Supply Chain Attacks: When Service Providers Become the Gateway

26 June 2026

With NIS2, a topic that has long received comparatively little attention is moving into the spotlight: supply chain security.

Even when an organisation’s systems, processes and security controls are well protected, vulnerabilities at external partners can provide attackers with an entry point. As a result, IT and security teams must look beyond their own infrastructure and consider risks that originate outside their organisational boundaries.

From Direct Attacks to the One-to-Many Principle

Cybercriminals and state-sponsored threat actors increasingly operate according to economic principles. Direct attacks against well-protected organisations are often time-consuming and resource-intensive, while service providers and other organisations within the supply chain offer a far more attractive alternative: if a single partner’s infrastructure is compromised, attackers may gain access to numerous customer environments at the same time.

ENISA has consistently identified supply chain attacks as one of the most significant cybersecurity threats facing businesses and public-sector organisations. What makes these attacks particularly dangerous is their ability to bypass traditional security controls by exploiting trusted relationships.

The SME Dilemma

Small and medium-sized enterprises (SMEs) face a double challenge when it comes to supply chain attacks. On the one hand, they often rely heavily on external service providers. On the other, they frequently serve as stepping stones to larger organisations, critical infrastructure operators and government entities.

A compromised email account or a hijacked service provider connection may be all an attacker needs to launch convincing phishing or business email compromise (BEC) campaigns against larger targets.

Common Attack Scenarios Involving Service Providers

Service providers are not targeted at random. Attackers tailor their methods to the technologies and processes that organisations rely on.

  • Compromising Remote Monitoring and Management (RMM) Platforms
    IT service providers commonly use Remote Monitoring and Management (RMM) solutions to administer customer environments. If attackers obtain credentials or exploit vulnerabilities within these platforms, they can deploy malware or ransomware directly to customer endpoints. Because RMM tools are recognised as legitimate administrative software, malicious activity can remain undetected for extended periods. This is a form of "Living off the Land": attackers abuse trusted tools that are already present in the environment rather than introducing their own.
  • Tampered Updates and Compromised Development Pipelines
    In this scenario, attackers infiltrate a software vendor’s development environment and insert malicious code into legitimate software updates. Because the software is still digitally signed with the vendor’s valid certificates, it typically raises little suspicion among customers: a valid signature proves that the update came from the vendor’s signing key, not that the vendor’s build pipeline was uncompromised. The SolarWinds incident in 2020 remains one of the most prominent examples of this type of supply chain attack.
  • Abuse of External Support Interfaces
    Many organisations maintain permanent maintenance connections, VPN tunnels or API interfaces for external service providers. If these connections are insufficiently monitored or secured, they can serve as an initial access vector and a channel for data exfiltration.
  • Identity and Cloud Account Attacks
    Compromised cloud accounts belonging to service providers can provide attackers with direct or indirect access to customer environments without requiring them to bypass traditional security controls. Stolen credentials, compromised single sign-on (SSO) solutions and successful multi-factor authentication (MFA) bypasses are among the most common attack methods used today.

NIS2: Supply Chain Security Becomes a Management Responsibility

The regulatory response to this threat landscape is clear. The NIS2 Directive places greater emphasis on supply chain security as part of an organisation’s overall risk management strategy.

Affected organisations must systematically assess risks arising from suppliers and service providers and demonstrate that appropriate safeguards are in place.

In practice, this means:

  • Security requirements in contracts: Security expectations should be formally defined in agreements with suppliers and service providers.
  • Supply chain risk assessments: Organisations must evaluate the risks associated with the products, services and access privileges provided by third parties.
  • Cascading effects: Even organisations that do not fall directly under NIS2 are increasingly required to meet security expectations imposed by customers and business partners.
  • Management accountability: NIS2 strengthens the responsibility of executive leadership and governing bodies. Appropriate security measures must be actively overseen and demonstrably documented.

Practical Measures for Administrators

Supply chain security starts with visibility and control. The following measures should form part of every cybersecurity strategy:

  1. Inventory and Review of Third-Party Access
    • Which external partners have access to your environment?
    • Which systems can they reach?
    • Are there outdated or unnecessary accounts that should be removed?
  2. Enforce Multi-Factor Authentication
    • VPN access
    • Cloud services
    • Remote administration platforms
  3. Apply the Principle of Least Privilege
    • Avoid permanent administrative privileges
    • Eliminate shared accounts
    • Grant time-limited access wherever possible
  4. Monitor Third-Party Activity
    • Log administrative actions
    • Integrate monitoring with SIEM solutions
    • Implement session monitoring and alerting
  5. Regularly Assess Suppliers
    • Security certifications (e.g. ISO 27001)
    • Incident response capabilities
    • Security policies and compliance evidence
  6. Establish Emergency Procedures
    • How can third-party access be disabled immediately during an incident?
    • Who are the designated contacts on both sides?
    • Which systems would be affected?
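
The following script ties steps 1, 3, 4 and 6 together: it reviews a register of third-party access grants for expired or MFA-less entries, checks recorded administrative actions against the scope and validity period of each grant, and produces the list of accounts to disable when a given vendor reports a compromise. It is an added example written for this article, not code from IKARUS or from the original text; the register layout, the audit-log format and every vendor, account and host name in it are constructed assumptions rather than real systems.

```python
"""Audit third-party access against a vendor-access register.

Added example for this article, not code from IKARUS or from the original
text. The register layout, the audit-log format and every vendor, account
and host name below are constructed assumptions, not real systems.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessGrant:
    vendor: str
    account: str
    systems: frozenset        # hosts this vendor may administer (least privilege)
    expires: datetime         # time-limited access; no permanent admin rights
    mfa_required: bool = True


# Point in time at which the audit runs (assumed).
AUDIT_TIME = datetime(2026, 6, 26, 12, 0, tzinfo=timezone.utc)

# Constructed register; in practice exported from the IAM/PAM system.
REGISTER = [
    AccessGrant("msp-alpha", "svc_msp_alpha",
                frozenset({"srv-file01", "srv-app02"}),
                datetime(2026, 7, 31, tzinfo=timezone.utc)),
    AccessGrant("hvac-vendor", "hvac_remote", frozenset({"bms-ctrl01"}),
                datetime(2026, 1, 15, tzinfo=timezone.utc)),     # already expired
    AccessGrant("shared-support", "support", frozenset({"srv-app02"}),
                datetime(2026, 12, 31, tzinfo=timezone.utc), mfa_required=False),
]

# Constructed audit log, one action per line: timestamp,account,host,action,mfa
SAMPLE_LOG = """\
2026-06-26T08:02:11Z,svc_msp_alpha,srv-file01,patch_install,yes
2026-06-26T08:05:40Z,svc_msp_alpha,dc01,group_modify,yes
2026-06-26T09:30:00Z,hvac_remote,bms-ctrl01,firmware_update,yes
2026-06-26T10:12:09Z,support,srv-app02,service_restart,no
2026-06-26T11:00:00Z,ex_contractor,srv-app02,file_read,yes
"""


def parse_log(text):
    """Turn the CSV-style log into dicts with a timezone-aware timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, account, host, action, mfa = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account, "host": host, "action": action,
            "mfa": mfa == "yes",
        })
    return records


def review_register(register, now):
    """Steps 1-3: grants that should be removed or tightened."""
    findings = []
    for g in register:
        if g.expires <= now:
            findings.append(f"EXPIRED grant {g.account} ({g.vendor}): remove account")
        if not g.mfa_required:
            findings.append(f"NO-MFA grant {g.account} ({g.vendor}): enforce MFA")
    return findings


def audit_activity(register, records):
    """Step 4: third-party actions that fall outside the grant on file."""
    by_account = {g.account: g for g in register}
    alerts = []
    for r in records:
        g = by_account.get(r["account"])
        if g is None:                       # orphaned or unknown third-party account
            alerts.append((r["ts"], r["account"], "unknown account: no grant on file"))
            continue
        if r["ts"] >= g.expires:
            alerts.append((r["ts"], r["account"], "activity after grant expiry"))
        if r["host"] not in g.systems:
            alerts.append((r["ts"], r["account"], f"host {r['host']} outside grant scope"))
        if g.mfa_required and not r["mfa"]:
            alerts.append((r["ts"], r["account"], "admin action without MFA"))
    return alerts


def revocation_list(register, vendor):
    """Step 6: every account to disable when a vendor reports a compromise."""
    return sorted(g.account for g in register if g.vendor == vendor)


if __name__ == "__main__":
    for f in review_register(REGISTER, AUDIT_TIME):
        print("FINDING", f)
    for ts, account, reason in audit_activity(REGISTER, parse_log(SAMPLE_LOG)):
        print("ALERT", ts.isoformat(), account, reason)
    print("Revoke on msp-alpha incident:", revocation_list(REGISTER, "msp-alpha"))
```

On the constructed data the register review reports the expired HVAC grant and the MFA-less shared support account, while the activity audit flags the MSP account touching a domain controller outside its scope, the HVAC vendor acting after its grant expired, and an account with no grant on file at all. Note that the shared support account is only caught by the register review, not by the activity audit, because its grant does not require MFA in the first place: the register has to be correct before log-based monitoring can enforce anything. In production the same checks would run continuously against the log feed or as a SIEM correlation rule rather than over a static string.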

Supply chain risks are not limited to cyberattacks. Technical failures and misconfigurations at critical service providers can also have significant consequences. The global CrowdStrike outage in July 2024 demonstrated how a faulty update from a single vendor can disrupt thousands of organisations simultaneously — even without a cyberattack.

Conclusion: Trust Is Good, Verification Is Essential

Protecting internal systems remains the foundation of any effective cybersecurity strategy. At the same time, organisations must address risks that originate beyond their own infrastructure.

External connections should never be treated as automatically trustworthy. Zero Trust principles, least privilege, continuous monitoring and systematic supply chain risk assessments are increasingly becoming standard practice in modern cybersecurity programmes.

Sources:

https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/NIS-2-Infopakete/NIS-2-Lieferkette/NIS-2-Lieferkette_node.html
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
https://www.nis.gv.at/nis-2-richtlinie.html