The supply chain has become one of the most popular vectors for attackers looking to compromise an enterprise-scale company. Vendors often have access to the company’s sensitive data, or have enough access to their network to provide an opening that allows for privilege escalation. European aerospace company Airbus has found itself on the receiving end of a particularly large coordinated attack on its vendors over the past 12 months. With evidence pointing to a nation-state attacker, this case demonstrates why it is necessary for smaller companies to take supply chain cyber security just as seriously as their larger partners.
The Airbus attacks: Four breach attempts on vendors since late 2018
Given that the company has military contracts throughout the world, including the provision of transport and combat planes to many of Europe’s largest military powers, Airbus is a natural high-value target for nation-state espionage.
It is still unclear exactly who is behind these attacks on Airbus suppliers (as is so often the case with these things), but they have been linked to the Chinese state intelligence services based on the specific technical documents that the hackers targeted.
Agence France-Presse (AFP) reports that four vendors were targeted in separate attacks over the previous year: engine manufacturer Rolls-Royce, technology consultant Expleo, and two other contractors that were not publicly identified.
Airbus has only publicly admitted to one attack that resulted in unauthorized access to data. AFP cited security professionals with direct knowledge of the attacks for the remaining information. Airbus has issued a public statement indicating that supply chain cyber security defenses have been hardened against vendor vulnerabilities.
One of the sources claimed that the compromise of Expleo was discovered early this year, but that the company had been breached long before that. Expleo shared a virtual private network (VPN) with Airbus that the hackers were able to gain access to. Rolls-Royce was compromised by the same hacking group at some point after Expleo was.
Though there is a lack of hard evidence at this point, the cyber security sources believed that Chinese intelligence was involved due to the focus on stealing documents related to the engine and propulsion systems of military transport planes and passenger jets. China has been working on a mid-range airliner and a long-range jet for some time, but has struggled with research and development of engine systems. The methods used and goals closely fit the known patterns of APT10, the group of Chinese hackers that went on a tear of attacking managed service providers for major companies with strategic importance to global governments last year.
Supply chain cyber security lessons from the Airbus attacks
One of the most interesting items in this report was the news that a VPN may have been breached. That’s obviously a very worrying development for any company, but particularly for a defense contractor.
VPNs are supposed to be an enhanced security step implemented specifically to prevent breaches – when one fails it’s a pretty big deal. How could this have happened? The most likely answer is that the encryption key was stolen. It’s also possible that a trusted username/password combination was phished from an employee somewhere outside of the VPN, perhaps from a personal account. Of course, it’s also possible to crack the encryption – something beyond the reach of the average hacker, but perhaps not beyond the reach of the resources of a major nation-state.
What lessons should companies take from these major attacks on Airbus? VPNs are still a powerful privacy and security tool, but not an infallible one. In some cases, breaches may not even be their fault – APT groups have been known to develop exploits for particular VPNs in private, and they are sometimes unknown to the rest of the world until they are deployed successfully in a cyber attack.
Certain companies considered to be “vital operators” by their governments are subject to special cyber security regulations, but these regulations do not necessarily extend to their vendors.
Unfortunately, the process of obtaining contracts in many countries often forces companies to select the lowest reasonable bidder in order to win. Guess what aspect of operations often gets its budget slashed because it is seen as “unnecessary?” Companies often underestimate the importance of supply chain cyber security spending until a breach of critical infrastructure hits and the cleanup bill comes due.
Compliance monitoring of vendors is also a complex issue for an enterprise-scale defense contractor. For example, Airbus has tens of thousands of suppliers located all over the world. Ongoing compliance checks for such a sprawling network of vendors is a virtual impossibility. The solution to this particular problem usually has to come from government regulation of contractors; not only setting supply chain cyber security standards, but in some cases requiring smaller vendors to use only paper records or to do all of their work on the primary contractor’s secure system.
Proper supply chain cyber security is simply a cost of doing business for even smaller vendors. Their larger partners are becoming increasingly likely to have rigorous terms and regular audits laid out in their contracts. Even if they don’t, any vendor that leaves supply chain cyber security unattended due to budget or lack of awareness is gambling. The stakes are their reputation as a trusted partner, fines and potentially even damages from a lawsuit. Smaller vendors must understand that though they themselves may not possess the really juicy information that hackers are after, hackers are scrutinizing them as a vulnerable initial opening to get into the partner network.
Enterprise-scale companies that work with many vendors need to understand what it is that hackers will test the supply chain cyber security for: access and shared sensitive information. Both should be limited to absolute necessities. Enterprise companies must also resist the temptation to downgrade their security to make it easier for multiple vendors to access their systems. The costs of data breaches always need to be calculated and weighed against the costs of simply getting the security right in the first place.