Cyberattacks highlight risks to physical and digital supply chains
A string of recent cyberattacks and data leaks, including those targeting a supplier for Toyota Motors, major chipmaker NVIDIA, and international electronics giant Samsung, are putting renewed focus on cybersecurity vulnerabilities in the physical and digital supply chains relied on around the world.
News of the incidents hit as tensions in cyberspace remain heightened amid the Russian invasion of Ukraine and global supply chains remain strained by the ongoing Covid-19 pandemic.
Toyota Motors suspended operations of 28 lines across 14 plants in Japan for a day last week after a cyberattack on supplier Kojima Industries, which also affected the production of Hino Motors Ltd. and Daihatsu Motor Co, as reported by Bloomberg.
In late February, NVIDIA, one of America’s largest makers of microchips and graphics cards also suffered a cyberattack that took parts of its facilities offline for two days, The Telegraph reported.
“On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources,” a NVIDIA spokesperson said in an emailed statement to The Record. “Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.”
Parts of the information now publicly available due to the attack includes drivers for NVIDIA’s graphics cards and two of NVIDIA’s code-signing certificates used to verify software as genuine, Bleeping Computer reported. Although the apparent leaked certificates are expired, security researchers quickly found evidence that cyberattackers were attempting to use them to bypass computer security by making malware appear to be legitimate NVIDIA programs.
The LAPSUS$ ransomware gang reportedly claimed responsibility for the attack on NVIDIA and demanded that NVIDIA remove mining hashrate limiters from its RTX-3000-series graphics card. Hashrate limiters reduce the crypto-mining performance of computers. Due to the pandemic and other socioeconomic factors, demand for microchips and graphics cards have far exceeded supply. To mitigate the shortage, NVIDIA introduced hashrate limiters on some graphic cards to serve their gaming population.
According to the NVIDIA spokesperson, there is no evidence of ransomware in NVIDIA’s environment or that the attack is related to the Russia-Ukraine conflict.
“However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online,” the spokesperson said, adding that their team was working to analyze what was released and does not expect it to disrupt their ability to conduct business.
Samsung this week also confirmed a cybersecurity breach in a statement to Bloomberg after reports of LAPSUS$’s claims of leaked roughly 190GB of data.
In statements to Bloomberg the company did not confirm the perpetrators of the attack or the presence of ransomware, but confirmed that the stolen data contained source codes for Samsung Galaxy devices and data on it’s chip supplier Qualcomm, although no employee data was stolen. Samsung did not immediately reply to The Record’s request for comment.
Samsung says the attack poses no threat to its phones or their users, but some experts have expressed concerns that threat actors could study the codes to reveal vulnerabilities which can then be exploited on a large scale — much as threat actors appeared to attempt with the NVIDIA certificates.
These are forms of supply chain cyberattacks — attacks that target weak links in software systems and use them to access bigger, more secure, and more established companies or targets.
Targeting digital supply chains
The risk and physical world impact of such attacks has only increased as the world has become more connected and automated than ever before.
In 2018, an automated ASUS system update was infected with a trojan and used to infect an estimated 500,000 computers. Analysis released by Symantec the next year shows the event affected at least 13,000 systems, out of which 20% were corporate entities.
In 2019, suspected Russian state-sponsored hackers known as Nobelium compromised Solarwinds Orion — a Texas-based company that makes software relied on by thousands of private and public organizations, including the U.S. Justice Department, NASA, and Microsoft. According to analysts, the software compromise likely happened around September 2019 and was not discovered until December 2020, giving the attackers over a year of unfettered backdoor access during which they were able to slip malicious updates into software downloaded by the vendor’s customers.
Last year, the European Union Cybersecurity Agency (ENISA) reported that supply chain cyberattacks could increase fourfold before the year ends, posing one of the largest cybersecurity threats to the global economy.
Vulnerabilities in a popular open-source piece of code known as Log4j disclosed in December 2021 allowed hackers to target systems running the software with malicious code and take control of vulnerable devices, leaving many organizations exposed rushing to update systems with a fix.
Barium, a Chinese cyberespionage group notoriously known for supply chain attacks utilized this flaw in its attack of Animal Health Emergency Reporting Diagnostic System (USAHERDS), a digital tool used by state governments in the U.S. to track animal diseases in the country’s livestock population, according to a recent Wired report. The group then used its access to USAHERDS to breach the network of at least six state governments.
In 2021 physical supply chains were also disrupted as major companies including meat producer JBS USA and the Colonial Pipeline were targets of ransomware whose effects were felt across the global economy. JBS USA paid $11 million worth in ransom while Colonial Pipeline paid $4.4 million.
Toyota, like many other companies, has also dealt with physical supply chain issues due to the pandemic—including shortages that required the halting of five factories this January.
In an emailed response to questions from The Record, Hashimoto Shiori, a Toyota spokesperson said the company could not reveal specific steps being taken to address the event, but that the company has a guideline on information security” that it shares with approximately 1,300 suppliers.
“We have issued another reminder to all suppliers after this incident,” Shiori said, adding that the company will continue efforts to strengthen security measures. The attack also came after Japan pledged its support to Ukraine and imposed sanctions on Russia concerning the still ongoing invasion by Russia, raising suspicions of whether the attack was carried out by state-sponsored Russian hackers.
“We’ve heard that it is under study at Kojima Industries,” said Shiori, adding that there is no other information concerning the claim yet.
At the time of publication, Kojima Industry’s website appeared to remain down and the company could not be reached for comments.