FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Brian Thomas | February 21, 2020 | tag: Vendor Risk Management

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to infect upstream companies — particularly those in the energy sector — with the Kwampirs malware, a remote access trojan (RAT).

“Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,” said the alert.

The origins of Kwampirs

The Kwampirs malware, first identified by Symantec two years ago, was developed by a previously unknown attack group called “Orangeworm.”

Orangeworm differs from other headline-making bad actors in that it has been known to install the malware as part of larger supply chain attacks in order to get to its intended victims. In the past, these have included systematic attacks against healthcare and medical equipment manufacturers that serve the healthcare industry — a lucrative target for hackers who seek access to personal healthcare data or have other nefarious objectives.

“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” warned Symantec.

The growing cyber risk in the vendor ecosystem

As Orangeworm sets its sights on the energy sector, the FBI alert adds credence to a growing cybersecurity concern that many organizations overlook — that third, fourth, and even nth parties are one of the fastest-growing risks to their sensitive data. Bad actors are increasingly realizing that the easiest route into a company’s networks and systems is via its interconnected vendor ecosystem.

Indeed, a 2018 study by the Ponemon Institute found that 61% of U.S. companies have experienced a breach “caused by one of their vendors or third parties” — and that number is growing. More than 75% of organizations believe that third-party cybersecurity incidents are increasing.

A key contributing factor is the growing complexity of the third-party landscape. As companies increase their reliance on partners, sub-contractors, and suppliers (according to Gartner, 60% of organizations are now working with more than 1,000 third parties), it’s critical that they manage the risk that these vendors can pose to the business.

Responding to the Kwampirs threat

The threat from the Kwampirs malware strain is particularly perplexing since little is known about the Orangeworm group and its capabilities. This exemplifies the fact that cybersecurity teams really don’t know where the next attack is coming from — making it harder to defend their organizations. In this case, however, the threat is notable enough for the FBI to get involved and urge private industries to scan their networks for any signs of Kwampirs and report any infections.

But given that Orangeworm propagates its malware via third parties, organizations should also take steps to monitor and mitigate cyber risk across their supply chain. Companies must continuously monitor and identify new risks, such as the presence of the Kwampirs malware, but also have the ability to collaborate with their vendors to fix infections and other security issues quickly. They must also ensure that any vendor that stores, transmits, or collects critical data aligns its security controls with the organization’s risk tolerance and adheres to regulatory obligations.

As threats continually evolve — both in their techniques and their targets — organizations can’t afford to wait until the FBI steps in with another alert. By taking steps today to continuously monitor for third-party risk, businesses can greatly improve their ability to reduce cyber risk — wherever it may arise.
