Threat Intelligence

Supply Chain Data Exfiltration Attacks: SolarWinds, MOVEit and the Trusted Channel Problem

The MOVEit Transfer campaign that began in late May 2023 compromised over 2,600 organisations and exposed the personal data of more than 95 million individuals, all through a single vulnerability in a trusted file transfer tool. The Cl0p ransomware group did not need to breach each organisation individually: it compromised one widely deployed product and inherited access to every organisation that ran it. SolarWinds, 3CX, Kaseya, Codecov: supply chain attacks are among the most efficient data exfiltration vectors in modern cybercrime.

MOVEit supply chain attack: 2,600+ organisations compromised through a single product.

Anatomy of a Supply Chain Exfiltration Attack

Supply chain attacks exploit the trust relationship between organisations and their software vendors. Rather than attacking the target directly, the attacker compromises a product or service that the target already trusts, has already allow-listed, and has already granted network access. The malicious code runs with the same privileges as the legitimate software, communicates through the same network channels, and is invisible to security tools that have been tuned to trust that software. Detection therefore has to key on what the software does (where it connects, how much it sends) rather than on who signed it. This is why supply chain attacks are so devastating: they weaponise the very trust model that security architectures depend on.

SolarWinds Sunburst: The Template for Supply Chain Espionage

In December 2020, FireEye disclosed that attackers had compromised SolarWinds' Orion build system, injecting a backdoor (Sunburst) into software updates distributed to approximately 18,000 organisations, including the US Treasury, Commerce Department, and Homeland Security. The attackers, attributed to Russia's SVR intelligence service, operated undetected for roughly 14 months. They selectively exfiltrated data from high-value targets while remaining dormant in thousands of others. The update was digitally signed by SolarWinds, passed all integrity checks, and was actively recommended for installation. Victims were compromised by following their vendor's own security guidance. The lesson for practitioners is that a valid signature proves only that the vendor's build pipeline produced the binary, not that the pipeline itself was clean; build-system integrity is a separate control from code signing.

MOVEit: Mass Exploitation of a Zero-Day, Not a Backdoored Update

The Cl0p group's MOVEit campaign differed from SolarWinds-style attacks in a critical way: rather than injecting malicious code into a vendor's update, Cl0p exploited a zero-day in the deployed product itself. CVE-2023-34362, an SQL injection flaw in the MOVEit Transfer web front end, let the attackers install a small web shell (LEMURLOOT, dropped as human2.aspx) on the MOVEit server and use it to enumerate and pull files and database contents at scale. Nothing was pushed to customer endpoints, and no tampered update ever existed for vendor or customers to notice. Victims included the BBC, British Airways and Boots (via their payroll provider Zellis), Ernst & Young, the US Department of Energy, and hundreds of government agencies. Because the only artefact was a web shell on the MOVEit server, many organisations had few forensic indicators of compromise beyond the MOVEit application and web server logs. By the time Progress disclosed the vulnerability on 31 May 2023, the data was already gone.

3CX: Cascading Supply Chain Compromise

The 3CX attack of March 2023 demonstrated a new pattern: a supply chain attack caused by another supply chain attack. Attackers first compromised Trading Technologies' X_TRADER software, then used a 3CX employee's infected machine to infiltrate 3CX, a VoIP provider with 600,000 business customers. The trojanised 3CX desktop application was distributed to an estimated 12 million users. Attributed to North Korea's Lazarus Group, this cascading compromise showed that supply chain attacks can chain through multiple vendors, making root cause analysis extraordinarily difficult and sharply expanding the blast radius.

Defending Against Supply Chain Exfiltration

Traditional perimeter security is ineffective against supply chain attacks because the malicious activity originates from trusted software within the network. A defence-in-depth approach requires controls at multiple layers:

  • Anti Data Exfiltration (ADX): BlackFog monitors and blocks data leaving devices to unauthorised destinations — even when the exfiltration is performed by otherwise trusted software
  • Vendor risk assessment: continuous monitoring of your supply chain's security posture using tools like Panorays, not one-time questionnaires
  • Network segmentation: limit the blast radius by ensuring that compromised software in one segment cannot access data in others
  • Zero-trust architecture: verify every access request regardless of whether it originates from trusted software or infrastructure
  • Software bill of materials (SBOM): maintain an inventory of all software components and their dependencies to rapidly assess exposure when a supply chain vulnerability is disclosed
  • Egress monitoring: monitor and restrict outbound connections, even from trusted applications, to detect anomalous data transfers
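To make the SBOM bullet concrete, here is an added example (written for this article, not BlackFog or Kyanite Blue tooling) that takes a CycloneDX-style SBOM and an advisory for a component version range and reports which deployable products in the inventory carry the affected component. The SBOM contents, the component names (transferlib, ftp-gateway, reporting) and the advisory range are all constructed for illustration; no real CVE is referenced.

```python
import json

# Constructed CycloneDX-style SBOM (illustrative inventory, not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "app-ftp-gateway", "type": "application", "name": "ftp-gateway",
     "version": "3.1.0", "purl": "pkg:generic/example/ftp-gateway@3.1.0"},
    {"bom-ref": "app-reporting", "type": "application", "name": "reporting",
     "version": "1.2.0", "purl": "pkg:generic/example/reporting@1.2.0"},
    {"bom-ref": "lib-transferlib-2.4.7", "type": "library", "name": "transferlib",
     "version": "2.4.7", "purl": "pkg:nuget/transferlib@2.4.7"},
    {"bom-ref": "lib-transferlib-2.5.2", "type": "library", "name": "transferlib",
     "version": "2.5.2", "purl": "pkg:nuget/transferlib@2.5.2"},
    {"bom-ref": "lib-log4net", "type": "library", "name": "log4net",
     "version": "2.0.15", "purl": "pkg:nuget/log4net@2.0.15"}
  ],
  "dependencies": [
    {"ref": "app-ftp-gateway", "dependsOn": ["lib-transferlib-2.4.7", "lib-log4net"]},
    {"ref": "app-reporting", "dependsOn": ["lib-transferlib-2.5.2"]}
  ]
}
"""

# Hypothetical advisory (not a real CVE): transferlib >= 2.0.0 and < 2.5.0 is affected.
ADVISORY = {"purl_type": "nuget", "name": "transferlib",
            "introduced": "2.0.0", "fixed": "2.5.0"}


def parse_version(v):
    """Dotted numeric version to a comparable tuple. Non-numeric segments count as 0
    (a simplification for the example; real ecosystems need ecosystem-aware rules)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_parts(purl):
    """Split pkg:type/namespace/name@version into (type, name, version)."""
    if not purl.startswith("pkg:"):
        return ("", "", "")
    body = purl[len("pkg:"):]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name_path, version = rest.rsplit("@", 1)
    else:
        name_path, version = rest, ""
    return (ptype, name_path.rsplit("/", 1)[-1], version)


def exposure_report(sbom_json, advisory):
    """Return {affected purl: [top-level products that depend on it]}."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    # Reverse dependency map: child ref -> set of parent refs.
    parents = {}
    for dep in sbom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    report = {}
    for ref, comp in comps.items():
        ptype, name, version = purl_parts(comp.get("purl", ""))
        if ptype != advisory["purl_type"] or name != advisory["name"]:
            continue
        if not (lo <= parse_version(version) < hi):
            continue
        # Walk upward to the roots: the deployable products that actually carry this component.
        roots, stack, seen = set(), [ref], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            ups = parents.get(cur, set())
            if not ups:
                roots.add(comps[cur]["name"])
            stack.extend(ups)
        report[comp["purl"]] = sorted(roots)
    return report


if __name__ == "__main__":
    print(exposure_report(SBOM_JSON, ADVISORY))
```

The output names the product (ftp-gateway), not just the library, which is what an incident lead needs on disclosure day: the 2.5.2 copy pulled in by the reporting service is outside the affected range and is correctly left out. The version comparison is deliberately simple; for real NuGet, npm or Maven ecosystems use the ecosystem's own ordering rules.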
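The egress monitoring bullet is the one most directly aimed at the Sunburst and MOVEit pattern, where trusted software does the exfiltration. The following is an added example written for this article (not BlackFog or Kyanite Blue code) of the two checks that matter most: a trusted application contacting a destination outside its documented endpoint list, and cumulative outbound volume to a single unknown destination crossing a threshold. The per-application allow-list, the hostnames, the process names and the log lines are all constructed for illustration.

```python
from collections import defaultdict

# Assumed: each trusted application has a documented set of hosts it legitimately
# contacts (update, licensing, storage). Constructed for the example.
EGRESS_ALLOWLIST = {
    "monitor-agent.exe": {"updates.vendor-a.example", "license.vendor-a.example"},
    "filetransfer.exe": {"storage.vendor-b.example"},
}
BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB to one unknown destination in the window

# Constructed egress log: timestamp process dst_host dst_port bytes_out
SAMPLE_LOG = """\
2024-01-15T02:00:01Z monitor-agent.exe updates.vendor-a.example 443 2048
2024-01-15T02:00:09Z monitor-agent.exe license.vendor-a.example 443 1024
2024-01-15T02:03:14Z monitor-agent.exe cdn-cache.example.net 443 8192
2024-01-15T02:05:22Z filetransfer.exe storage.vendor-b.example 443 40000000
2024-01-15T02:07:40Z filetransfer.exe 198.51.100.23 443 30000000
2024-01-15T02:09:02Z filetransfer.exe 198.51.100.23 443 30000000
"""


def analyse_egress(log_text, allowlist=EGRESS_ALLOWLIST, threshold=BYTES_THRESHOLD):
    """Return a list of alerts, each a dict with kind, process, dst, bytes and at.

    Policy is default-deny per process: any destination not on the application's
    allow-list is flagged once on first sight, and again if the cumulative bytes
    sent to it exceed the threshold. A process with no allow-list entry gets
    everything flagged, which is the safe failure mode for unknown software.
    """
    alerts = []
    seen = set()               # (process, dst) pairs already reported
    volume = defaultdict(int)  # cumulative bytes per (process, dst)
    over = set()               # pairs already reported for volume
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst, _port, nbytes = line.split()
        nbytes = int(nbytes)
        if dst in allowlist.get(proc, set()):
            continue  # documented vendor endpoint; nothing to flag
        key = (proc, dst)
        if key not in seen:
            seen.add(key)
            alerts.append({"kind": "unexpected_destination", "process": proc,
                           "dst": dst, "bytes": nbytes, "at": ts})
        volume[key] += nbytes
        if volume[key] > threshold and key not in over:
            over.add(key)
            alerts.append({"kind": "volume_threshold", "process": proc,
                           "dst": dst, "bytes": volume[key], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in analyse_egress(SAMPLE_LOG):
        print(a)
```

Two things to note in the design. The allow-list is keyed on the process, not on the destination, so a file transfer tool pushing 60 MB to an unlisted IP is flagged even though the same tool sending 40 MB to its vendor's storage host is not; a flat network-wide allow-list would miss that distinction. And the first-sight alert fires on a few kilobytes, because a beacon to a new domain is the earliest signal a backdoored update gives, long before any bulk transfer.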

Protect your organisation from supply chain data theft

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.