Over 60 percent of organizations across the globe say they have been impacted by a software supply chain attack in the last year, according to a new survey by software supply chain management platform, Anchore.
Software supply chain attacks are an emerging kind of cyberattack in which hackers target a business’s network via trusted third-party vendors, suppliers or through the supply chain.
The Anchore 2022 Software Supply Chain Security Report released this week is based on survey responses from 428 leaders and executives in IT, security, and DevOps and reveals some of the security challenges facing the software supply chain.
Respondents were surveyed from Dec. 3 to Dec. 22, 2021, across North America, the United Kingdom, and other European countries.
According to the survey, 62 percent of respondents said they were impacted by at least one software supply chain attack during 2021, with 6 percent of respondents stating that the attacks had a “significant impact,” and 25 percent indicating the attack had a “moderate impact.”
Just 38 percent of companies reported that this type of attack did not impact them in 2021.
“The lingering effects of SUNBURST (SolarWinds) remain at the top of the attack list with the largest impact on respondents at 32 percent,” Anchore said.
The FBI launched an investigation into the hack of SolarWinds technology, which is used by all five branches of the U.S. military and numerous government agencies, and caused a breach of government systems while leaving companies exposed in December 2020. Nobelium, the group widely believed to be behind the attack is Nobelium is thought to have links to the Russian intelligence service.
“Last year started with the fallout of the SolarWinds SUNBURST attack and ended with multiple exploits against the Log4j zero-day vulnerability, highlighting the critical importance of securing the software supply chain,” Anchore said. “While this survey was largely conducted prior to the publishing of the Log4j vulnerability, almost two-thirds of respondents reported impacts from attacks in the prior 12 months. As a result, organizations are prioritizing software supply chain security with over half of respondents citing it as a significant or top area of focus.”
Log4j is an open-source logging library used globally across software applications and online services. In December 2021, security researchers found a flaw in the code that leaves internet users and service providers exposed to hackers.
Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the most serious vulnerability she’s seen in her career and urged businesses to better protect themselves against the vulnerability.
Perhaps the most concerning findings of the survey show that organizations were more likely to report significant or moderate impacts from supply chain attacks after Dec. 10, 2021, meaning such attacks were gaining momentum as we headed into 2022.
However, Anchore notes that this is indicative that Log4j “significantly widened the number of companies that experienced major supply chain attacks in 2021.”
Of all the organizations surveyed, those within the tech sector remain the most affected by supply chain attacks, according to Anchore. A total of 15 percent of tech companies were more significantly impacted by these attacks compared with 3 percent of other industries.
Anchore recommends that organizations implement new supply chain security protocols and tools that address potential attacks, noting that “software supply chain management must become a new practice for every organization that uses or builds software.”