Definition
A supply chain attack occurs when an adversary infiltrates a target by first compromising an outside partner or provider that has legitimate access to the target's systems and data. This dramatically alters the risk profile because the attack vector is a trusted channel (e.g., a software update or a third-party library) rather than a direct exploit of the victim's perimeter.
Purpose and Core Idea
The core idea is leverage. By compromising one widely used software vendor, an attacker gains a foothold in thousands of downstream customers at once. This bypasses traditional perimeter defenses such as firewalls and IDS because the malicious code arrives through an allow-listed channel (the vendor's signed update) and, once installed, its traffic originates from a trusted host inside the network.
Mini Case Study: SolarWinds SUNBURST
The SolarWinds compromise is the definitive example of a sophisticated supply chain attack.
- The Vector: Attackers (attributed to APT29) compromised the build environment of the SolarWinds Orion platform and inserted the SUNBURST backdoor into a legitimate DLL, SolarWinds.Orion.Core.BusinessLayer.dll, during the build itself, so the source repository showed nothing unusual.
- The Distribution: The trojanized update was signed with SolarWinds' legitimate code-signing certificate and pushed through the standard update mechanism; SolarWinds estimated that up to 18,000 customers installed it.
- The Stealth: The backdoor lay dormant after installation (a sleep timer of up to roughly two weeks) before contacting its C2 servers, and it disguised that traffic as legitimate Orion Improvement Program (OIP) protocol messages so that it blended in with the product's normal network activity.
- Lesson: A valid digital signature proves only who signed a binary, not that the build behind it was clean. Organizations must monitor the behavior of trusted binaries (new network destinations, new child processes, new persistence) using EDR telemetry and threat hunting.
Usage in Real CTI Workflows
CTI analysts track software bills of materials (SBOMs) and vulnerability databases for their vendors so they know exactly which products and versions are deployed. When a vendor reports a compromise, analysts must assume their own network is breached, identify the affected components from the SBOM, and start hunting for the affected binaries' behavior immediately rather than waiting for a confirmed indicator.
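The following is an added example (not code from the original page or from SolarWinds) that strings together the "Lesson" above and the workflow just described: match a constructed SBOM against a vendor advisory's affected version range, then hunt constructed EDR/DNS telemetry for the affected, validly signed binary contacting destinations it never reached during a clean baseline window. The vendor "AcmeMonitor", its versions, the host names and the domains are all hypothetical, and the advisory's "binary" field (mapping an SBOM component to an on-disk image name) is an assumption of this example, not a standard advisory field.

```python
"""Added example: from vendor advisory to behavioural hunt.
All SBOM, advisory and telemetry data below is constructed and hypothetical."""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM fragment (hypothetical product and versions).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"publisher": "AcmeMonitor", "name": "AcmeMonitor.Core", "version": "2020.2.1"},
        {"publisher": "AcmeMonitor", "name": "AcmeMonitor.Core", "version": "2019.4.0"},
        {"publisher": "AcmeMonitor", "name": "AcmeMonitor.Core", "version": "2020.2.3"},
        {"publisher": "OtherVendor", "name": "Agent", "version": "4.2.0"},
    ],
})

# Constructed advisory: inclusive affected range plus the image name to hunt for
# ("binary" is an assumption of this example, not a standard field).
ADVISORY = {
    "publisher": "AcmeMonitor", "name": "AcmeMonitor.Core",
    "affected_min": "2019.4.5", "affected_max": "2020.2.1",
    "binary": "AcmeMonitor.Core.dll",
}

# Constructed EDR/DNS telemetry: ts,host,image,signature_valid,destination
BASELINE_LOG = """\
2020-03-01T10:00:00Z,srv1,AcmeMonitor.Core.dll,true,updates.acmemonitor.example
2020-03-01T10:05:00Z,srv1,AcmeMonitor.Core.dll,true,api.acmemonitor.example
2020-03-02T09:00:00Z,srv2,AcmeMonitor.Core.dll,true,updates.acmemonitor.example
"""
HUNT_LOG = """\
2020-03-30T02:13:00Z,srv1,AcmeMonitor.Core.dll,true,updates.acmemonitor.example
2020-03-30T02:14:00Z,srv1,AcmeMonitor.Core.dll,true,x9q2lm7.cdn-sync.example
2020-03-30T03:40:00Z,srv2,AcmeMonitor.Core.dll,true,h4t8pzw.cdn-sync.example
2020-03-30T04:00:00Z,srv3,notepad.exe,true,docs.example.org
"""


def parse_version(v: str) -> tuple[int, ...]:
    """'2020.2' -> (2020, 2, 0, 0): pad so dotted versions compare as tuples."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def affected_components(sbom_json: str, advisory: dict) -> list[dict]:
    """Return SBOM components of the advisory's product inside its affected range."""
    lo, hi = parse_version(advisory["affected_min"]), parse_version(advisory["affected_max"])
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        if (comp["publisher"], comp["name"]) != (advisory["publisher"], advisory["name"]):
            continue
        if lo <= parse_version(comp["version"]) <= hi:
            hits.append(comp)
    return hits


def parse_telemetry(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, image, signed, dst = line.split(",")
            rows.append({"ts": ts, "host": host, "image": image,
                         "signed": signed == "true", "dst": dst})
    return rows


def build_baseline(rows: list[dict]) -> dict[str, set[str]]:
    """image -> destinations seen during the clean window."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        baseline[r["image"]].add(r["dst"])
    return baseline


def hunt(rows: list[dict], baseline: dict[str, set[str]], images: set[str]) -> list[dict]:
    """Flag a binary of interest reaching a destination absent from its baseline.
    The signature flag is deliberately not used to exclude events: a backdoored
    build carries a valid signature, so only behaviour can separate it."""
    return [{**r, "reason": "new destination for trusted binary"} for r in rows
            if r["image"] in images and r["dst"] not in baseline.get(r["image"], set())]


def run(sbom_json: str = SBOM_JSON, advisory: dict = ADVISORY) -> tuple[list[dict], list[dict]]:
    """Advisory -> affected inventory -> behavioural hunt; empty if nothing is affected."""
    hits = affected_components(sbom_json, advisory)
    if not hits:
        return [], []
    baseline = build_baseline(parse_telemetry(BASELINE_LOG))
    return hits, hunt(parse_telemetry(HUNT_LOG), baseline, {advisory["binary"]})


if __name__ == "__main__":
    affected, found = run()
    for c in affected:
        print("affected:", c["name"], c["version"])
    for f in found:
        print("hunt:", f["ts"], f["host"], f["image"], "->", f["dst"], "signed=%s" % f["signed"])
```

Note that both flagged events carry a valid signature and originate from the vendor's own binary; a destination-baseline deviation still catches them even when the C2 protocol is disguised as legitimate product traffic, which is exactly the blind spot the SUNBURST case exposed. In a real deployment the baseline would be built from EDR or DNS logs over a window known to predate the compromised release.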
Relation to Other CTI Frameworks
In MITRE ATT&CK, supply chain attacks map to the Initial Access technique Supply Chain Compromise (T1195), with the SolarWinds case falling under the sub-technique Compromise Software Supply Chain (T1195.002); the related Trusted Relationship technique (T1199) covers abuse of a third party's access to the victim rather than of the software that third party ships. They also strain the Cyber Kill Chain: delivery and exploitation still happen, but they take place inside the vendor's build and update process rather than against the victim's perimeter, so the "Delivery" and "Exploitation" phases as traditionally monitored are never observed by the victim.