Gareth Owenson

Three Times Supply Chain Compromise Was Visible on the Dark Web

If you still consider the attack surface to be something that’s contained within the boundaries of the ‘network fortress’ then your organization is already at a serious defensive security disadvantage. 

Supply chains compromised

According to the 2022 Verizon Data Breach Investigations Report, vulnerable supply chains played a role in 62 percent of system intrusion incidents in the last year, indicating very clearly that – with businesses heavily reliant on multiple and varied providers – every link in the supply chain is a potential target.

Dark web intelligence can inform supply chain compromise prevention by identifying when and how a businesses’ third parties are being targeted. Knowledge about who is interested in an organization’s supply chain, what capabilities they have, what tools they use, what vulnerabilities they are targeting, and what exploits are on offer, can provide critical information to help a company to defend its assets.

The maersk compromise

The 2017 Maersk compromise is a prime example of how dark web intelligence could make all the difference in preventing a supply chain attack.

Maersk was one of the highest-profile victims of the NotPetya ransomware variant, which was distributed through a malicious update via the accounting software M.E.Doc. The Danish shipping company, at the time the largest in the world, has reported the extent of the disruption to its systems caused by the attack, which impacted 4,000 servers, 45,000 PCs, and 2,500 applications. In total, Maersk estimated that the attack had cost it up to $300m through “serious business disruption” and famously the company was only saved from a worse outcome by a stroke of luck – because one of its Active Directory backups was offline in its powered-down office in Lagos.

An examination of dark web activity provides us with valuable insight into this incident. For example, mentions of vulnerabilities in the M.E.Doc accounting software can be identified on the dark web as early as 2013, as can spam templates specifically tailored to Maesk, which suggests the company was already a potential target for cybercriminals. 

There were also conversations on forums among threat actors that were inspired by the original Petya ransomware, with criminals actively seeking ransomware which achieved similar results of overwriting the Master Boot Record of the infected system. It is thought that NotPetya was eventually produced by the Sandworm hacking group, or ‘cyber-military’ Unit 74455 of the Russian military intelligence.

Moreover, analysis of dark web activity suggests that in the aftermath of the 2017 attack Maersk continues to be an active target. For example, in 2020 the firm was named by a threat actor seeking initial access to the computer systems of port terminals and various shipping companies with intent to steal information.

By monitoring the dark web for such activity, and in particular for vulnerabilities in third parties such as the M.E.Doc accounting software, organizations could identify the early warning signs of an attack against them via their supply chain and take preventative action.

Kronos in the crosshairs

Five years after the Maersk compromise, the Ultimate Kronos Group found itself the victim of a ransomware attack against its private cloud platform, which impacted a large number of major enterprises that used the payroll and workforce management company. Among the organizations impacted were Whole Foods, GameStop, Honda, many large US healthcare groups such as Ascension, and the UK supermarket chain Sainsburys. In all, it has been estimated that some eight million people were affected by this attack against one supply chain company. 

Once again, dark web intelligence shines a light on the lead up to the attack, who was involved, and how it was orchestrated. Records on the dark web show that Kronos was on threat actors’ radars as far back as the time of the Maersk compromise. Then in 2020, a full year before the attack itself, an apparent Kronos software exploit that enabled remote privilege escalation was for sale on a dark web market. By the end of 2021, a threat actor was posting adverts for exfiltrated Kronos records for sale. Those adverts tagged another threat actor, one who had been associated with various other breaches, including the January 2021 attack against Astoria. It is evident that if Kronos or its customers had been aware of this chatter that they would have been alerted to the possibility of an attack.

Early warning signs of kaseya attack

The supply chain ransomware attack against Kaseya in July 2021 is one of the most notable. Kaseya’s Virtual Systems Administrator (VSA) software, which is used to manage IT infrastructure, contained a zero-day vulnerability that allowed the attackers to bypass authentication and run arbitrary command execution. In effect, the hackers used Kaseya’s own functionality to deploy ransomware to endpoints. This attack was made worse by the fact that Kaseya is a supplier to managed service providers (MSPs), who each in turn had dozens of customers who were affected. In total, it is estimated that more than 1,000 companies had their endpoints encrypted.

In this case threat actors can be observed discussing this very scenario a full two years before the attack in dark web forums. What’s more, those discussions suggested an old vulnerability already existed in a Kaseya plugin and was already being actively exploited to deploy Gandcrab ransomware downstream to customers. There were even examples of vulnerabilities being offered for sale. Jump to 2020 and there are requests to buy access to IT outsourcing companies, with Kaseya being explicitly named in some. At Searchlight we have identified 21 different Kaseya account credentials that were up for sale in 2020.

Managing supply chain risk

Supply chain companies are increasingly under attack from threat actors because they are force-multipliers. Why expend time and effort attacking one enterprise when you could attack one supply chain company and compromise dozens of enterprises? Organizations are working hard to mitigate this risk but enforcing compliance and best security practices among multiple suppliers is a challenge.

Informing these efforts with dark web intelligence can help by identifying the early warning signs of an imminent attack or a provider that is vulnerable and being targeted. As these examples show, attacks often originate on the dark web, and visibility into the external threat facing a supply chain can enable an organization to take informed action against it before it is too late.

Download our free report Using the Dark Web for Pre-Attack Intelligence to find out more about how the early warning signs of supply chain compromise can be identified on the dark web.