Supply Chain Compromise

From attackics
ID T862
Tactic Initial Access
Data Sources Web proxy, File monitoring, Detonation chamber, Digital signatures


Adversaries may compromise the supply chain to gain access to a control systems environment through infected products, software, or workflows. Supply chain compromise is the manipulation of products, such as devices or software, or of their delivery mechanisms, before they reach the end consumer. The adversary's goal is to compromise data or systems once the tampered products are introduced into the target environment.

Supply chain compromise can occur at any stage of the supply chain, from manipulation of development tools and environments to manipulation of finished products and their distribution mechanisms. This may involve compromising and replacing legitimate software and patches, for example on third-party or vendor websites. A supply chain compromise may be targeted in an attempt to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, a supply chain compromise affecting the IT environment could enable further access to the OT environment.

F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex.[1] The adversary planted trojanized software installers on legitimate ICS/SCADA vendor websites. Once downloaded and run, these installers infected the host computer with a Remote Access Trojan (RAT).
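The Havex case above is the reason the technique lists Digital signatures and File monitoring as data sources: an installer fetched from a vendor site cannot be trusted just because the site is legitimate. The following is an added example (not code from the ATT&CK for ICS page, F-Secure, or any vendor) of two pre-execution checks on a downloaded installer: whether the PE carries an Authenticode certificate table at all, and whether its SHA-256 matches a hash obtained out-of-band rather than from the same possibly-compromised download page. The PE bytes, the file name `vendor_tool_setup.exe` and the manifest are constructed for the demonstration; the signature check only tests for presence of the certificate table, and full chain validation still needs `signtool` or `osslsigncode`.

```python
"""
Added example, not from the ATT&CK for ICS page or from any vendor: pre-execution
checks for an installer downloaded from a vendor website, covering two of the
technique's listed data sources.

  * Digital signatures: does the PE carry an Authenticode certificate table at all?
    A trojanized repack often ships unsigned or with the vendor signature stripped.
    (Presence check only; full chain validation needs signtool/osslsigncode.)
  * File monitoring: does the file's SHA-256 match the hash the vendor published
    out-of-band, rather than the hash shown on the same possibly-compromised page?

The PE bytes below are constructed headers, not a real installer.
"""
import hashlib
import struct


def pe_has_certificate_table(data: bytes) -> bool:
    """Return True if the PE's IMAGE_DIRECTORY_ENTRY_SECURITY entry is non-empty."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    if len(data) < coff + 20:
        return False
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if len(data) < opt + size_opt or size_opt < 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    if ndirs_off + 4 > opt + size_opt:
        return False
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    entry = dirs_off + 4 * 8  # index 4 = certificate table; 8 bytes per entry
    if ndirs <= 4 or entry + 8 > opt + size_opt:
        return False
    # For this directory entry the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_installer(data: bytes, vendor_sha256: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not pe_has_certificate_table(data):
        findings.append("unsigned: no Authenticode certificate table present")
    if sha256_hex(data) != vendor_sha256.lower():
        findings.append("hash mismatch: file differs from the vendor-published SHA-256")
    return findings


def build_test_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (no code sections), for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                       # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, 0x200)  # certificate table present
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    genuine = build_test_pe(signed=True)
    # Hypothetical out-of-band manifest, e.g. from a vendor release note or signed e-mail.
    manifest = {"vendor_tool_setup.exe": sha256_hex(genuine)}
    # A repacked installer: unsigned, with extra bytes appended (standing in for an added RAT dropper).
    trojanized = build_test_pe(signed=False) + b"\x90" * 16
    for label, blob in (("genuine", genuine), ("trojanized", trojanized)):
        result = vet_installer(blob, manifest["vendor_tool_setup.exe"])
        print(label, "->", "OK" if not result else "; ".join(result))
```

The hash comparison only helps if the reference hash did not come from the same web page as the download: in the Havex case the vendor site itself was compromised, so a hash published beside the installer could have been replaced along with it. Likewise, a present certificate table says nothing about who signed the file; the next step in a real workflow is to validate the chain and check that the signer matches the vendor.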

Procedure Examples

  • Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard Windows applications.[2]
  • XENOTIME targeted several ICS vendors and manufacturers.[3]
  • The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites.[4]