Supply chains have been in the news a lot this decade. Increased globalisation, outsourcing, just-in-time logistics, and disruptions caused by weather, pandemics, and geopolitics have made us more aware of global interconnectedness. Recently it has been oil and gas supply disruptions in the Middle East. And who can forget the COVID-driven supply chain snafus.
Tech supply chains are interconnected and complex too: modern tech environments use a myriad of software, assembling pieces from different providers to turn components into applications, and applications into systems. Cars are assembled in much the same way, from components made by different suppliers.
This approach has accelerated technological advances, but it has also created supply chains that hackers can use to penetrate your business.
A sophisticated but textbook example
Recently a ubiquitous but small component of tech 'plumbing' that helps applications communicate over the internet was compromised. On 31 March, attackers hijacked the account of a lead developer for Axios, which is open-source software that has an estimated 100 million downloads each week. The hackers published two compromised versions of the software. Any system that downloaded either version during the next three hours installed a remote access trojan silently. It is a sophisticated but textbook example of a supply chain attack: a routine software update from a trusted source moved through the standard channels.
Rather than targeting your business directly, a hacker compromises something you rely on and takes advantage of your implied trust. The vehicle might be a widely used software library or a routine software update.
The Axios attack is the latest in a catalogue of supply chain attacks which includes SolarWinds (a 2020 attack that pushed a malicious update to roughly 18,000 customers, of which around 100 were actively exploited). The CrowdStrike disruption in 2024 that delayed flights, disrupted retail and much more was caused by a bad security update. It was an 'own goal' supply chain disruption rather than a malicious attack.
Supply chain attacks in the age of AI
Recently, Anthropic announced Claude Mythos, its newest AI model. Anthropic claims it is especially good at hunting for software security vulnerabilities. In its early testing it discovered thousands of zero-days in major open-source projects including widely used software. Such is its ability to discover software vulnerabilities, Anthropic has elected to grant preview access to a select few companies (Google, Microsoft, Nvidia et al) so they can fix their vulnerabilities before the hackers get a chance to run at them. Not everyone is convinced that this model's capabilities are as novel as claimed, but it does point the direction in which we're headed. It is certainly excellent marketing (Claude prompt: Prepare me a viral marketing plan. No mistakes.). And not one to be left behind, OpenAI has followed suit.
Marketing aside, AI is disrupting cyber security. It's making it easier to unearth vulnerabilities. It's also making it easier to check that your software code is secure. And cyber-security defences now rely on AI to detect anomalies such as malware.
Protecting yourself from your supply chain
A good cybersecurity program is multi-faceted. It uses a zero-trust architecture, the principle of least privileged access, active defences, and assumes that, at some point, you'll be breached and so your resilience plans are practised.
To protect against supply chain attacks specifically:
- Do you know what is inside the software you build and buy? Every critical application, whether developed in-house or procured, should have a Software Bill of Materials. Without one, you cannot answer the first question when the next Axios lands: which of our systems use this?
- How is new software vetted before it enters your environment? For procured software, this is vendor due diligence. For software your developers pull in as dependencies, this is automated supply chain scanning and a holding period before new releases are adopted.
- When did you last rehearse your cyber security response? Regular rehearsal builds muscles and muscle memory. There's little time and much confusion in a real incident.
The next Axios is already being written, almost certainly with the help of AI. The work is to be ready for it.