
Software supply chain attacks – everything you need to know

PA Consulting’s head of cybersecurity, Elliot Rose, discusses the SolarWinds breach and how organisations must tighten their security to avoid software supply chain attacks.

The article discusses how, in December 2020, with much of the world distracted by a Covid-19 resurgence and the aftermath of the US presidential election, security researchers were busy tracking a new malware campaign – UNC2452 – which had grave implications for cybersecurity in the western world.

Subsequently linked with Russian state-sponsored cybercrime gang APT29 (or Cozy Bear), the attack ‘trojanized’ software updates to Orion, an IT monitoring and management application from SolarWinds.

Within days, dozens of global businesses and government departments were reporting Sunburst infections, including Microsoft and the US Department of Homeland Security.

The world had just witnessed its largest ever software supply chain attack.

What is a software supply chain attack?

A software supply chain attack happens when hackers manipulate the code in third-party software components in order to compromise the ‘downstream’ applications that use them.

Attackers leverage compromised software to steal data, corrupt targeted systems, or to gain access to other parts of the victim’s network through lateral movement.

Can you prevent or mitigate supply chain attacks?

At the technical level, increasing security awareness among DevOps teams is the first and – many experts argue – most critical step.

Teams need to incorporate security into the entire development process, have a comprehensive map of the dependencies used by their applications, be alert to vulnerability disclosures, and have a robust system for patching security bugs.
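As an added illustration of the dependency-mapping and disclosure-tracking practice described above (this is example code, not from the original article or from PA Consulting), the script below parses a pinned Python requirements file into a dependency map, compares each pin against an advisory feed, and flags two things a patching process needs to know: pins that fall inside a published affected range, and dependencies left unpinned, which cannot be mapped to a specific version at all. The requirements content, the package versions and the advisory identifiers are all constructed for the example; the advisory feed format (package, introduced version, fixed version) is an assumption.

```python
import re

# Constructed sample requirements.txt (not from any real project).
REQUIREMENTS = """\
# constructed requirements.txt
requests==2.25.0
pyyaml>=5.1
cryptography==3.2
flask==2.0.3   # web front end
"""

# Constructed advisory feed with placeholder IDs; an affected range is
# [introduced, fixed). The record shape is an assumption for this example.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.26.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "cryptography", "introduced": "0.0.0", "fixed": "3.3"},
    {"id": "EXAMPLE-ADV-0003", "package": "flask", "introduced": "0.0.0", "fixed": "2.0.0"},
]

# One requirement line: a package name, optionally followed by an operator and a version.
_LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.\-]+)\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)


def parse_version(text):
    """Turn '2.25.0' into (2, 25, 0) so versions compare numerically; non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def parse_requirements(text):
    """Build the dependency map: name -> (operator, version); operator is None when no constraint is given."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        match = _LINE_RE.match(line)
        if match:
            deps[match.group("name").lower()] = (match.group("op"), match.group("ver"))
    return deps


def affected(version, advisory):
    """True when the pinned version lies inside the advisory's [introduced, fixed) range."""
    pinned = parse_version(version)
    return parse_version(advisory["introduced"]) <= pinned < parse_version(advisory["fixed"])


def check_dependencies(requirements_text, advisories):
    """Return one finding per dependency: 'vulnerable' (with advisory id and fixed version), 'unpinned' or 'ok'."""
    findings = []
    for name, (op, ver) in parse_requirements(requirements_text).items():
        # Anything other than an exact pin cannot be mapped to a single version,
        # so it cannot be checked against a disclosure or reproduced at build time.
        if op != "==" or ver is None:
            findings.append({"package": name, "status": "unpinned", "advisory": None})
            continue
        hit = next((a for a in advisories if a["package"].lower() == name and affected(ver, a)), None)
        if hit:
            findings.append({"package": name, "status": "vulnerable", "advisory": hit["id"], "fixed": hit["fixed"]})
        else:
            findings.append({"package": name, "status": "ok", "advisory": None})
    return findings


if __name__ == "__main__":
    for finding in check_dependencies(REQUIREMENTS, ADVISORIES):
        print(finding)
```

Run as-is it reports the two vulnerable pins with the version that fixes each, marks `pyyaml` as unpinned, and passes `flask`; in a real pipeline the advisory list would come from a vulnerability feed and the check would run on every build so a new disclosure surfaces immediately rather than at the next manual review.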

Organizations should also tighten up their software acquisition strategies. IT departments, which often rely on questionnaires and vendor self-certification to perform due diligence, should also consider audits, source code reviews and penetration testing – more robust, if costlier, alternatives.

More organizations should follow this lead, suggests Elliot: “Many organisations recognize that they need to put in place continuous monitoring and assessment of critical third parties.”

“This is not easy but is increasingly necessary, and there are new tools and approaches available to ease the burden.”

Read the full article in The Daily Swig
