3 Out of 5 Companies Affected by Software Supply Chain Attacks

By Nicholas Dolinger
Nicholas Dolinger
Nicholas Dolinger
Nicholas Dolinger is a business reporter for The Epoch Times and creator of "The Beautiful Toilet" podcast.
February 14, 2022 Updated: February 15, 2022

A new survey has revealed that three out of every five companies were victim to software supply chain attacks in 2021, marking a drastic rise in the prevalence of these attacks and sending cybersecurity into a scramble for solutions.

The survey, which was carried out by the software company Anchore, reported that 62 percent of organizations were impacted by supply chain attacks in the past year.

“In the simplest terms, a software supply chain attack occurs when a cybercriminal manipulates an organization’s software code to deliver malicious ‘payload’ to downstream applications and users,” explains Julie Preiss, chief marketing officer of the software company Appgate, in a statement to The Epoch Times. “They typically target small, less-secure companies that do business with larger companies (hence the term supply chain).”

Preiss continues, “The reasons these attacks are on the rise boil down to a few basic facts: more business is conducted online than ever before, creating a large and enticing attack surface; many organizations have inadequate cyber hygiene, resulting in vulnerabilities and misconfigurations in their software that can be easily exploited; and, a single successful hack can yield enormous potential beyond the original purpose making the pay-off very appealing.”

The Anchore survey, which collected data from Dec. 3 to Dec. 30 of last year, coincided with the discovery of a vulnerability in the ubiquitous Apache Log4 utility on Dec. 9. After the discovery of this vulnerability, reports of supply chain attacks jumped by 10 percent.

The results of the survey are reflective of a broader trend, which has seen a very fast rise in the prevalence of supply chain attacks. A recent analysis by the security firm Sonatype record 12,000 incidents in 2021, constituting a 650 percent increase in the prevalence of supply chain attacks.

“Supply chain attacks are becoming increasingly more common and hard to defend against. We’ve seen this with multiple attacks over the last 12 months and it is becoming a very lucrative way for threat actors to make money or steal information,” says Bryan Hornung, CEO of the New Jersey-based cybersecurity firm Xact IT Solutions, in a statement to The Epoch Times.

Hornung is a proponent of the zero trust security framework, which requires all individuals both inside and outside of an organization to be authenticated and consistently validated for access to applications and data. In so doing, advocates of this strategy believe that they can efficiently eradicate many of the vulnerabilities that have become apparent in the past year.

The analysis of the Anchore survey emphasized another approach to fighting the rise of supply chain attacks: prioritizing better practices of software bill-of-materials (SBOM), referring to the list which catalogues all components in a given piece of software.

“Despite the foundational role of SBOMs in providing visibility into the software supply chain, fewer than a third of organizations are following SBOM best practices,” says the Anchore report. “In fact, only 18 percent of respondents have a complete SBOM for all applications.”

While the degree of supply chain software attacks in 2021 is unprecedented and drastic, the cybersecurity industry has kicked into high gear in response to such reports as those by Anchore and Sonatype. The industry is offering a multiplicity of approaches to combat the problem, and the current year will likely serve as a testing ground for these new strategies, as different companies compete to ensure the security of individuals and networks in an increasingly digital economy.

Nicholas Dolinger is a business reporter for The Epoch Times and creator of "The Beautiful Toilet" podcast.