ATTu0026CK T1195 / T1554 / T1072 - Supply Chain Compromise

SUPPLY CHAIN COMPROMISE Third-Party Vendor Infiltration & Credential Weaponization

Supply chain attacks target trusted vendors, software providers, and managed services to inject malicious code or steal credentials - using the victim's own trusted relationships as the attack vector into their systems.

NATION-STATE CLASS - WIDEST BLAST RADIUS OF ANY ATTACK TYPE
Victims per Attack
18,000+
SolarWinds SUNBURST compromised 18,000 organizations from a single trojanized update
Attack Detection Time
287 days
Average dwell time before supply chain compromises are discovered - 3ร— longer than direct attacks
Attack Surface
ร—1000
A single compromised vendor can multiply an attacker's reach to all of that vendor's customers instantly
Average Cost
$4.76M
Average cost of a supply chain compromise - 26% higher than the average data breach cost
01

Trust Chain Anatomy

The Compromised Trust Chain - hover each node
Attacker
Nation-state / Criminal org
ORIGIN
Software Vendor / MSP
SolarWinds, Kaseya, Codecov
ENTRY POINT
Build / Update Pipeline
CI/CD, code signing, package registry
WEAPONIZED
Trojanized Update / Package
Signed, trusted, auto-deployed
DELIVERED
Victim Organization
18,000+ downstream customers
COMPROMISED
Credentials & Data Exfiltrated
AD, cloud tokens, source code, PII
MISSION COMPLETE
Notable Supply Chain Attack
CASE STUDY - SUNBURST 2020
SolarWinds Orion Attack
Russian SVR (APT29/Cozy Bear) compromised SolarWinds' build system and injected the SUNBURST backdoor into Orion software updates. Every customer that auto-updated received a signed, legitimate-looking trojan. The malware lay dormant for 12โ€“14 days before activating, evading behavior-based detection.
Victims: 18,000+
Dwell time: 9 months
Inc. US Treasury, DoD, Microsoft
โšก
WHY SUPPLY CHAIN?
Vendors have trusted, often privileged access to customer environments. Compromising one vendor grants silent, authenticated access to thousands of customers simultaneously - bypassing all perimeter defenses.
๐ŸŽฏ
TARGET SELECTION
Attackers seek vendors with: broad customer base, deep system access (endpoint agents, network monitoring, IAM tools), auto-update mechanisms, and trusted code signing certificates.
๐Ÿ”
CREDENTIAL ANGLE
Stolen vendor credentials enable direct API access, SSO abuse, and lateral movement as trusted service accounts - often with elevated permissions that bypass MFA requirements.
02

Attack Flow Diagram

๐Ÿ•ต๏ธ THREAT ACTOR APT / Nation-State COMPROMISE ๐Ÿข VENDOR/MSP Build system access Dev credentials stolen INJECT โš™๏ธ CI/CD PIPELINE Malicious code injected Signed with valid cert UPDATE ๐Ÿ“ฆ TROJANIZED PKG Signed โœ“ Trusted โœ“ Auto-deployed โœ“ BACKDOOR INSIDE MASS DEPLOY ๐Ÿฆ GOV / FINANCE 18,000+ orgs ๐Ÿ”ฌ TECH / DEFENSE Critical infra ๐Ÿฅ HEALTH / ENERGY Supply chain echo ๐Ÿ’€ DATA/CREDS EXFILTRATED โ‘  ACTOR โ‘ก VENDOR โ‘ข PIPELINE โ‘ฃ TROJAN PKG โ‘ค 18K+ VICTIMS โ‘ฅ EXFIL SUPPLY CHAIN COMPROMISE - FULL KILL CHAIN
03

Step-By-Step Walkthrough

Phase 01 - Target Selection & Intelligence

VENDOR RECONNAISSANCE

๐ŸŽฏ
ATTACK OBJECTIVE
IDENTIFY HIGH-VALUE VENDORS

Attackers map the target organization's trusted vendor ecosystem before striking. The ideal vendor has wide deployment, deep system access, automated update mechanisms, and weaker security than the ultimate target.

