Abstract
Supply chain attacks constitute one of the most sophisticated and highest-impact threats in the contemporary cybersecurity landscape. By compromising a trusted vendor, threat actors gain simultaneous access to hundreds or thousands of client organisations, bypassing traditional perimeter security controls. This article analyses the taxonomy of these attacks, examines recent emblematic cases, and argues that continuous visibility — through external and internal attack surface management combined with systematic vendor assessment — constitutes the first effective line of defence against this class of threat.
Introduction
The ENISA report on supply chain threats identified a 400 percent increase in this type of attack between 2020 and 2021, a trend that has persisted in subsequent years (ENISA, 2021). The strategic rationale is evident: rather than directly attacking a well-defended target organisation, the threat actor compromises a software vendor or managed service provider that already possesses privileged access to its clients’ networks. The software update distribution mechanism — designed to be automatic and trusted — thus transforms into an attack vector of extraordinary efficacy.
The SolarWinds Orion case, discovered in December 2020, exemplifies this dynamic: the insertion of malicious code into a legitimate update of the network monitoring platform enabled access to more than 18,000 organisations, including government agencies and Fortune 500 companies (Mandiant, 2024). Subsequently, the MOVEit Transfer attack in 2023 and the Kaseya VSA compromise in 2021 confirmed that this attack vector is not an isolated phenomenon but a structural trend.
In the European context, the DORA Regulation (Digital Operational Resilience Act) acknowledged this reality by imposing specific third-party risk management obligations on financial sector entities (European Parliament, 2022), signalling that supply chain oversight has transitioned from a best practice to a regulatory requirement.
Taxonomy of Supply Chain Attacks
The literature distinguishes four principal categories of supply chain attacks, each with distinct vectors and propagation mechanisms.
Software supply chain attacks involve the compromise of the source code, build process, or distribution mechanism of a software vendor. The SolarWinds case constitutes the paradigmatic example: malicious code was inserted during the compilation process, resulting in a digitally signed update distributed through the vendor’s official channels (Mandiant, 2024).
Managed service attacks exploit the privileged access that IT service providers maintain to their clients’ infrastructures. The Kaseya VSA compromise — a remote management platform used by managed service providers (MSPs) — enabled the distribution of ransomware to hundreds of organisations through a single point of compromise.
Open-source dependency attacks represent a growing concern, given that the majority of modern applications incorporate hundreds of third-party libraries. The Verizon DBIR 2024 documents a significant increase in the exploitation of vulnerabilities in open-source components as an initial entry vector (Verizon, 2024).
Finally, hardware supply chain attacks involve the modification of physical components during the manufacturing or distribution process, though their documented occurrence is significantly less frequent.
Figure 1: Supply chain attack flow — from vendor compromise to data exfiltration
Continuous Visibility as a Detection Mechanism
Defence against supply chain attacks demands an approach that transcends point-in-time vendor assessments and questionnaire-based compliance. Continuous Attack Surface Management (ASM), combined with internal monitoring and systematic third-party risk assessment, constitutes the visibility model required for early detection (NIST, 2022).
External visibility through ASM enables identification of anomalous changes in vendors’ exposed infrastructure — new subdomains, altered TLS certificates, unexpected services, or open ports that may indicate compromise. In the SolarWinds case, the command-and-control infrastructure utilised subdomains that mimicked the vendor’s legitimate naming conventions — a pattern detectable through continuous monitoring.
Internal monitoring complements external visibility by identifying anomalous behaviours in network communications associated with third-party software: traffic to unexpected destinations, periodic beaconing characteristic of C2, or data transfer volumes incompatible with the application’s normal behaviour.
Continuous vendor assessment through risk scoring based on objective indicators — known exposures, observable security configurations, incident history, certifications — enables maintenance of an up-to-date view of the risk associated with each dependency relationship, rather than relying on static annual assessments.
Figure 2: Convergent defence layers providing a unified view of supply chain risk
Practical Implications and Regulatory Framework
The DORA Regulation, applicable since January 2025, establishes concrete obligations for financial entities regarding third-party ICT service provider risk management. Article 28 requires the conduct of pre-contractual risk assessments, the inclusion of specific security clauses in contracts, and continuous risk monitoring throughout the contractual relationship (European Parliament, 2022).
For organisations outside the direct scope of DORA, the practices recommended by NIST SP 800-161 Rev. 1 provide a comprehensive framework for cybersecurity supply chain risk management, including the integration of security criteria into procurement processes, software integrity verification for third-party deliverables, and the maintenance of up-to-date dependency inventories (NIST, 2022).
The practical implementation of these obligations requires technological capabilities that combine automated asset discovery, vulnerability correlation, vendor risk scoring, and real-time alerting — capabilities that, when integrated into a unified platform, enable significant reduction in the time between vendor compromise and detection by the client organisation.
Conclusion
Supply chain attacks represent a qualitative evolution in the threat landscape, exploiting precisely the trust mechanisms that underpin digital commercial relationships. Effective defence against this class of attack does not reside in traditional perimeter controls — which are, by definition, bypassed by the legitimate nature of the entry vector — but in continuous, multidimensional visibility over the organisational attack surface and the security posture of vendors. The convergence of external ASM, internal monitoring, and continuous third-party assessment constitutes the operational model necessary to transform the supply chain from a systemic vulnerability into a managed dimension of organisational risk.
References
ENISA. (2021). Threat Landscape for Supply Chain Attacks. European Union Agency for Cybersecurity.
European Parliament. (2022). Regulation (EU) 2022/2554 (DORA). Official Journal of the European Union.
Mandiant. (2024). M-Trends 2024 Special Report. Google Cloud.
NIST. (2022). Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161 Rev. 1). National Institute of Standards and Technology.
Verizon. (2024). 2024 Data Breach Investigations Report. Verizon Enterprise Solutions.
