In December 2020, security firm FireEye disclosed that threat actors had compromised SolarWinds' Orion software platform — and with it, roughly 18,000 organizations that installed a poisoned update. Government agencies, Fortune 500 companies, and critical infrastructure operators all got hit through a single trusted vendor. That's the terrifying math of a supply chain attack: compromise one, breach thousands.
This post breaks down the most consequential supply chain attack examples from recent years, explains exactly how each one worked, and gives you a concrete defense playbook. If your organization relies on third-party software, managed services, or open-source libraries — and it does — this is required reading.
What Is a Supply Chain Attack?
A supply chain attack targets the trusted relationships between organizations and their vendors, suppliers, or software providers. Instead of attacking you directly, the threat actor compromises a product or service you already trust. When you install the update, import the library, or connect the integration, you invite the attacker inside your perimeter.
The Verizon 2024 Data Breach Investigations Report found that supply chain interconnections were a factor in 15% of breaches — a 68% increase over the prior year. That trajectory hasn't slowed. The attack surface keeps expanding as organizations adopt more SaaS tools, open-source dependencies, and cloud-managed services.
SolarWinds: The Supply Chain Attack That Woke Up the World
No list of supply chain attack examples is complete without SolarWinds. Russian intelligence operatives (tracked as APT29/Cozy Bear) injected malicious code into the build process for SolarWinds' Orion platform. The poisoned update, dubbed SUNBURST, was digitally signed and distributed through SolarWinds' legitimate update servers between March and June 2020.
Once installed, SUNBURST established a backdoor that communicated with attacker-controlled servers using DNS traffic designed to blend in with normal Orion telemetry. The attackers then moved laterally, targeting email systems and identity infrastructure.
Who Got Hit
The U.S. Treasury Department, Department of Homeland Security, Department of Commerce, and parts of the Pentagon all confirmed breaches. Private-sector victims included Microsoft, Intel, and Cisco. The full scope remains partially classified.
What Made It So Effective
- The malicious code was embedded in the software build pipeline — not just the final product.
- The update was digitally signed, so standard verification passed.
- The malware waited 12-14 days before activating, evading sandbox analysis.
- DNS-based command and control blended with legitimate network traffic.
CISA published Emergency Directive 21-01 ordering federal agencies to disconnect affected systems immediately. It was the clearest signal yet that software supply chain security had become a national security priority.
Kaseya VSA: Ransomware Through a Trusted Management Tool
On July 2, 2021, the REvil ransomware gang exploited vulnerabilities in Kaseya's VSA remote monitoring and management platform. Managed service providers (MSPs) use VSA to administer client networks. By compromising Kaseya, REvil gained access to the downstream customers of those MSPs.
The result: between 800 and 1,500 businesses worldwide were hit with ransomware in a single weekend. Swedish grocery chain Coop had to close 800 stores because its point-of-sale systems were encrypted. REvil initially demanded $70 million for a universal decryptor.
The MSP Multiplier Effect
This attack demonstrated the cascading risk of managed service providers. One compromised tool at one MSP doesn't just affect that MSP — it fans out to every client they manage. If your organization uses an MSP, their security posture is your security posture.
3CX: When Your Business Phone System Is the Weapon
In March 2023, security researchers discovered that 3CX's desktop client — used by over 600,000 organizations — had been trojanized. The compromised installer was digitally signed by 3CX and distributed through its official update channels.
The investigation revealed something even more unusual: the 3CX compromise was itself the result of a supply chain attack. An employee had installed a trojanized version of X_TRADER, a financial trading application made by Trading Technologies. North Korean threat actors (tracked as Lazarus Group) had compromised Trading Technologies first, then used that access to eventually reach 3CX's build environment.
A supply chain attack that caused a supply chain attack. That's the kind of chained risk that keeps security teams up at night.
NotPetya: $10 Billion in Damage Through a Tax Software Update
In June 2017, Russian military intelligence (GRU) compromised M.E.Doc, a Ukrainian accounting software platform used for tax reporting. A malicious update pushed the NotPetya wiper malware to M.E.Doc's users. NotPetya spread laterally using the EternalBlue exploit and credential harvesting.
Though it targeted Ukraine, NotPetya went global. Maersk lost 49,000 laptops and had to rebuild its entire network. FedEx subsidiary TNT Express took a $400 million hit. Pharmaceutical giant Merck reported $870 million in damages. Total estimated global cost: over $10 billion.
NotPetya remains one of the most destructive supply chain attack examples in history — and a stark reminder that geographic targeting means nothing when code is connected.
Codecov: Poisoning the CI/CD Pipeline
In January 2021, attackers modified Codecov's Bash Uploader script — a tool used by developers to submit code coverage reports during automated builds. The compromised script exfiltrated environment variables, which often contain API tokens, credentials, and keys for cloud services, source code repositories, and internal systems.
The breach went undetected for two months. Codecov reported that hundreds of customers were affected. Because environment variables in CI/CD pipelines often hold the keys to the kingdom, the blast radius extended far beyond Codecov itself. Companies like Twilio, HashiCorp, and Confluent disclosed that they were affected.
Why Developers Are Prime Targets
Threat actors increasingly target developer tools and build systems because they sit upstream of everything. Compromise the pipeline, and you compromise every artifact it produces. This is why software bill of materials (SBOM) requirements — pushed by NIST's response to Executive Order 14028 — have become critical for supply chain security.
How Do You Defend Against Supply Chain Attacks?
There's no single control that stops supply chain attacks. But layered defenses significantly reduce your exposure. Here's what actually works.
Adopt Zero Trust Architecture
Zero trust assumes that no user, device, or application is inherently trusted — even if it's inside your network, even if it came from a vendor you've used for years. Implement least-privilege access, micro-segmentation, and continuous verification. If SolarWinds taught us anything, it's that "trusted" software can be weaponized.
Require Multi-Factor Authentication Everywhere
Credential theft is the starting point for most lateral movement after a supply chain compromise. Multi-factor authentication blocks the majority of credential-based attacks. Enforce it for every user, every admin console, and every API integration. No exceptions.
Vet Your Vendors Like You Vet Your Employees
- Require vendors to demonstrate SOC 2 Type II compliance or equivalent.
- Contractually mandate breach notification timelines.
- Review vendor access quarterly — remove integrations you no longer use.
- Ask vendors about their software development lifecycle security controls.
Monitor for Anomalies, Not Just Signatures
SUNBURST evaded signature-based detection for months. Behavioral monitoring — unusual DNS patterns, unexpected outbound connections, abnormal process execution — catches what signatures miss. Invest in endpoint detection and response (EDR) and network detection and response (NDR) tools that use behavioral analytics.
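As an added example (not code from the original post), here is a small Python heuristic for the DNS pattern described above: it flags parent domains that receive many distinct, long, high-entropy leftmost labels, the shape that data-carrying DNS beacons tend to have. The query log, domain names and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client IP, queried name). Not a real capture.
# The first entries mimic ordinary telemetry; the last four mimic a beacon that
# hides encoded data in long, high-entropy leftmost labels under a single parent.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "updates.vendor-example.net"),
    ("10.0.0.7", "updates.vendor-example.net"),
    ("10.0.0.9", "k3pr7vb02qx9lm4hsz1c.api.cloud-example.net"),
    ("10.0.0.9", "9dtx4qwe1ns8ab7lk2jh.api.cloud-example.net"),
    ("10.0.0.9", "b5mz0cyr8ve3fn1qk6td.api.cloud-example.net"),
    ("10.0.0.9", "w2hj6nsd4ux0pl9cr7fb.api.cloud-example.net"),
]

def shannon_entropy(label):
    # Bits of entropy per character; random-looking labels score high.
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(name):
    # Last two labels. Real tooling should consult the public suffix list instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def flag_suspicious_parents(queries, min_unique=3, min_entropy=3.5, min_len=16):
    # Returns {parent: [labels]} for parents that receive several distinct, long,
    # high-entropy leftmost labels. Thresholds are illustrative; tune on your baseline.
    per_parent = defaultdict(set)
    for _client, name in queries:
        per_parent[parent_domain(name)].add(name.lower().rstrip("."))
    flagged = {}
    for parent, names in per_parent.items():
        first_labels = {n.split(".")[0] for n in names}
        odd = [l for l in first_labels
               if len(l) >= min_len and shannon_entropy(l) >= min_entropy]
        if len(odd) >= min_unique:
            flagged[parent] = sorted(odd)
    return flagged

if __name__ == "__main__":
    for parent, labels in flag_suspicious_parents(SAMPLE_QUERIES).items():
        print(f"{parent}: {len(labels)} distinct high-entropy labels, e.g. {labels[0]}")
```

In production, feed this from your resolver or NDR logs over a sliding window and alert on parents that newly cross the thresholds rather than on a single pass.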
Implement Software Bill of Materials (SBOM)
You can't defend what you can't see. Maintain a current inventory of every software component, library, and dependency in your environment. When the next Log4Shell or XZ Utils vulnerability drops, you need to know within hours — not weeks — whether you're affected.
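As an added example (not from the original post or any SBOM tool), here is a Python check that answers the "are we affected?" question from an inventory: it parses a CycloneDX-style component list and reports components that fall inside an advisory's version range. The SBOM fragment, the advisory record and its version interval are constructed for illustration; the real interval always comes from the vendor advisory.

```python
import json
# Constructed CycloneDX-style SBOM fragment for illustration; not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
    ],
})

# Constructed advisory record: affected coordinates plus a half-open version
# interval [introduced, fixed). Take the real values from the vendor advisory.
SAMPLE_ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
                   "introduced": "2.0", "fixed": "2.15.0"}

def parse_version(v):
    # Leading digits of each dotted part, so "2.0-beta9" -> (2, 0); pre-release
    # tags are dropped, a deliberate simplification.
    parts = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def compare_versions(a, b):
    # -1, 0 or 1; missing trailing parts count as zero, so "2.15" == "2.15.0".
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

def find_affected(sbom_json, advisory):
    # (group, name, version) of every SBOM component inside the advisory range.
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("group") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        ver = comp.get("version", "")
        if (compare_versions(ver, advisory["introduced"]) >= 0
                and compare_versions(ver, advisory["fixed"]) < 0):
            hits.append((comp["group"], comp["name"], ver))
    return hits
```

Run it against every SBOM you hold, not just the one for the product named in the advisory, because the same library is usually bundled by several vendors.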
Train Your People on Social Engineering
Many supply chain attacks begin with a phishing email or social engineering attack against a vendor employee. Your organization's security awareness training shouldn't stop at your own employees. Encourage your vendors to invest in training, and make sure your own team understands how phishing simulations and awareness training reduce the risk of credential theft that enables these attacks.
Building a culture of security awareness starts with consistent, practical education. Our cybersecurity awareness training program covers the social engineering tactics that threat actors use to initiate supply chain compromises — from spear phishing to pretexting to business email compromise.
The $4.88M Question: Can You Afford to Ignore This?
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Supply chain breaches tend to be worse because they're harder to detect and the attacker often has persistent, trusted access.
The FBI's Internet Crime Complaint Center (IC3) continues to warn that sophisticated threat actors — nation-state groups and ransomware gangs alike — are prioritizing supply chain targets because the return on investment is exponential. One compromise. Thousands of victims.
A Quick-Reference Checklist for Supply Chain Risk
- Inventory all third-party software and services — including open-source libraries and SaaS integrations.
- Enforce MFA on every account, especially service accounts and admin panels.
- Segment your network so a compromised vendor integration can't reach crown-jewel assets.
- Monitor vendor update channels for unusual activity or unexpected releases.
- Verify software integrity using checksums and signatures — but remember that signatures can be compromised (see SolarWinds).
- Run tabletop exercises that include a supply chain compromise scenario.
- Require SBOMs from software vendors before onboarding.
- Review and prune vendor access quarterly.
These Supply Chain Attack Examples Are Just the Beginning
The examples in this post — SolarWinds, Kaseya, 3CX, NotPetya, Codecov — represent the attacks we know about. Many supply chain compromises go undetected or unreported. The XZ Utils backdoor discovered in 2024 was planted over two years by a contributor who patiently gained trust in an open-source project. That's the level of patience and sophistication we're dealing with.
Your defense has to match that sophistication. Zero trust architecture, rigorous vendor management, behavioral monitoring, software supply chain transparency, and continuous security awareness training aren't optional anymore. They're the baseline.
Start building that baseline today. Evaluate your vendor relationships, audit your software dependencies, and get your team trained on the social engineering tactics that kick off most of these attacks. The next major supply chain attack isn't a question of if — it's a question of when, and whether you'll be ready.