  • Enumerate vendors via target job postings, LinkedIn tech stack listings, and procurement records
  • OSINT on vendor partnerships: SEC filings, press releases, conference talks
  • Shodan/Censys scan vendor infrastructure for exposed admin panels, VPNs, CI/CD portals
  • Identify software with endpoint agents, network monitoring, or IAM integrations as prime targets
  • Assess vendor's security posture - smaller vendors often have weaker defenses than the target
attacker - vendor mapping
# Map target's vendor ecosystem
$ shodan search "SolarWinds Orion" country:US
Results: 28,491 exposed instances
Orion platform admin panels: 4,832
 
$ grep "solarwinds.com" vendor_emails.txt
Found: 14 developer email addresses
 
# Check exposed build infrastructure
$ nuclei -t jenkins-unauth.yaml -u solarwinds.com
[jenkins-unauth] solarwinds.com:8080 [VULNERABLE]
[+] Jenkins build server - unauthenticated access
[+] Orion build pipeline discovered โœ“
Phase 02 - Initial Vendor Compromise

CREDENTIAL COMPROMISE

๐Ÿ”‘
TARGET
VENDOR DEVELOPER ACCOUNTS

The attacker compromises the vendor's internal credentials - developer accounts, CI/CD service tokens, or code signing keys. This grants the access needed to inject malicious code into the legitimate software build process.

  • Spear phishing targeting vendor developers with IT-themed lures (VPN reset, license renewal)
  • Credential stuffing vendor staff emails against GitHub, Jira, Jenkins, Azure DevOps
  • Stolen developer tokens from public GitHub repos, paste sites, or dark web markets
  • Exploit VPN/RDP vulnerability for direct network access to build infrastructure
  • Compromise a third-party library vendor to poison the vendor's own dependencies (nested attack)
spear phish โ†’ developer account
# Phishing email targeting vendor dev
# Subject: "Urgent: Azure DevOps token expiry"
 
# Victim enters creds on spoofed portal
[C2] Credentials captured:
User: dev@solarwinds.com
Pass: Solarw!nds2023
MFA: OTP relayed in real-time
 
# Login to Azure DevOps as developer
$ az devops login --org solarwinds.visualstudio.com
[+] Authenticated as b.smith
[+] Orion Platform repo: READ/WRITE โœ“
Phase 03 - Build System Infiltration

CI/CD PIPELINE INJECTION

โš™๏ธ
INJECTED INTO
LEGITIMATE BUILD PIPELINE

With developer credentials, the attacker modifies source code or build scripts in the CI/CD pipeline. The malicious modification is carefully crafted to appear benign, evade code review, and survive automated security scanning.

  • Inject backdoor into source code as an obfuscated "update" to an existing utility file
  • Modify build scripts (Makefile, Dockerfile, GitHub Actions workflow) to pull malicious dependency
  • Steganographic obfuscation: encode payload as seemingly legitimate configuration strings
  • Dormancy trigger: code only activates 12โ€“14 days after deployment, evading sandbox analysis
  • SUNBURST technique: payload in SolarWinds.Orion.Core.BusinessLayer.dll as partial class
git commit - malicious injection
# Attacker modifies legitimate source file
$ git checkout -b "fix/telemetry-update-3428"
 
# Injected into OrionImprovementBusinessLayer.cs
partial class OrionImprovementBusinessLayer
{
static void Initialize() {
// SUNBURST backdoor hidden here
if (IsNetworkAvailable()) BeaconC2();
}
 
$ git commit -m "Fix telemetry collection edge case"
$ git push origin fix/telemetry-update-3428
[+] PR auto-approved - merged to main โœ“
Phase 04 - Malicious Package Creation

TROJANIZING THE UPDATE

๐Ÿ“ฆ
OUTPUT
SIGNED, TRUSTED UPDATE PACKAGE

The build pipeline compiles the backdoored source into a signed software update. Because the build process is legitimate and uses the vendor's own code signing certificate, the package appears completely authentic - passing every integrity check.

