An emerging cybersecurity threat: supply chain compromise

A new report by Abnormal Security sheds light on a growing trend of hackers impersonating third-party vendors to steal from companies.

Cyberattacks have bedeviled health systems for years, and an emerging trend involves hackers posing as third-party vendors in an attempt to steal from companies.

It’s a phenomenon known as financial supply chain compromise, and it’s gaining in prevalence, according to a new report released Wednesday by Abnormal Security, a cybersecurity firm.

Business email compromise has been a growing problem, but in the past, many of the attacks involved bad actors impersonating company executives and asking a company’s workers to send money. That has become less effective as more workers realize the CEO or some other top executive probably isn’t asking their workers for money.

So attackers are now moving to impersonate vendors, which can be a more difficult problem for organizations to defend against, the report stated.

In January 2022, third-party impersonations surpassed “internal impersonations” (hackers posing as executives or other employees) for the first time, Abnormal Security says.

This shift in strategy makes sense in some ways, according to the company. Organizations, including healthcare systems and hospitals, have many vendors. Walmart, for example, has more than 100,000 suppliers, Abnormal Security notes.

“Nearly every business has at least a few vendors, and large enterprises may have hundreds or even thousands—making virtually any organization a potential target,” the report stated. “Vendor payments can be some of the largest financial transactions made by a business, so when payments are stolen, it can be a heavy burden.”

Abnormal Security said the largest attack involving vendor impersonation involved a fake invoice for $2.1 million.

Some attackers begin with “aging report theft”: they impersonate a vendor’s executive to obtain payment information, then use it to target that vendor’s customers, asking directors to send payments to a different account.

In some cases, attackers have found ways to gain access to email systems. Hackers will engage in phishing scams to get an employee to enter a password.

Attackers also identify which vendors are active, learn their payment schedules and then contact the company asking for payment. Sometimes the request arrives in what appears to be a legitimate email from the vendor.

Some hackers will also use “email spoofing,” where the message carries an address that appears to come from a familiar sender. But the attacker sets a separate reply address, so any response the recipient sends is routed to the hacker’s account, the report said.
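A header check for the reply-address spoofing just described, added here as an example and not taken from the Abnormal Security report; the vendor list and the message it inspects are constructed sample data:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the vendors accounts payable actually works
# with, keyed by the domain their invoices are expected to come from.
KNOWN_VENDORS = {"acme-medical.example": "Acme Medical"}

def _domain(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_vendor_email(raw_message):
    """Return the reasons a message matches the vendor-spoofing pattern."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    display_name, _ = parseaddr(msg["From"] or "")
    findings = []
    # Pattern from the report: the visible sender looks familiar, but a
    # separate Reply-To routes the answer somewhere else.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Display name borrows a known vendor's name but the address is not theirs.
    for vendor_domain, vendor_name in KNOWN_VENDORS.items():
        if vendor_name.lower() in display_name.lower() and from_domain != vendor_domain:
            findings.append(f"display name claims {vendor_name} but sender domain is {from_domain}")
    return findings

# Constructed message: familiar From address, Reply-To pointing elsewhere.
SPOOFED = """\
From: "Acme Medical Billing" <billing@acme-medical.example>
Reply-To: "Acme Medical Billing" <billing@acme-medical-remit.example>
To: ap@hospital.example
Subject: Updated remittance details for invoice 4471

Please send payment for the attached invoice to our new account.
"""

if __name__ == "__main__":
    for reason in check_vendor_email(SPOOFED):
        print("FLAG:", reason)
```

A real deployment would run this on the mail gateway alongside SPF/DKIM/DMARC results and route flagged payment-change requests to an out-of-band callback with the vendor.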

Even attackers that don’t have specific knowledge about payment cycles or contractual relationships sometimes take a shot, the report stated. In some cases, attackers simply hope that if they email an organization and ask for a payment, the recipient isn’t careful and simply complies.

“With the rapid increase in business email compromise and this shift to vendor-focused cybercrime, now is the time to secure your environment—before the next financial supply chain compromise attack targets your organization,” the report stated.

Hospitals and healthcare systems have seen scores of attacks in recent months. Last year, hundreds of attacks involved health record systems, and analysts predicted this year could be even worse.

More than 100 breaches involving health records were reported in the first quarter of 2022, according to the U.S. Department of Health and Human Services.

FBI Director Christopher Wray said earlier this month that hackers backed by the Iranian government targeted Boston Children’s Hospital. The FBI said no ransomware was deployed and authorities worked with the hospital to avert major problems.

Nearly 45 million Americans were affected by breaches involving private health information in 2021, up from 34 million in 2020, according to a report by Critical Insight, a cybersecurity company. Millions of Americans have already been affected by breaches reported this year.

The average cost of a healthcare breach climbed to $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM.

Linda Stevenson, chief information officer of Fisher-Titus Health in Ohio, offers some tips for smaller health systems to improve their cybersecurity in an interview with Chief Healthcare Executive in March.