Companies are securing their own systems better and better. Attackers therefore turn to a quieter route: they compromise software vendors or service providers and let valid signatures and legitimate access carry them from there to their actual targets. A supply chain attack thus abuses the most valuable asset in any business relationship: trust.
What is a supply chain attack?
A supply chain attack targets a company through its suppliers. Instead of attacking the well-protected target organization directly, the attacker compromises a weaker link in the supply chain and uses the existing trust relationship as an entry point: automatic updates, signed code, remote maintenance access, or data connections.
Two variants can be distinguished. The software supply chain comprises everything that applications are built from: open source libraries, development tools, build systems, and update mechanisms. If malicious code is injected here, it spreads to all customers through regular releases. The service provider supply chain concerns companies with access to systems or data: IT service providers, maintenance firms, cloud providers, or suppliers with a network connection. Here, legitimate access becomes the attack path.
Transparency begins with the inventory: an SBOM (Software Bill of Materials) lists, like a parts list, which components a piece of software consists of. If a vulnerability becomes known in a library, SBOMs make it quick to determine which products and systems are affected. Such parts lists are increasingly being required by regulators too, for example in the European Cyber Resilience Act for manufacturers of connected products. For procurement and operations, the SBOM thus becomes a normal part of tenders and contract annexes.
How such an attack works
Most cases follow a recurring pattern:
- Breach at the supplier: The attacker compromises a software vendor or service provider, often through stolen credentials or vulnerabilities in its infrastructure.
- Manipulation of the product: Malicious code is injected into build systems, update servers, or code packages. If it carries the vendor's valid signature, it appears trustworthy to verification mechanisms.
- Distribution through legitimate channels: Customers install the manipulated update or package in the course of normal operations. Traditional protective measures rarely trigger, because the source and signature are correct.
- Selective activation: The built-in backdoor reports back to the attacker. The attacker selects the worthwhile targets from among the affected organizations and begins spreading and exfiltrating data there.
- Route via service provider access: Alternatively, the attacker abuses remote maintenance access or standing network connections of a compromised service provider and is thereby directly inside the customer network.
The patience of these attacks is striking: months can pass between the breach at the supplier and activation at the final target. A one-time security assessment of the supplier is therefore rarely sufficient. What matters is the ongoing view of what its software and access actually do within your own network and with whom they communicate.
Why protection against supply chain attacks matters
- A single compromised supplier can hit many organizations at once, with the attacker choosing the victims afterwards.
- The malicious code comes from a trusted source and therefore passes controls that are designed for external attacks.
- Modern applications consist largely of third-party components whose origin and maintenance status are rarely fully known.
- Remote maintenance and service provider access often lead deep into internal networks and are monitored less often than external access.
- The NIS-2 directive explicitly obliges affected companies to assess and address risks in the supply chain, details are explained in our glossary article on NIS-2 .
- Contractual pressure is growing too, because customers increasingly pass security requirements on to their suppliers.
Typical scenarios
- A manipulated update of a widely used IT management software installs a backdoor at all customers, and it is exploited at selected targets.
- A popular open source package changes maintainer, and shortly afterwards a new version contains code that exfiltrates credentials.
- Attackers take over the remote maintenance software of an IT service provider and then encrypt the systems of its customers.
- Through the network connection of a logistics partner, attackers gain access to a manufacturer's production network.
- A compromised build pipeline signs malicious code with the vendor's official certificate.
Supply chain attack vs. direct attack
In a direct attack, the attacker looks for vulnerabilities in the target's infrastructure, such as exposed services or unpatched systems. Perimeter protection, patching, and your own hardening help against this. The supply chain attack bypasses this defense, because it arrives through a channel that the target trusts both technically and organizationally. For defenders, this means: prevention at the outer boundary is not enough. It requires transparency about dependencies and minimal privileges for third parties, plus an architecture that limits the damage when trusted software or partners are compromised.
Protection against supply chain attacks at KAEMI
The compromise of a supplier from the outside cannot be prevented entirely. This makes an architecture that limits the blast radius all the more important. With Zero Trust Microsegmentation , KAEMI isolates systems and service provider access in such a way that a backdoor in a single piece of software does not open a path through the entire network: every connection requires explicit authorization, and maintenance access remains limited to the bare minimum. In addition, SASE/SSE ensures that external partners reach defined applications rather than entire network segments. This keeps a supply chain incident a limited event instead of a total outage.