  • Build system compiles backdoored code into official release binary (DLL, MSI, NPM package)
  • Vendor's HSM-protected code signing certificate signs the malicious binary - it's cryptographically valid
  • Update passes vendor's own QA/testing pipeline (backdoor is dormant during testing window)
  • Package published to vendor's CDN alongside legitimate version history
  • SHA256 hashes published - match the malicious binary, fooling integrity verification tools
build output - trojanized release
# Build pipeline output - looks legitimate
$ Get-AuthenticodeSignature .Orion-Core-2020.2.dll
 
SignerCertificate : Solarwinds Worldwide, LLC
Status : Valid
StatusMessage : Signature verified
SignatureType : Authenticode
 
# Hash published on vendor update server
SHA256: 32519b85c0b422e4656...
File: Orion-Core-2020.2.5030.dll
Note: Backdoor SUNBURST embedded โ†‘
[+] Ready for distribution to 18,000+ customers
Phase 05 - Propagation

MASS DEPLOYMENT

๐ŸŒ
SCALE
18,000+ ORGS AUTO-UPDATED

Victim organizations automatically pull and install the trojanized update through their normal patch management processes. Security teams often explicitly whitelist vendor updates - the very mechanism designed to keep systems safe becomes the attack vector.

  • Customers' auto-update mechanisms pull the signed package from vendor CDN
  • SIEM and AV solutions are often configured to trust digitally signed vendor software
  • Backdoor observes a dormancy period (12โ€“14 days) before activating - passes sandbox testing
  • Activation checks: ensure it's not running in a VM or sandbox (anti-analysis evasion)
  • C2 communication disguised as legitimate Orion telemetry traffic - blends with normal behavior
victim org - auto-update log
# Victim org - automatic update running
[2020-03-26] Orion update check...
[2020-03-26] New version: 2020.2.5030
[2020-03-26] Signature: VALID (SolarWinds)
[2020-03-26] Update installed successfully
 
# Backdoor dormancy period - 14 days
[2020-04-09] SUNBURST: checking environment...
[2020-04-09] No VM/sandbox detected
[2020-04-09] Domain joined: corp.gov โœ“
[2020-04-09] Beacon to C2: avsvmcloud.com
[2020-04-09] C2 connected - awaiting commands
Phase 06 - Post-Exploitation

ESTABLISHING C2

๐Ÿ“ก
STATUS
STEALTHY FOOTHOLD - MONTHS UNDETECTED

With C2 established inside thousands of organizations, attackers selectively activate only high-value targets to avoid detection. Communication mimics legitimate vendor traffic, blending into expected network behavior while the attacker conducts careful reconnaissance.

  • DNS-based C2: SUNBURST used subdomain queries to avsvmcloud[.]com to encode victim data and receive commands
  • Selective activation - only targets of intelligence value receive active commands (avoids noise)
  • TEARDROP/RAINDROP second-stage malware deployed to highest-priority victims via C2
  • Credential harvesting: dump AD, steal SAML tokens, harvest cloud provider credentials
  • Lateral movement via stolen tokens enables access to email, cloud storage, classified systems
SUNBURST C2 - DNS beaconing
# C2 channel via DNS - encoded victim info
$ tcpdump -i eth0 port 53
 
Query: r1qjt7sbptam1fg.appsync-api.us-east-2.avsvmcloud.com
โ†‘ victim domain hash + unique GUID encoded in subdomain
 
Response: 184.72.136.1 โ† C2 IP issued
โ†‘ attacker sends commands via DNS TTL/CNAME values
 
[C2] Target classified as high-priority
[C2] Deploy TEARDROP - memory-only loader
[C2] Begin credential harvest: Active Directory
Phase 07 - Objectives Achieved

EXFILTRATION & PERSISTENCE

๐Ÿ’€
IMPACT
NATION-STATE DATA EXFILTRATION

At high-value targets, attackers extract credentials, source code, classified documents, and internal communications. Forged SAML tokens allow persistent authentication as any user - even after passwords are changed, the attacker remains inside.

  • SAML token forgery - steal ADFS signing certificate to impersonate any user indefinitely
  • Email exfiltration: US Treasury, DoJ, DHS email read for months via Microsoft 365
  • Source code theft: Microsoft, Intel, Cisco internal code repositories exfiltrated
  • Golden SAML attack: forge authentication tokens that remain valid even after password resets
  • Persistence: attacker maintains access even after SUNBURST discovered and patched
golden SAML - persistent access
# Steal ADFS token signing certificate
$ ADFSDump.exe /output:adfs_certs.json
[+] DKM key decrypted from AD
[+] Token signing cert: CORP-ADFS.pfx
 
# Forge SAML assertion as any user
$ ADFSpoof.py --cert CORP-ADFS.pfx
--user Administrator --target o365
[+] SAML token forged - signed with real cert
[+] Auth to Microsoft 365 as Global Admin
[!] Access persists even after Orion removed
[!] Entire M365 tenant COMPROMISED โœ“
STEP 1 OF 7
04

