicious code commit made to Sushi’s private GitHub repository was enough to alter the company’s auction portal, and replace the authentic wallet address with the attacker's.” (Read more)
npm 'coa' and 'rc' packages
The incident involved an npm account takeover causing the ‘coa’ and ‘rc’ packages to become hijacked in an effort to spread malware. These packages have been used by tech giants like Microsoft and Meta. (Read more)
Several well-known OSS projects
March 2022 South Korea
The Lapsus$ hacking group leveraged Samsung insiders to obtain VPN and virtual desktop credentials, then published approximately 200 GB of internal source code online. The leaked code contained 6,600 keys, some 90% of which were for Samsung's internal services and infrastructure.
March 2022 Global
NPM node.ipc module
Brandon Nozaki Miller, the developer of node.ipc, pushed an update of his popular open source library that sabotaged computers in Russia and Belarus in retaliation for Russia’s invasion of Ukraine. The new release included an obfuscated function that checked the IP address of developers who used the node.ipc module in their projects. IP addresses that geolocated to either Russia or Belarus saw node.ipc wipe files from their machines and replaced them with a heart emoji.
July 2022 Global
August 2022 Global
NPM (React and QT)
August 2022 Global
A PyPI package, secretslib, claimed to perform secrets matching and verification, but covertly ran cryptominers in memory on the Linux machines on which it was installed.
October 2022 Global
PyPi (various packages)
Researchers at Phylum discovered more than a dozen PyPi packages that were modified to install the W4SP information stealer onto Python developers’ machines via a malicious __import__ .
November 2022 Global
Various (news websites)
Threat actor TA569 compromised the codebase of an application used to serve video and advertising to national and regional newspaper websites. The supply chain attack was used to spread TA569's custom malware, SocGhoulish, an initial access tool connected with ransomware delivery.
https://unredacted.com/2013/04/26/agent-farewell-and-the-siberian-pipeline-explosion/ https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html https://www.cybereason.com/blog/deja-vu-what-do-notpetya-and-solarwinds-have-in-common https://apnews.com/article/8b02768224de485eb4e7b33ae55b02f2
https://duo.com/decipher/malware-infects-netbeans-projects-in-software-supply-chain-attack https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/ https://www.darkreading.com/attacks-breaches/chinese-software-company-aisino-uninstalls-goldenspy-malware
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/
https://www.bankinfosecurity.asia/mongolian-certification-authority-monpass-breached-a-16990 https://thehackernews.com/2021/02/russian-hackers-targeted-ukraine.html https://www.bleepingcomputer.com/news/security/new-xcodespy-malware-targets-ios-devs-in-supply-chain-attack/