The Supply Chain Attack Timeline
The modern era of supply chain attacks begins with SolarWinds in December 2020. Russian-linked attackers compromised the build pipeline for SolarWinds Orion, injecting the SUNBURST backdoor into a routine software update. Over 18,000 organisations installed the compromised update, including multiple US government agencies. In March 2023, the 3CX desktop client — used by over 600,000 organisations — was compromised through an earlier supply chain attack on a trading software vendor, creating an unprecedented chain of supply chain attacks. In May 2023, the Cl0p ransomware group exploited a zero-day in MOVEit Transfer, exfiltrating data from over 2,600 organisations including the BBC, British Airways, and Boots. In March 2024, a Microsoft engineer discovered a sophisticated backdoor in xz-utils, a compression library embedded in virtually every Linux distribution — inserted by an attacker who had spent over two years patiently gaining maintainer trust.
Why Supply Chain Attacks Are So Effective
Supply chain attacks exploit the most fundamental assumption in security: that your trusted software is trustworthy. Organisations invest heavily in protecting their own infrastructure but implicitly trust the software they install and the vendors they connect to. When attackers compromise the supply chain, they bypass every perimeter control because the malicious payload arrives through a legitimate, expected channel. A software update from a trusted vendor passes through firewalls, is approved by change management, and is installed by IT teams following best practice. The attack surface is not the victim's infrastructure — it is the entire ecosystem of vendors, open-source libraries, and third-party services that the organisation depends on. ENISA's 2025 Threat Landscape report found that 62% of supply chain attacks exploited the trust relationship between the victim and their supplier.
- SolarWinds (2020): 18,000 organisations via compromised software update
- 3CX (2023): supply chain attack caused by an earlier supply chain attack
- MOVEit (2023): 2,600+ organisations via zero-day in file transfer tool
- xz-utils (2024): backdoor planted by attacker who spent 2 years gaining trust
- Common thread: exploitation of trusted software distribution channels
The Open-Source Dimension
The xz-utils incident exposed a systemic vulnerability in the software supply chain. Critical infrastructure — including the Linux kernel, OpenSSL, and thousands of foundational libraries — is maintained by small teams or even individual developers, often as unpaid volunteers. The xz-utils backdoor was planted by an attacker who spent over two years contributing legitimate patches to earn maintainer status, then inserted the backdoor once they had commit access. This was not a technical exploitation — it was social engineering at the infrastructure level. The Linux Foundation estimates that the average enterprise application contains 70-80% open-source code, making every organisation dependent on the security of projects they may never have heard of. Addressing this requires investment in open-source security foundations, software composition analysis, and build pipeline integrity verification.
Defending Against Supply Chain Attacks
No single control prevents supply chain attacks, but a layered approach significantly reduces risk. Third-party risk management platforms like Panorays provide continuous visibility into your supplier ecosystem, assessing their security posture and alerting you to changes. Software composition analysis tools identify every open-source dependency in your applications and track known vulnerabilities. Build pipeline security — including signed commits, reproducible builds, and provenance verification — makes it harder for attackers to inject malicious code. Anti data exfiltration technology like BlackFog ensures that even when a supply chain compromise grants attackers access to your network, they cannot extract data. And Zero Trust architecture reduces the blast radius by ensuring that compromised software cannot move laterally to access systems beyond its legitimate scope.
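As an added illustration of the build pipeline integrity verification mentioned above (this is example code, not from the article or any of the vendors it names), the script below checks every fetched build input against the version pin and SHA-256 digest recorded in a lockfile, and flags unpinned, missing, tampered and unexpected inputs. The lockfile layout, the package names and the artifact bytes are all constructed for the example.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" artifacts, as they were when the lockfile was written.
GOOD_ARTIFACTS = {
    "liblzma": b"liblzma-5.4.6 source tarball (constructed sample bytes)",
    "requests": b"requests-2.31.0 wheel (constructed sample bytes)",
}

# Constructed lockfile: each dependency carries a version pin and the digest of the
# exact bytes that were reviewed. "leftpad" is deliberately left unpinned.
LOCKFILE = {
    "liblzma": {"version": "5.4.6", "sha256": sha256(GOOD_ARTIFACTS["liblzma"])},
    "requests": {"version": "2.31.0", "sha256": sha256(GOOD_ARTIFACTS["requests"])},
    "leftpad": {"version": "*"},
}


def verify_build_inputs(lockfile: dict, fetched: dict) -> list:
    """Compare fetched artifacts with the lockfile. Returns a list of
    (name, finding) tuples; an empty list means every input is accounted for."""
    findings = []
    for name, entry in lockfile.items():
        if "sha256" not in entry or entry.get("version") == "*":
            findings.append((name, "unpinned: no digest to verify against"))
            continue
        if name not in fetched:
            findings.append((name, "missing: artifact not fetched"))
            continue
        actual = sha256(fetched[name])
        if actual != entry["sha256"]:
            findings.append((name, f"digest mismatch: expected {entry['sha256'][:12]}, got {actual[:12]}"))
    # Anything fetched that the lockfile never mentioned is also a finding.
    for name in fetched:
        if name not in lockfile:
            findings.append((name, "unexpected: artifact not in lockfile"))
    return findings


if __name__ == "__main__":
    # Simulate a modified download: same name and version, different bytes.
    tampered = dict(GOOD_ARTIFACTS, liblzma=b"liblzma-5.4.6 (constructed, altered bytes)")
    for name, finding in verify_build_inputs(LOCKFILE, tampered):
        print(f"{name}: {finding}")
```

A real pipeline would fail the build on any finding other than a deliberate, reviewed lockfile update.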
What Should UK Businesses Do Now?
Start with visibility. You cannot manage supply chain risk you cannot see. Conduct a thorough inventory of every software vendor, cloud service, open-source library, and third-party integration your organisation depends on. Deploy a third-party risk management platform to continuously monitor your critical suppliers. Implement software composition analysis in your development pipeline. Review your patching process — the MOVEit attack exploited a zero-day, but many supply chain attacks exploit known vulnerabilities in widely deployed software that simply was not patched in time. Finally, adopt the assumption that a supply chain compromise will eventually occur, and build your defences accordingly: network segmentation, least-privilege access, anti data exfiltration, and a tested incident response plan.
Frequently Asked Questions
What is a supply chain attack?
A supply chain attack compromises an organisation by targeting a less-secure element in their supply chain — typically a software vendor, open-source library, or third-party service provider. Instead of attacking the victim directly, attackers compromise the trusted supplier and use that access to reach the ultimate target.
How can I assess my supply chain risk?
Start with a comprehensive inventory of all software, services, and third-party integrations. Use a third-party risk management platform like Panorays to continuously assess supplier security postures. Implement software composition analysis to track open-source dependencies. And ensure contracts with critical suppliers include security requirements and audit rights.
Was the xz-utils backdoor actually deployed?
The xz-utils backdoor was detected before it reached stable Linux distributions, thanks to a Microsoft engineer who noticed unusual SSH performance behaviour. It was present in beta and rolling-release distributions but was caught before reaching production releases of major distributions like Ubuntu, Debian stable, and Red Hat Enterprise Linux.