Notable Real-World Cases

2020 - SOFTWARE UPDATE
SolarWinds SUNBURST
Vendor: SolarWinds Orion
Russian SVR injected SUNBURST backdoor into Orion build pipeline. Auto-updates delivered signed malware to 18,000 customers including US Treasury, DoD, and Microsoft.
Victims: 18,000+ ยท Dwell: 9 months ยท Actor: APT29
2021 - MSP PLATFORM
Kaseya VSA
Vendor: Kaseya Remote Monitoring
REvil ransomware exploited zero-day in Kaseya VSA (used by MSPs) to push ransomware to 1,500+ downstream SMBs through their own trusted management agents. $70M ransom demanded.
Victims: 1,500+ SMBs ยท Ransom: $70M ยท Actor: REvil
2021 - CI/CD PIPELINE
Codecov Bash Uploader
Vendor: Codecov Code Coverage
Attackers modified Codecov's bash uploader script to exfiltrate environment variables (CI/CD secrets, API tokens) from thousands of developers' pipelines including Twilio, Hashicorp, and Rapid7.
Exposed: CI/CD secrets ยท Duration: 2 months ยท Victims: 29,000+ orgs
2020 - NPM PACKAGE
event-stream Backdoor
Vendor: npm ecosystem
Malicious contributor gained NPM publish rights to event-stream (2M weekly downloads) and injected code targeting Copay bitcoin wallet users - a nested dependency attack affecting apps indirectly.
Downloads: 2M/week ยท Target: Bitcoin wallets
2022 - 3CX VOIP
3CX Desktop App
Vendor: 3CX Communications
North Korean Lazarus Group trojanized 3CX's desktop app - itself a supply chain victim: 3CX had installed a malicious version of Trading Technologies X_Trader, demonstrating a supply-chain-within-supply-chain attack.
Users: 600,000 companies ยท Chain depth: 2 levels deep
2024 - OPEN SOURCE
XZ Utils Backdoor
Vendor: xz/liblzma library
A sophisticated multi-year social engineering campaign gained commit access to xz-utils, embedding a backdoor targeting SSH authentication via systemd-linked liblzma. Caught just before widespread Linux distro inclusion.
Target: SSH on major Linux distros ยท Prep: 2+ years
05

Defensive Countermeasures

๐Ÿ“‹
Vendor Risk Management Program
Mandatory security assessments for all vendors with system access. Tiered risk classification based on access level. Contractual security requirements including SOC2 Type II, pen test results, and incident notification SLAs.
๐Ÿ”
Software Bill of Materials (SBOM)
Require vendors to provide an SBOM for all software components. Enables rapid impact assessment when a dependency is compromised. NTIA and EO 14028 mandate SBOMs for federal software supply chain security.
๐Ÿ—๏ธ
Secure Build Pipeline Requirements
Require vendors to implement SLSA (Supply-chain Levels for Software Artifacts) framework. Mandate reproducible builds, signed build provenance, two-person code review, and HSM-protected signing keys.
๐Ÿ”ฌ
Update Sandboxing & Staging
Never auto-apply vendor updates directly to production. Stage updates in an isolated test environment with behavioral analysis for a minimum of 14+ days - accounting for dormancy triggers like SUNBURST's 12-day delay.
๐ŸŒ
Network Segmentation & Vendor Isolation
Place vendor software in isolated network segments with restricted outbound connectivity. Orion-style monitoring tools should never have unrestricted internet access. Proxy all vendor traffic through inspection gateways.
๐ŸŽซ
SAML / Token Integrity Monitoring
Monitor for anomalous SAML assertions and impossible-travel token usage. Protect ADFS signing certificates in HSMs. Alert on certificate exports. Implement Conditional Access policies that challenge even valid SAML tokens.
๐Ÿ”
DNS & Network Anomaly Detection
Monitor for DNS-based C2 patterns: high-entropy subdomain queries, unusual CNAME chains, beaconing intervals. SUNBURST was eventually identified partly through anomalous DNS traffic to avsvmcloud.com.
โšก
Zero Trust Architecture
Assume vendor software is compromised. Enforce least-privilege for all vendor agents, require continuous authentication, and microsegment access. A ZTA-compliant environment limits blast radius even when a signed update is malicious.