Securing the Supply Chain: What SMBs Need to Know

Author: Christina Todorova
Categories: Research
Date: February 25, 2025

Unless you have been taking a media break for a while, you have probably noticed that supply chain security has become a hot topic lately, with the global supply chain market size growing from $1.76 billion in 2023 to $1.95 billion in 2024 at a compound annual growth rate (CAGR) of 10.8%. Supply chain security is not a new concept by any means, of course, but with the transposition of NIS 2 into national law and the rising tide of supply chain attacks over the past year, it’s been dominating headlines for a good reason.

Now, you might be tempted to say, “Well, unless SMBs play a ‘key role’ in critical sectors or the economy, NIS 2 does not really apply to them, right?” Not so fast. NIS 2’s impact on small and micro businesses goes beyond direct compliance. The directive puts a spotlight on supply chain security, requiring larger companies to ensure their suppliers and service providers meet strict cybersecurity standards. That means SMBs might need to step up their cybersecurity game to keep their partnerships with NIS 2-compliant clients intact.

This growing focus on supply chain security highlights a bigger trend: SMBs, as critical links in broader supply chains, are increasingly targeted by cybercriminals. Why? Their smaller budgets, limited resources, and less sophisticated cybersecurity measures make them low-hanging fruit—easy entry points for attackers trying to exploit the bigger fish in the supply chain.

The consequences of such attacks can be devastating for companies of any size. Beyond the immediate financial hit, SMBs often face long-lasting ripple effects, like reputational damage, loss of trust from partners and clients, and major operational disruptions. For SMBs, recovering from these blows is often harder and more expensive, underscoring why supply chain security is not just an enterprise issue anymore.

What Is the Big Deal?

Simply put, the big deal is that supply chain attacks weaponise trust. This makes SMBs especially vulnerable to such attacks, since smaller businesses not only capitalise on trust but also rely heavily on it to sustain their reputation and business relationships.

The way that supply chain attacks work is by targeting the interconnected web of relationships between businesses and their third-party vendors, suppliers, or software providers. Because supply chain vendors often serve multiple organisations, a single successful compromise can cascade through an entire ecosystem, impacting numerous businesses at once. This “attack once, infect many” strategy makes supply chain attacks highly efficient for cybercriminals.

SMBs face a two-fold risk when it comes to supply chain attacks, namely as vendors in the supply chain or as targets in the domino chain. In the first case, a supply chain attack targeting an SMB can compromise the larger entities they serve. Hence, the trust that the partners place in the targeted organisation becomes the very tool attackers exploit to infiltrate the broader ecosystem. In the second case, SMBs are also direct targets in the supply chain, where the impact of the attack ripples outward by halting their operations and potentially disrupting the operations of their clients.

For SMBs, trust isn’t just a buzzword; it’s an asset they actively leverage to compete and grow. Losing that trust through a supply chain attack—whether as a vendor or a victim in the chain—can be catastrophic. The stakes are especially high because:

  • Clients expect SMBs to safeguard their data and systems, and any breach erodes confidence and makes clients think twice about continuing the relationship.
  • SMBs have fewer resources to vet third-party providers or to recover from attacks.
  • A breach of one SMB can lead to widespread disruption, affecting not just the SMB but also its clients, partners, and the broader ecosystem.

All of this makes it hard to treat supply chain security as a purely technical issue for SMBs: losing the trust of a key client can have lasting consequences, including contract terminations and reduced credibility in the market, and that damage may be irreparable.

Why Are SMBs Vulnerable?

We have mentioned some challenges particular to SMBs in passing already, particularly the limited resources to vet or monitor third-party connections. Furthermore, budget constraints and limited in-house expertise often mean SMBs can only implement basic cybersecurity measures, leaving gaps in their defences. For instance, they might not have the resources to adopt advanced threat detection systems or conduct frequent security audits.

A significant challenge for SMBs lies in how these vulnerabilities - limited resources and less robust cybersecurity measures - combine to create a reactive cybersecurity posture rather than a proactive one. This reactive stance leaves SMBs appearing to cybercriminals as low-hanging fruit, making them prime targets in the evolving threat landscape.

The cybersecurity community has already observed an alarming increase in cyberattacks targeting SMBs. This trend underscores how cybercriminals exploit the vulnerabilities inherent in a reactive approach. For attackers, SMBs often represent:

  • Easier Entry Points. With weaker defences, SMBs are more likely to succumb to common attack vectors such as phishing, ransomware, or supply chain compromises.
  • High-Value Opportunities. Despite their size, SMBs often hold sensitive data, intellectual property, or privileged access to larger partners, making them valuable stepping stones in larger campaigns.

One reason for this uptick is precisely the perceived lack of preparedness among SMBs. Attackers know that a reactive approach means slower detection and mitigation, giving them more time to exploit vulnerabilities and amplify the damage.

On the other hand, looking at some of the most common vectors behind supply chain attacks, regardless of their type, we can see some particular weaknesses of SMBs.

Vendor Relationships

A particular feature of SMBs that makes them especially vulnerable to supply chain attacks is their pattern of dependence on third parties. Of course, as already noted several times, SMBs often lack the resources or expertise to thoroughly vet or continuously monitor their vendors’ security practices. However, this is not the only issue here.

SMBs frequently rely on external vendors for critical services like IT support, software management, or payment processing, creating multiple potential entry points for attackers. However, compared to larger enterprises, SMBs might not enforce rigorous cybersecurity requirements in their contracts with vendors, leaving gaps in accountability for breaches.

In our practice, we have rarely seen SMBs that have the legal resources or negotiating power to demand comprehensive cybersecurity measures from vendors. Without specific clauses outlining security standards, response times, and liability, SMBs leave themselves exposed if a vendor's systems are breached. Inadequate contractual obligations mean SMBs have limited recourse to hold vendors accountable for damages or demand timely responses to security incidents. Attackers can exploit these weak links, turning vendor vulnerabilities into entry points to SMB networks.

Insider Threats

Insider threats arise when employees, contractors, or third-party personnel - whether intentionally or accidentally - cause a security breach. This could include leaking sensitive credentials, mishandling data, or being coerced by attackers. So why is this a threat of particular interest to SMBs? Simply put, smaller budgets mean less thorough background checks, minimal training and a lack of monitoring.

Trusting the wrong individual or vendor can lead to significant breaches. Whatever your opinions on background checks may be, they are standard in larger organisations but are commonly skipped in SMBs due to cost or time constraints. A lack of proper vetting can lead to insider threats, such as a contractor who leaks sensitive credentials.

The same applies to employee onboarding, training and continuous development. SMBs often prioritise operational needs over cybersecurity awareness programs. As a result, employees may lack the knowledge to recognise suspicious activities, handle sensitive data securely, or follow best practices for cybersecurity hygiene. This lack of awareness creates an easy path for attackers to exploit human error, such as an employee unwittingly clicking on a malicious link or sharing sensitive credentials with an impersonator.

Furthermore, SMBs typically have flatter organisational structures, which means it’s easier for attackers to identify and directly contact individuals with access to critical systems. SMBs often lack the segregation of duties and access controls that larger enterprises enforce. Attackers who impersonate trusted partners or use social engineering can manipulate key personnel into authorising fraudulent transactions or granting unauthorised access. A single mistake by a key individual can compromise the organisation’s entire network.

Last but not least, of course, there is the budget required for comprehensive IT capabilities to monitor for insider and outsider threats alike, including threat detection systems, spam filters, firewalls, and so on. Without it, it is difficult to track suspicious behaviours, detect unauthorised access, or identify data exfiltration in real time. Without proper monitoring, malicious activities by insiders or compromised accounts can go unnoticed for extended periods, amplifying the damage of a breach.

Supply Chain Attacks Hall of Fame

When it comes to supply chain attacks, variety is the spice of mischief. In this chapter, we will try to organise supply chain attacks into categories, from sneaky malware hidden in software updates to compromised hardware with preloaded vulnerabilities. And just to make it more real, we will highlight some infamous cases in our “Hall of Fame” to illustrate the damage these attacks can cause.

SolarWinds Orion Attack (2020)

The SolarWinds attack is the poster child of modern supply chain breaches. On December 13, 2020, cybersecurity firm FireEye disclosed a supply chain attack involving SolarWinds’ Orion platform, a widely used IT management software. This breach, attributed to a sophisticated advanced persistent threat (APT) group (dubbed UNC2452), infiltrated SolarWinds' software update mechanism, enabling attackers to implant a backdoor called SUNBURST into the software. This attack impacted 18,000 organisations, including U.S. federal agencies, critical infrastructure, and private entities, highlighting the vulnerabilities inherent in software supply chains.

Unlike typical breaches, this attack demonstrated extraordinary stealth and complexity, with attackers randomising their activities to evade detection. The operation spanned months, dating back to March 2020, and introduced a multi-layered malware ecosystem that facilitated lateral movement and long-term access across compromised networks.

Lesson for SMBs: If a trusted vendor is compromised, the ripple effects can reach even the smallest organisations. Vetting third-party software and monitoring for unusual behaviour is critical. Deploy Endpoint Detection and Response (EDR) tools to monitor for anomalies. Regular updates, access controls, and employee training are foundational.

NotPetya Ransomware Attack (2017)

On June 27, 2017, the NotPetya malware was unleashed, originating from a Ukrainian tax software provider, M.E.Doc. The attack started as a localised assault on Ukraine, exploiting geopolitical tensions with Russia. However, the malware quickly spiralled out of control, crippling global businesses, government agencies, and critical infrastructure across numerous countries.

NotPetya, masquerading as ransomware, proved to be a destructive cyberweapon designed for data obliteration rather than financial gain. It caused an estimated $10 billion in damages worldwide, with prominent victims including Maersk, Merck, FedEx, and Mondelez. This case exemplifies how supply chain attacks can devastate not only intended targets but also globally interconnected businesses, highlighting critical lessons for SMBs. NotPetya combined two potent hacking tools:

  • EternalBlue - A leaked NSA exploit targeting a Windows vulnerability to enable remote code execution.
  • Mimikatz - A tool that extracted credentials from memory, allowing lateral movement across networks.

Together, these tools created a virulent, self-propagating worm. NotPetya encrypted files and rendered systems inoperable with no working decryption key available—confirming its destructive intent.

Lesson for SMBs: Even localised breaches can have global consequences. SMBs relying on regional software providers or international suppliers need to ensure those vendors have strong cybersecurity measures. Segment critical infrastructure and sensitive systems to prevent lateral movement during an attack. Maintain offline backups stored in secure locations and regularly test backup restoration processes.

CCleaner Malware Incident (2017)

In 2017, CCleaner, a popular computer optimisation tool, became the focal point of a supply chain attack that exposed millions of users worldwide to a malware backdoor. This breach exploited trust in the software supply chain, targeting Piriform, the developer of CCleaner, which Avast, a cybersecurity company, had recently acquired.

Hackers infiltrated Piriform’s network using stolen credentials to log into a TeamViewer remote desktop account on a developer's PC. Using malware called ShadowPad, the attackers compromised Piriform’s development systems. A backdoored version of CCleaner was released, infecting over 2.27 million downloads. Of these, only 40 systems, primarily in the technology and IT sectors, received a second-stage payload.

Lesson for SMBs: Free or low-cost tools are often attractive for SMBs with limited budgets, but they can come with risks. Regularly verify software integrity and use tools from vendors with strong security reputations. Adopt DevSecOps practices, including code-signing verification and regular security assessments of development environments. Deploy tools that monitor and flag suspicious network traffic, such as communication with unknown or malicious domains. Last but not least, require vendors to undergo regular penetration testing and provide evidence of cybersecurity compliance.

ASUS Live Update Attack (2018)

In 2019, ASUS, one of the world’s largest computer manufacturers, suffered a supply chain attack dubbed "ShadowHammer". The attackers exploited the company’s Live Update Utility, a legitimate tool used to deliver updates for firmware, drivers, and ASUS utilities. This backdoored version of the software, distributed via ASUS's official update servers, was signed with legitimate ASUS certificates, making it indistinguishable from genuine updates. The attack is estimated to have affected over 1 million users globally, though its ultimate targets were approximately 600 specific systems identified by their MAC addresses. Kaspersky Lab identified the attack in January 2019 using new tools designed to detect anomalies in software updates. While over a million users downloaded the malicious update, only systems with hardcoded MAC addresses received a second-stage payload. The precise intent of the payload remains unknown due to the takedown of the attacker-controlled server before analysis.

Lesson for SMBs: Hardware vendors are not immune. Always enable advanced monitoring and endpoint protection, even for devices from trusted brands. Consider implementing a policy to test critical updates in isolated environments (e.g., sandboxed or virtual machines) before deploying them across production systems.

Kaseya Ransomware Attack (2021)

On July 2, 2021, the REvil ransomware group launched a significant attack against Kaseya VSA, a remote monitoring and management tool. The attack exploited a vulnerability to distribute ransomware, affecting over 1,000 companies globally through managed service providers (MSPs). Swedish supermarket chain Coop had to close 800 stores for nearly a week, while REvil demanded a $70 million ransom. The incident revealed critical vulnerabilities in software supply chains and demonstrated the devastating impact of ransomware on interconnected businesses.

Lesson for SMBs: Vendors serving SMBs are high-value targets for attackers. Always ask vendors for detailed security policies and keep your systems resilient. Develop and test an incident response plan, including strategies for ransomware scenarios, to minimise operational disruption. Maintain regular, encrypted backups of critical data. Test recovery processes periodically to ensure they are effective in a real-world scenario.

Operation Grim Beeper (2024)

In September 2024, thousands of pagers and walkie-talkies, used primarily by Hezbollah in Lebanon and Syria, exploded in a coordinated attack allegedly carried out by Israeli intelligence. Dubbed "Operation Grim Beeper," this operation caused significant casualties and injuries, targeting Hezbollah's communication infrastructure. The devices had been embedded with undetectable explosives by a shell company allegedly linked to Israeli operatives. Despite debates over legality and international law, the event marked a technological and tactical escalation in modern asymmetric warfare.

The operation highlighted how compromised supply chains could be weaponised, with Israeli operatives embedding explosives in devices during manufacturing. Furthermore, hospitals and other institutions overwhelmed by the blasts highlighted the importance of disaster readiness.

Lesson for SMBs: The events of September 2024 underscore the critical importance of supply chain vigilance, robust cybersecurity, and multi-layered risk management strategies for SMBs. While this operation involved geopolitical actors, the vulnerabilities it exposed are highly relevant to businesses operating in an interconnected and increasingly digitised world. SMBs should invest in crisis management plans, ensuring rapid response to incidents involving physical or cyber threats to their operations. Rigorously vetting suppliers is another key takeaway, especially when sourcing from unknown intermediaries or high-risk regions. Implement traceability protocols and audit suppliers regularly.

Supermicro Spy Chip (2018)

The Supermicro incident, reported by Bloomberg in 2018, brought hardware supply chain vulnerabilities into the global spotlight. Though the allegations remain unproven, the case serves as a cautionary tale for SMBs reliant on complex global supply chains. Bloomberg alleged that Chinese operatives had infiltrated Supermicro’s supply chain, embedding tiny malicious components onto motherboards. These hardware modifications, it was claimed, provided a stealthy backdoor for attackers to access sensitive systems. Major companies, including Amazon and Apple, reportedly used the motherboards.

While no independent evidence has ever corroborated Bloomberg's claims, the report highlighted a theoretically plausible attack vector. Trammell Hudson’s later proof-of-concept demonstrated how minor hardware modifications, such as a single resistor swap, could compromise a system. Even if the Supermicro claims remain unverified, the incident underscores how malicious actors could target hardware supply chains. SMBs, which often lack the resources to conduct in-depth hardware validation, may unknowingly deploy compromised devices.

Lesson for SMBs: Hardware components can be tampered with before they reach your hands. Work with trusted suppliers and consider diversification to avoid single points of failure. Supermicro suffered a decline in revenue and reputational damage, showcasing the cascading financial effects of unverified allegations. SMBs serving as suppliers should recognise the importance of robust security practices to maintain trust with partners. Unlike software vulnerabilities, hardware-based compromises are challenging to detect. SMBs often lack the technical expertise to identify such threats, making them more reliant on vendors’ assurances.

MOVEit File Transfer (2023)

Attackers exploited a zero-day SQL Injection vulnerability in the MOVEit file transfer tool to steal sensitive data from multiple organisations. The attackers, identified as the Cl0p ransomware gang, leveraged the vulnerability to deploy a custom web shell (LemurLoot) that exfiltrated sensitive data from targeted organisations. Despite swift patching efforts by Progress Software, the flaw's public-facing nature made it a lucrative attack vector, impacting over 2,500 organisations and nearly 100 million individuals globally.

Lesson for SMBs: Regularly update software and monitor for vulnerabilities in widely used tools. If your vendor issues a patch or advisory, act promptly. The widespread impact of MOVEit’s compromise demonstrates that no organisation is immune to breaches. SMBs must implement robust incident response plans that include steps for addressing third-party vulnerabilities, isolating affected systems, and notifying stakeholders promptly. For SMBs operating as part of larger supply chains, this breach underscores the importance of securing not only internal systems but also those of upstream and downstream partners. Enhanced collaboration with partners on cybersecurity measures is vital.

Conclusions

Supply chain attacks underscore one central truth - trust is both the strength and the Achilles’ heel of supply chains. SMBs, often seen as “easier” targets, need to prioritise due diligence, proactive monitoring, and robust cybersecurity measures to protect themselves and their partners.

We included this hall of fame with some high-profile cases to serve as inspiration for you to fortify your defences and stay ahead of the curve in 2025. Here are some key takeaways from our Hall of Fame cases:

  • Supply Chain Security. Ensure vendors follow secure development practices by requiring regular security audits and documentation. Restrict privileged accounts used by third-party software to essential systems only. Verify the authenticity of software updates using trusted cryptographic signatures whenever possible. Stay informed about vulnerabilities disclosed for critical tools in your environment and implement automated patch management systems to ensure timely updates after testing. In terms of testing, consider sandboxing for patches for critical services.
  • Network Monitoring and Segmentation. A simple start would be network segmentation into isolated zones to limit potential malware spread. Analysing traffic for unusual or unauthorised activities is the next step.
  • Access Controls and Privilege Management. Restrict users and applications to the minimum permissions necessary to perform their tasks (Principle of Least Privilege). Require MFA for all privileged accounts and sensitive systems and review user and service accounts to remove unused or overprivileged accounts.
  • Backup and Disaster Recovery. Store backups in isolated environments to prevent tampering or ransomware encryption. Regularly validate backup integrity, practice restoration drills, and maintain multiple backup versions to recover from data corruption.
  • Incident Response Readiness. Create and regularly update a plan that includes containment, investigation, communication, and recovery steps. Consider conducting tabletop exercises to simulate attack scenarios to evaluate and improve your response capabilities.
  • Employee Training and Awareness. Provide solid onboarding and documentation for your employees, as well as ongoing education on safe practices.
  • Cyber Hygiene Best Practices. Start with the basics - maintain an up-to-date inventory of hardware, software, and network assets. Use CIS Benchmarks to harden systems and configurations and adopt a zero-trust approach to access requests – all are potentially malicious until verified.
  • Advanced Monitoring and Threat Intelligence. Something you can do for free is improve your awareness - subscribe to feeds for Indicators of Compromise (IOCs) relevant to your industry, security newsletters and updates from your service providers. If possible, investing in tools that monitor logs, detect anomalies, and flag high-risk behaviours in real time could be a game changer.
  • Third-Party Assessments and Penetration Testing. Consider investing in assessing systems for weaknesses and vulnerabilities. You can start doing this internally if external audits are not an option and you have the in-house expertise to do so. Consider also including security drills and simulating attacks to identify exploitable gaps in your defences.
  • Multi-Layered Security Approach. Starting with the implementation of endpoint protection and securing email gateways is a key foundation for a multi-layered security approach. Keep security solutions, including firewalls and IDS/IPS systems, updated with the latest signatures and patches.
  • Governance and Strategic Investment. Position cybersecurity as a strategic business priority, not just an IT issue. This includes investing in cybersecurity tools, expertise, and audits that are proportional to your organisation's risk profile. Adopting industry standards is useful but not bulletproof.
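The network monitoring and IOC-feed takeaways above, together with the CCleaner lesson about flagging communication with unknown or malicious domains, can be started with very little tooling. The following is an added example, not code from the article or from any vendor it mentions: it reads a constructed proxy/DNS log and raises an alert when a third-party agent (such as an IT management or backup tool) contacts a domain outside the set its vendor documents, or when any host contacts a domain on an IOC list. The log format, the agent names and the domain lists are all assumptions an SMB would replace with its own.

```python
"""Flag outbound connections to unknown or known-bad domains.

Added example (not from the original article). Assumes a constructed
log format: "<ISO timestamp> <host> <process> <domain>" per line.
"""
from __future__ import annotations

import re

# Constructed sample lines; a real deployment would read proxy or resolver logs.
SAMPLE_LOG = """\
2025-02-20T09:01:10Z ws-01 outlook.exe outlook.office365.com
2025-02-20T09:02:44Z ws-01 chrome.exe example-bank.test
2025-02-20T09:03:02Z srv-mgmt itmonitor.exe updates.itmonitor-vendor.test
2025-02-20T09:03:05Z srv-mgmt itmonitor.exe cdn.unknown-staging.test
2025-02-20T09:04:30Z ws-02 backup-agent.exe api.backup-vendor.test
2025-02-20T09:05:12Z ws-02 backup-agent.exe evil-c2.test
2025-02-20T09:06:00Z ws-01 chrome.exe www.wikipedia.org
"""

# Placeholder IOC list, normally populated from a threat-intelligence feed.
IOC_DOMAINS = {"evil-c2.test"}

# Placeholder per-agent allowlist built from vendor documentation: which
# domains each third-party agent is expected to talk to. Anything else
# from that agent is treated as suspicious (an update channel gone wrong).
AGENT_ALLOWLIST = {
    "itmonitor.exe": {"updates.itmonitor-vendor.test"},
    "backup-agent.exe": {"api.backup-vendor.test"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> list[dict]:
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, domain = m.groups()
        events.append({"ts": ts, "host": host, "proc": proc,
                       "domain": domain.lower().rstrip(".")})
    return events


def registrable_domain(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Use a public-suffix list in production."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def find_alerts(events: list[dict], ioc_domains=IOC_DOMAINS,
                allowlist=AGENT_ALLOWLIST) -> list[dict]:
    """Return one alert per event that matches an IOC or breaks an agent allowlist."""
    alerts = []
    for ev in events:
        d = ev["domain"]
        # IOC check first: exact match or match on the registrable domain.
        if d in ioc_domains or registrable_domain(d) in ioc_domains:
            alerts.append({**ev, "reason": "IOC match"})
            continue
        # Allowlist check applies only to processes we have documented.
        allowed = allowlist.get(ev["proc"])
        if allowed is not None and d not in allowed:
            alerts.append({**ev, "reason": "agent contacted unlisted domain"})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} {a['host']} {a['proc']} -> {a['domain']}: {a['reason']}")
```

Browsers and mail clients are deliberately left out of the allowlist, since their destinations are too varied to pin; the value here is in the narrow, predictable traffic of vendor-installed agents.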

The key is adopting a proactive, layered security strategy that combines advanced tools, consistent employee education, and ongoing monitoring. Furthermore, collaboration with vendors, clients, and industry groups on cybersecurity practices can enhance resilience across the supply chain.

Ultimately, the examples in this article underscore the devastating impact of supply chain breaches on organisations of all sizes. For SMBs, prioritising security is not just about protecting their assets; it is about safeguarding the trust that underpins their partnerships and ensures their survival in an increasingly digital, interconnected world. The path forward demands vigilance, investment, and a commitment to continuous improvement in cybersecurity practices.