Black Hat USA: Worst Supply Chain Attacks Are Yet to Come
Due to COVID-19, the hybrid event is both virtual and in person.
August 5, 2021
BLACK HAT USA — It’s early days in terms of supply chain cyberattacks, according to the opening keynote speaker at Black Hat USA 2021. Furthermore, the size and scope of what’s to come will make what’s happened so far look like “peanuts.”
Matt Tait, chief operating officer at Corellium, delivered the opening keynote at Black Hat USA 2021. Due to the pandemic, the event is hybrid, with attendees participating both in person and virtually. The in-person event also is much smaller, drawing fewer than 5,000 attendees as opposed to nearly 20,000 in past years.
Tait talked about the state of supply chain risks, what happens when they go wrong, and what steps the industry can take to mitigate some of them.
In supply chain attacks, bad actors target a system upstream instead of what they want, he said. They’re more interested in a company’s customers. That’s why malicious hackers target general purpose software providers like Kaseya.
“Supply chain intrusions are unusually enormous,” Tait said. “SolarWinds was enormous, but was it as enormous as could have been? SolarWinds has 300,000 customers [and] 18,000 infected.”
SolarWinds has clarified that actually fewer than 100 of its customers were hacked.
Kaseya was a “huge attack, but weirdly small” when you think about how big Kaseya is, he said. Just 0.1% of Kaseya’s customers ended up getting this ransomware.
Supply chain intrusions are not like other intrusions, Tait said. They’re different and work in different ways. And they’re “huge” by default and the scale “dwarfs” other attacks.
“So how do we fix it?” he asked. “It’s not going to be fixed by the U.S. government, federal agencies, or a consortium of governments. The only way to tackle this at scale is to fix the underlying technology. Platform vendors need to step in.”
Channel Futures is in attendance at Black Hat this week. (Black Hat USA is presented by Informa, the parent company of Channel Futures.)
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.