When we’re called in to investigate a cyber incident, most organisations focus on one thing — getting back online quickly. That’s understandable because operations stop, customers must wait, and the pressure is immense. But what’s often overlooked in the urgency of recovery is the initial entry point of the attacker.
In nearly one-third of the European incidents Unit 42® investigated over the past year, the breach began inside an organisation’s supply chain. These attacks exploit a supplier, a partner or a service provider to reach the real target. That figure, however, does not account for the fact that most of these attacks are never reported as supply-chain incidents, because tracing the origin requires time and resources that few have. The result is a dangerous blind spot.
Other data shows that supply-chain threats are rising fast, with estimates of a 100% year-over-year increase, and they now rank as the no. 2 emerging threat. The true scale is far greater than any reporting will show.
The Weakest Link Principle in Action
Today’s enterprises depend on vast digital ecosystems. Each one connects to hundreds, sometimes thousands, of third-party suppliers. Every connection — an API, a shared database or a remote maintenance tool — is a potential doorway.
Attackers know this. They don’t need to batter down a heavily defended front gate when a side door is wide open. Smaller suppliers often lack the layered defences or monitoring that large organisations regard as a minimum standard. A single compromise in a trusted vendor can cascade through the entire network.
We’ve seen this play out in striking ways. During a global sporting event, a compromised content provider allowed hackers to hijack commercial screens across a major European city, pushing propaganda at scale. In another case, attackers breached the CCTV infrastructure of a pharmaceutical company, creating remote access to sensitive R&D facilities. And another attack was far more targeted and nefarious. The attackers hid a Trojan in a digital car sales flyer that reached embassy staff in Ukraine via an everyday notice board. Each one started with a trusted supplier and ended with a significant downstream breach.
Why the Threat Is Accelerating
Several forces are converging to make supply-chain compromises the attack vector of choice.
The first is economic asymmetry. Launching an attack costs far less than defending against one. Breaching a small supplier with weaker defences is easier and costs an attacker little more than time and patience, while defending a global enterprise requires massive investment. The payoff for this patience can be huge: it takes just one successful supplier breach to unlock access to multiple downstream targets.
The second is AI acceleration. Threat actors now use AI-driven reconnaissance tools to scan the internet to map who connects to whom and identify potential supply chain weaknesses. With ransomware as a service and access brokers selling credentials on demand, the barrier to entry has never been lower.
For example, such groups as Muddled Libra (also known as Scattered Spider) use these tools with devastating effect. In one incident we investigated, a business-process outsourcing firm faced five separate attacks in a single week. Each one attempted to exploit a different route through its partner network.
Finally, digital overextension is multiplying the attack surface. Every new SaaS integration, data-sharing partnership or outsourced process adds complexity and dependency. As ecosystems grow, visibility diminishes, and unseen risk thrives in the shadows.
How a Supply Chain Attack Unfolds
The anatomy of these attacks is increasingly familiar. It begins with reconnaissance. Automated scanning is used to find outdated software, exposed credentials or misconfigured services in third-party systems. Once inside, the attacker studies the environment, looking for connections to higher-value organisations. The supplier is rarely the end goal, but rather the stepping stone.
From there, the attacker moves laterally. They might use stolen credentials to access shared cloud storage or embed malicious code in a software update. Eventually, they reach a target that holds sensitive data or operational control. Extortion follows, often in the form of a threat to leak data, disrupt operations or report the breach to regulators to trigger fines and reputational damage.
Who’s Being Targeted?
The most frequent targets that we’ve observed are in high-tech and financial services. These sectors handle valuable data and depend on an array of vendors. But they’re not alone. Law firms and professional services providers, both rich in confidential client material, have become prime targets due to their connections to blue-chip enterprises. Luxury brands are also on the list, often attacked indirectly to reach the personal data of high-net-worth clients.
Besides following the money, attackers are following connectivity. The more an organisation interacts with others, the more routes exist to reach it.
The Case for Cyber Altruism
Traditional security thinking stops at the enterprise boundary. We protect what we own and manage. But that approach no longer works when exposure extends across hundreds of suppliers.
Unit 42 advocates for “cyber altruism” — the idea that larger organisations should extend enterprise-grade protection, tooling and expertise downstream to smaller partners. Cyber altruism is enlightened self-interest. Every weak link in your supply chain is a potential breach in your own.
Cyber altruism means mapping dependencies, identifying weak links and sharing security. It might involve providing smaller vendors with access to secure file-transfer tools, threat-intelligence feeds or incident-response playbooks. Or, it can mean including minimum security standards in contracts or offering cofunded training. Anchor enterprises typically lead this work, since they have the most to lose if a partner is breached.
When done well, the benefits are collective. Risk is reduced across the ecosystem, resilience improves and trust deepens. Organisations that take this approach are also likely to gain competitive advantage. Customers and regulators increasingly expect visible due diligence on supply chain security.
A Shared Responsibility
Supply chain security cannot rely on disclosure alone. Under-reporting will continue as long as investigations prioritise restoration over origin. But we can change what happens next.
Leaders should start by asking three simple questions:
- Do we know every digital dependency we have? Map suppliers, partners and service providers, however small.
- Where are the weak links? Assess vulnerabilities and fix them before adversaries do.
- How are we supporting our ecosystem? Extend safeguards and knowledge to those who need it most.
The reality is that one weak link can compromise an entire ecosystem. Recognising that interdependence is the first step toward resilience.
Looking Ahead
The growth of connected supply chains has transformed how business is done, but it has also created a perfect storm for attackers. Economic imbalance, rapid AI adoption and endless digital interconnections have tilted the field in their favour.
Rebalancing it requires technology, but it also demands collaboration, visibility and shared accountability. Cyber altruism captures that mindset — pragmatic, collective and focused on protecting everyone who depends on the chain.
We can’t fix what we can’t see. But, once we look beyond the tip of the iceberg, we can start strengthening what lies beneath.
Read the Unit 42 Global Incident Response Report here.