FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to infect upstream companies — particularly those in the energy sector — with the Kwampirs malware, a remote access trojan (RAT).

“Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution," said the alert.

The origins of Kwampirs

The Kwampirs malware, first identified by Symantec two years ago, was developed by a previously unknown attack group called “Orangeworm.”

Orangeworm is unique from other headline-making bad actors because it has been known to install the malware as part of larger supply chain attacks in order to get to its intended victims. In the past, these have included systematic attacks against healthcare and medical equipment manufacturers that serve the healthcare industry — a lucrative target for hackers who seek access to personal healthcare data or have other nefarious objectives.

“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” warned Symantec.

The growing cyber risk in the vendor ecosystem

As Orangeworm sets its sights on the energy sector, the FBI alert adds credence to a growing cybersecurity concern that many organizations overlook — that third, fourth, and even nth parties are one of the fastest-growing risks to their sensitive data. Bad actors are increasingly realizing that the easiest route into a company’s networks and systems is via its interconnected vendor ecosystem.

Indeed, a 2018 study by the Ponemon Institute found that 61% of U.S. companies have experienced a breach “caused by one of their vendors or third parties” — and that number is growing. More than 75% of organizations believe that third-party cybersecurity incidents are increasing.

A key contributing factor is the growing complexity of the third-party landscape. As companies increase their reliance on partners, sub-contractors, and suppliers (according to Gartner, 60% of organizations are now working with more than 1,000 third-parties), it’s critical that they manage the risk that these vendors can pose to the business.

Responding to the Kwampirs threat

The threat from the Kwampirs malware strain is particularly perplexing since little is known about the Orangeware group and their capabilities. This exemplifies the fact that cybersecurity teams really don’t know where the next attack is coming from — making it harder to defend their organizations. In this case, the threat is notable enough, however, for the FBI to get involved and urge private industries to scan their networks for any signs of Kwampirs and report any infections.

But given that Orangeware propagates its malware via third parties, organizations should also take steps to monitor and mitigate cyber risk across their supply chain. Companies must continuously monitor and identify new risks, such as the presence of the Kwampirs malware, but also have the ability to collaborate with their vendors to fix infections and other security issues quickly. They must also ensure that any vendor that stores, transmits, or collects critical data aligns their security controls with the organization’s risk tolerance and adheres to regulatory obligations.

As threats continually evolve — both in their techniques and their targets — organizations can’t afford to wait until the FBI steps in with another alert. By taking steps today to continuously monitor for third-party risk, businesses can greatly improve their ability to reduce cyber risk — wherever it may arise.