In December 2020, security firm FireEye discovered that SolarWinds — a company most people had never heard of — had been compromised by a threat actor who injected malicious code into a routine software update. That single update shipped to roughly 18,000 organizations, including the U.S. Treasury, the Department of Homeland Security, and Fortune 500 companies. Nobody saw it coming because nobody was looking at the supply chain. These supply chain attack examples aren't theoretical — they represent some of the most devastating breaches in modern history, and they're accelerating.

This post walks through seven real-world supply chain attacks, breaks down exactly how each one worked, and gives you practical steps to reduce your own exposure. If your organization relies on any third-party software, hardware, or managed service — and you do — this is required reading.

What Is a Supply Chain Attack?

A supply chain attack targets the weakest link in your vendor ecosystem instead of attacking you directly. The threat actor compromises a supplier, software provider, or service partner, then uses that trusted relationship to reach the real target — your organization.

Think of it this way: instead of breaking through your front door, the attacker poisons the food delivery you already ordered. You invited it in yourself.

These attacks are especially dangerous because they exploit trust. Your security team vetted the vendor. Your firewall rules allow the connection. Your employees expect the update. The Verizon 2023 Data Breach Investigations Report found that supply chain attacks accounted for 15% of all breaches in the past year — a 68% increase year over year.

7 Real Supply Chain Attack Examples That Shook the Industry

1. SolarWinds Orion (2020)

The SolarWinds attack remains the gold standard of supply chain compromises. A threat actor — attributed to Russia's SVR intelligence service — gained access to SolarWinds' build environment and inserted a backdoor called SUNBURST into the Orion IT monitoring platform. The trojanized update was digitally signed and distributed through normal channels.

Roughly 18,000 organizations installed the compromised update. The attackers then selectively targeted around 100 organizations for deeper exploitation, including multiple U.S. government agencies. The attack went undetected for at least nine months.

The key lesson: digital signatures don't guarantee integrity if the build pipeline itself is compromised.

2. Kaseya VSA Ransomware Attack (2021)

In July 2021, the REvil ransomware gang exploited a zero-day vulnerability in Kaseya's VSA remote management software. Because managed service providers (MSPs) used Kaseya to manage their clients' systems, the attack cascaded downstream to an estimated 1,500 businesses worldwide.

Swedish grocery chain Coop had to close nearly 800 stores because its point-of-sale systems were encrypted. The attackers initially demanded $70 million in Bitcoin for a universal decryptor.

This attack showed that compromising a single MSP tool can give a threat actor access to thousands of endpoints simultaneously.

3. NotPetya via M.E.Doc (2017)

NotPetya is arguably the most destructive cyberattack in history, causing an estimated $10 billion in damages globally. It started with a compromised update to M.E.Doc, a Ukrainian tax accounting software used by virtually every company doing business in Ukraine.

The malware spread laterally using the EternalBlue exploit and credential theft techniques. Shipping giant Maersk lost nearly its entire IT infrastructure. Pharmaceutical company Merck reported $870 million in losses. FedEx subsidiary TNT Express took months to recover.

NotPetya proved that a supply chain attack targeting a small, regional software vendor can trigger global catastrophe.

4. Codecov Bash Uploader (2021)

In January 2021, attackers modified Codecov's Bash Uploader script — a tool used by developers to submit code coverage reports. The modified script exfiltrated environment variables, including credentials, API tokens, and keys from CI/CD pipelines.

The breach went undetected for two months. Codecov had roughly 29,000 customers at the time, including major enterprises like Twilio, HashiCorp, and others who later disclosed secondary compromises.

This attack specifically targeted the software development pipeline — making it a supply chain attack against supply chains themselves.

5. Target Breach via HVAC Vendor (2013)

The Target breach is one of the earliest and most instructive supply chain attack examples. Attackers compromised Fazio Mechanical Services, a small HVAC contractor that had network access to Target's systems for electronic billing and project management.

Using stolen credentials from Fazio, the attackers pivoted into Target's network, eventually installing malware on point-of-sale systems across 1,800 stores. Approximately 40 million credit and debit card numbers were stolen, along with personal information for 70 million customers. Target's total costs exceeded $200 million.

The lesson is still relevant a decade later: your security is only as strong as your least-secure vendor's credentials.

6. ASUS Live Update (Operation ShadowHammer, 2019)

Kaspersky researchers discovered that ASUS's official Live Update utility had been trojanized between June and November 2018. The malicious update was signed with legitimate ASUS certificates and pushed to approximately one million users.

The clever twist: the malware only activated on machines with specific MAC addresses — roughly 600 targets. This made the attack incredibly difficult to detect because the vast majority of infected machines showed no malicious behavior.

Operation ShadowHammer demonstrated that even hardware manufacturers' update mechanisms can be weaponized for highly targeted espionage.

7. 3CX Desktop App Compromise (2023)

In March 2023, 3CX — a VoIP software provider with over 600,000 customers — disclosed that its desktop application had been trojanized. Researchers traced the compromise back to a North Korean threat actor. The attack was particularly notable because it was a cascading supply chain attack: the 3CX breach itself originated from a compromised installer for X_Trader, a trading software platform.

This was a supply chain attack that started with another supply chain attack — a chilling escalation in complexity that CISA flagged as a significant emerging threat pattern.

Why Supply Chain Attacks Are Accelerating in 2023

Three forces are converging to make supply chain attacks more common and more damaging.

Software complexity is exploding. The average enterprise application relies on hundreds of open-source libraries and third-party components. Each one is an entry point. The Log4Shell vulnerability in late 2021 showed how a single flaw in an obscure logging library could expose millions of systems.

Attackers are getting better ROI. Why spend months targeting one organization when you can compromise a single vendor and reach thousands? Threat actors have done the math, and the economics favor supply chain attacks overwhelmingly.

Visibility gaps persist. Most organizations still don't maintain a complete software bill of materials (SBOM). You can't defend what you can't see. Executive Order 14028, signed in May 2021, pushed federal agencies toward requiring SBOMs from vendors, but adoption in the private sector remains slow.

How Do Supply Chain Attacks Actually Work?

Supply chain attacks typically follow one of four patterns:

  • Compromised software updates: The attacker injects malicious code into a legitimate update (SolarWinds, ASUS, 3CX).
  • Stolen vendor credentials: The attacker uses a third party's access to pivot into the target environment (Target).
  • Trojanized development tools: The attacker poisons tools used in the build or deployment pipeline (Codecov).
  • Exploited vendor software vulnerabilities: The attacker finds a zero-day in a widely deployed vendor product (Kaseya).

In every case, the common thread is trust. The malicious payload arrives through a channel the target organization has already approved.

The $4.45M Question: How Do You Defend Against This?

IBM's 2022 Cost of a Data Breach Report pegged the average breach cost at $4.35 million. That number climbed to $4.45 million in early 2023 reports. Supply chain breaches tend to cost significantly more because they take longer to detect and affect more systems. Here's what actually works.

Adopt Zero Trust Architecture

Zero trust means no implicit trust — not for users, not for devices, and not for vendor software. Every connection, update, and API call should be verified. The NIST Zero Trust Architecture framework (SP 800-207) provides a solid starting point.

In practice, this means segmenting vendor access, implementing multi-factor authentication for all privileged accounts, and monitoring lateral movement obsessively.

Require Software Bills of Materials

You need to know what's inside the software you deploy. An SBOM lists every component, library, and dependency. When the next Log4Shell hits, you'll know in hours — not weeks — whether you're exposed.

Start requiring SBOMs from your top 20 vendors. It's a reasonable ask, and the vendors who resist that transparency are the ones you should worry about most.
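Here is what "you'll know in hours" looks like in practice, as an added example that is not part of the original post or any vendor's tooling. It walks a constructed CycloneDX-style SBOM (including nested, transitive components) and reports every component whose version falls inside an advisory's affected range. The SBOM contents, the advisory id (a placeholder) and the affected range are all assumptions made for illustration; the version comparison drops pre-release tags, which is a simplification a production tool would not make.

```python
import json
import re

# Constructed CycloneDX-style SBOM for the example; the components and versions are
# invented and do not describe any real vendor's product. CycloneDX allows a component
# to carry nested "components", which is how transitive dependencies appear here.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "billing-client", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.3"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    ],
})

# Constructed advisory record. The id is a placeholder and the affected range is an
# assumption for illustration, not a statement about the real Log4Shell advisory.
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]

_DIGITS = re.compile(r"\d+")


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1, 0). Pre-release tags after '-' are dropped
    (an assumption that keeps the example short; real matching needs ecosystem rules)."""
    nums = [int(x) for x in _DIGITS.findall(version.split("-")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])


def iter_components(components):
    """Walk top-level and nested components depth-first."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_exposed(sbom_json, advisories):
    """Return (advisory_id, group:name, version) for every component in an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        for adv in advisories:
            if comp.get("group") != adv["group"] or comp.get("name") != adv["name"]:
                continue
            version = parse_version(comp.get("version", "0"))
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append((adv["id"], f'{comp["group"]}:{comp["name"]}', comp["version"]))
    return hits


if __name__ == "__main__":
    for adv_id, component, version in find_exposed(SAMPLE_SBOM, ADVISORIES):
        print(f"{adv_id}: {component} {version} is in the affected range")
```

Run against the sample, the script flags the top-level 2.14.1 copy and the 2.3 copy buried inside the billing client, and ignores the patched 2.17.1 copy and the unrelated API artifact. The nested hit is the point: a flat list of direct dependencies would have missed it, which is why the SBOM you ask vendors for should include transitive components.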

Vet Your Vendors Like You Vet Your Employees

Most organizations run background checks on new hires but give third-party vendors a questionnaire and call it due diligence. That's not enough. You should be reviewing vendors' security practices, incident history, and access requirements on a recurring basis — not just at onboarding.

Ask hard questions: How do they secure their build environment? Do they use code signing with hardware security modules? What's their incident response plan?

Monitor for Anomalous Behavior

The SolarWinds attack went undetected for nine months. The Codecov breach ran for two months. Detection speed is everything. Deploy endpoint detection and response (EDR) tools that can flag unusual behavior even from trusted software.

Behavioral analytics beat signature-based detection every time when it comes to supply chain compromises. The malware is signed, approved, and expected — only its behavior betrays it.
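The following added example (not code from the original post or from any EDR product) shows the kind of baseline-and-deviation logic behind that statement. It learns what a signed vendor agent normally does during a known-good window, then flags the first outbound destination and the first child process that the baseline never showed. The telemetry lines, host name, process name and domains are all constructed for the example; the field layout is an assumption, not any product's log format.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not real logs). Every event comes from the same
# signed, vendor-supplied agent: the signature is not the signal, the behaviour is.
# The baseline window is a known-good period used to learn what the agent normally does.
BASELINE_LOGS = """\
2023-03-01T10:00:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=updates.vendor.example bytes=1204
2023-03-01T10:05:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=telemetry.vendor.example bytes=880
2023-03-01T10:06:00Z host=srv01 proc=monitor-agent.exe signed=yes event=proc child=conhost.exe
2023-03-01T11:00:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=updates.vendor.example bytes=1198
"""

LIVE_LOGS = """\
2023-03-02T02:13:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=updates.vendor.example bytes=1100
2023-03-02T02:14:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=cdn-3f9a.example.net bytes=4096
2023-03-02T02:15:00Z host=srv01 proc=monitor-agent.exe signed=yes event=proc child=powershell.exe
2023-03-02T02:16:00Z host=srv01 proc=monitor-agent.exe signed=yes event=net dest=telemetry.vendor.example bytes=900
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.+)$")


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict; returns None for blank or garbled lines."""
    match = _LINE.match(line.strip())
    if not match:
        return None
    event = {"ts": match.group("ts")}
    for token in match.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def build_baseline(log_text):
    """Learn, per (host, process), the destinations contacted and child processes spawned."""
    baseline = defaultdict(lambda: {"dests": set(), "children": set()})
    for event in filter(None, map(parse_line, log_text.splitlines())):
        profile = baseline[(event["host"], event["proc"])]
        if event.get("event") == "net":
            profile["dests"].add(event["dest"])
        elif event.get("event") == "proc":
            profile["children"].add(event["child"])
    return baseline


def detect(baseline, log_text):
    """Flag a profiled process the first time it does something its baseline never showed."""
    alerts = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        profile = baseline.get((event["host"], event["proc"]))
        if profile is None:
            continue  # unprofiled process: belongs to a separate "new process" rule
        if event.get("event") == "net" and event["dest"] not in profile["dests"]:
            alerts.append({"ts": event["ts"], "rule": "new-destination",
                           "proc": event["proc"], "detail": event["dest"]})
        elif event.get("event") == "proc" and event["child"] not in profile["children"]:
            alerts.append({"ts": event["ts"], "rule": "new-child-process",
                           "proc": event["proc"], "detail": event["child"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOGS), LIVE_LOGS):
        print(f'{alert["ts"]} {alert["rule"]}: {alert["proc"]} -> {alert["detail"]}')
```

On the sample data the two routine connections to vendor domains pass silently, while the previously unseen destination and the unexpected child process each raise an alert. A signature check would have approved all four events equally; a short learned baseline is enough to separate them. In a real deployment the baseline window should be long enough to cover legitimate update cycles, or every scheduled update would trip the rule.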

Train Your People to Recognize Social Engineering

Supply chain attacks don't always start with code. Sometimes they start with a phishing email to a vendor employee, or a social engineering call that harvests credentials. The human element remains the most exploitable layer.

I've seen organizations invest millions in perimeter security while ignoring basic cybersecurity awareness training for their own staff and their vendors' staff. That's a gap attackers exploit daily.

Phishing simulations are one of the most effective ways to build resistance. If your team hasn't run one recently, phishing awareness training for organizations is a practical place to start.

What Should You Do Right Now?

You don't need a six-month project to start reducing supply chain risk. Here are five actions you can take this week:

  • Inventory your third-party software and vendor connections. You can't protect what you haven't mapped.
  • Enable multi-factor authentication on every account with vendor access. Credential theft is the entry point in a significant percentage of supply chain attacks.
  • Review and restrict vendor network access. Apply least privilege. If your HVAC vendor doesn't need access to your POS network, cut it.
  • Run a phishing simulation. Test your employees' ability to spot social engineering attempts that could compromise your own supply chain.
  • Subscribe to CISA alerts. The Cybersecurity and Infrastructure Security Agency publishes timely advisories when major supply chain compromises are discovered.

Supply Chain Security Is Everyone's Problem

These supply chain attack examples share a common truth: the targeted organizations did nothing wrong in the traditional sense. They used reputable vendors. They installed signed updates. They followed standard practices. And they still got breached.

That's what makes supply chain attacks fundamentally different from other threats. You can't firewall your way out of this. You need visibility into your vendor ecosystem, behavioral monitoring that catches trusted software acting untrusted, and a security culture that extends beyond your own walls.

The threat actors behind SolarWinds, NotPetya, and 3CX aren't slowing down. They're studying your vendors right now, looking for the one with the weakest build pipeline, the one employee who'll click a phishing link, the one update mechanism that skips integrity checks.

Your move.