State-backed cyber threat groups are increasingly targeting large organizations by first attacking smaller subcontractor firms with weak security. These groups cannot always reach major targets directly, so they use these vulnerable third parties as entry points. This trend highlights the need for stronger global cooperation and layered defense strategies.
Supply chain attacks work by compromising trusted suppliers such as software developers, hardware vendors, or service providers. Through this method, hackers insert malicious code into software updates or remote access tools. Over recent years, such attacks have exposed thousands of organizations and leaked millions of people’s personal data.
The SolarWinds breach in 2020 brought this attack method into the global spotlight. It demonstrated how hackers could access multiple targets through a single compromised supplier.
Dmitry Galov, head of Kaspersky’s Global Research and Analysis Team, told Anadolu Agency that state-backed Advanced Persistent Threat (APT) groups have grown much more sophisticated in the past year. He pointed to a recent example involving the XZ vulnerability, which affected thousands of Linux servers. Attackers spent years manipulating developers of the open-source XZ Utils software to implant a hidden backdoor. This backdoor allowed hackers to bypass SSH authentication and gain remote access.
“Each supply chain attack is highly customized for the victim that interests the attacker, so it is difficult to predict their next move,” Galov explained. “They spent several years using social engineering to manipulate developers before moving on to technically backdooring the software.”
To defend against such threats, Kaspersky uses behavioral analysis and AI-driven detection tools. These technologies can spot and block harmful code, even if it comes from trusted software.
Galov stressed that supply chain attacks often start with smaller subcontractors. “Major companies usually have strong cybersecurity,” he said. “So attackers go after subcontractors with weaker defenses. Once inside, they move on to the main target.”
Subcontractors are easier targets because they invest less in protection. They also often have access privileges to the larger company’s systems or networks or provide critical software updates.
To reduce risk, Galov advises big companies to assess the cybersecurity of their vendors through methods like penetration testing. Strict audits of all incoming software are also essential. “You cannot install software without verifying its security,” he said. “It is also important to track who has access to what and why.”
Kaspersky has created a scanner to detect malicious code in open-source software libraries. “We check every update from major repositories,” Galov said. “Then we provide this information to clients so they can confirm the safety of their software.”
Galov described cybersecurity as a continuous “race” between attackers and defenders. “Cybercriminals quickly adopt new technologies. AI, machine learning, and large language models are tools used by both sides. We must stay ahead.”
He noted regional differences in cybersecurity readiness. “The Middle East shows good awareness and preparedness. But in parts of Africa, where digital infrastructure is still developing, attackers can do significant damage.”
This unevenness makes global cooperation and intelligence sharing vital. “We publish detailed reports on every cybercriminal campaign and technique,” Galov said. “This helps others prepare better defenses.”
He ended with a caution: “No single technology can stop supply chain attacks. It requires multiple layers of defense and cooperation between governments, cybersecurity firms, and users.”
