The Attack That Hit 18,000 Organizations at Once
In December 2020, security firm FireEye disclosed that it had been breached — and that the attack vector traced back to a routine software update from SolarWinds, a trusted IT management vendor. Within days, the scope became staggering: up to 18,000 organizations, including U.S. federal agencies, had installed a trojanized update to SolarWinds Orion. It remains one of the most devastating supply chain attack examples in history.
I've spent the better part of this year working with organizations that are still untangling the implications. The SolarWinds incident didn't just expose a vulnerability in one product. It exposed a fundamental flaw in how we trust software vendors, update mechanisms, and the entire digital supply chain.
This post walks through the most significant supply chain attack examples from recent years, breaks down how each one worked, and gives you specific steps to harden your organization against the same tactics. If you manage IT infrastructure, lead a security team, or simply want to understand why these attacks keep succeeding, this is for you.
What Exactly Is a Supply Chain Attack?
A supply chain attack occurs when a threat actor compromises a trusted third-party vendor, supplier, or software provider to gain access to that vendor's customers. Instead of attacking your organization directly, the attacker poisons something you already trust — a software update, an open-source library, a managed service provider.
The reason these attacks are so effective is simple: they bypass your perimeter defenses entirely. Your firewall doesn't block a signed update from a vendor you've whitelisted. Your endpoint detection doesn't flag a legitimate tool that's been subtly modified. The trust relationship is the attack surface.
SolarWinds Orion: The Blueprint for Modern Supply Chain Attacks
The SolarWinds attack, attributed to a Russian state-sponsored threat actor known as APT29 (Cozy Bear), inserted malicious code into the build process for SolarWinds Orion. The compromised updates were digitally signed and distributed through SolarWinds' official channels between March and June 2020.
Once installed, the malware — dubbed SUNBURST — created a backdoor that communicated with attacker-controlled servers. The attackers were patient. They used the backdoor selectively, escalating access only in high-value targets like the U.S. Treasury Department, the Department of Homeland Security, and Microsoft.
Why SolarWinds Was a Wake-Up Call
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, ordering federal agencies to disconnect SolarWinds Orion products immediately. It was an unprecedented move. The attack demonstrated that even organizations with mature security programs were vulnerable because they inherently trusted their software vendors.
I've seen organizations that passed every compliance audit still get caught by this. Compliance doesn't protect you when the attack comes through a signed update from a vendor on your approved list.
Kaseya VSA: Ransomware at Scale Through a Single Vendor
On July 2, 2021, the REvil ransomware gang exploited vulnerabilities in Kaseya's VSA remote management software. VSA is used primarily by managed service providers (MSPs) — companies that handle IT for small and mid-sized businesses. By compromising Kaseya, the attackers gained access to the MSPs' customers downstream.
The result: an estimated 800 to 1,500 businesses were hit with ransomware simultaneously. REvil demanded $70 million for a universal decryptor. Grocery chain Coop Sweden had to close roughly 800 stores because their point-of-sale systems were locked.
The MSP Multiplier Effect
This is what makes supply chain attack examples involving MSPs so dangerous. One compromised tool at the MSP level cascades to every client that MSP serves. Your organization might have excellent internal security, but if your MSP's remote management tool is compromised, the attacker is already inside your network with administrative privileges.
The FBI and CISA issued a joint advisory on the Kaseya attack, urging MSPs and their customers to take immediate action. If your organization relies on an MSP, you need to understand exactly what tools they use, how those tools are secured, and what your contractual rights are when an incident occurs.
NotPetya: The $10 Billion Supply Chain Catastrophe
Before SolarWinds, there was NotPetya. In June 2017, a threat actor compromised the update mechanism of M.E.Doc, a Ukrainian tax accounting package used by virtually every company doing business in Ukraine. The malicious update delivered a wiper disguised as ransomware.
NotPetya spread globally within hours. Shipping giant Maersk lost access to nearly all of its 49,000 endpoints and estimated damages at $300 million. Pharmaceutical company Merck reported $870 million in losses. FedEx's TNT Express unit took a $400 million hit. Total global damages exceeded $10 billion, according to the White House.
NotPetya's Lasting Lesson
NotPetya proved that a supply chain attack targeting a single piece of regional software could cause global economic damage. It also demonstrated that wipers disguised as ransomware can be used as weapons of war — the attack was later attributed to Russia's GRU military intelligence agency.
If you think your organization isn't a target because you're "too small" or "not in a sensitive industry," NotPetya should change your mind. Maersk wasn't the target. Neither was Merck. They were collateral damage from an attack aimed at Ukraine.
Codecov: When Your CI/CD Pipeline Becomes the Weapon
In January 2021, attackers modified Codecov's Bash Uploader script, which customers run inside their build jobs to upload coverage data. The compromised script exfiltrated environment variables — including credentials, API tokens, and keys — from customers' continuous integration (CI/CD) environments. The breach went undetected for over two months.
Codecov is used by tens of thousands of organizations. Any secrets stored in CI/CD pipelines — database credentials, cloud API keys, signing certificates — were potentially exposed. This is credential theft at industrial scale, and it happened through a tool that most security teams barely monitored.
The Developer Toolchain Blind Spot
In my experience, developer tools are one of the most overlooked attack surfaces in most organizations. Security teams focus on endpoints, email, and network perimeter. Meanwhile, the CI/CD pipeline has access to production credentials and deploys code directly to live systems. A compromised build tool is essentially a skeleton key.
This is why cybersecurity awareness training for your entire organization — including developers — matters. Security isn't just an IT problem. Every team that touches code, infrastructure, or vendor tools needs to understand supply chain risks.
ASUS Live Update: 1 Million Laptops, One Poisoned Update
In 2019, researchers at Kaspersky discovered that ASUS's Live Update utility had been compromised. The attackers pushed a malicious update through ASUS's official servers, signed with legitimate ASUS certificates. An estimated one million ASUS laptops received the update.
The operation, dubbed ShadowHammer, was surgically targeted. Despite infecting a million machines, the malware only activated on approximately 600 specific devices, identified by their MAC addresses. This level of precision suggests a state-sponsored operation focused on specific individuals.
Event-Stream: The Open-Source Dependency Trap
In November 2018, a popular npm package called event-stream was found to contain malicious code targeting a specific Bitcoin wallet application called Copay. The attacker had gained maintainer access to the open-source package by volunteering to help the original developer, who had lost interest in maintaining it.
This is a supply chain attack example that highlights a systemic problem: open-source software forms the foundation of modern applications, but many critical packages are maintained by a single volunteer. The attacker exploited social trust, not a technical vulnerability.
Your Code Isn't Just Your Code
The average modern application has hundreds or thousands of dependencies. Each one is a link in your supply chain. If any single dependency is compromised, your application — and your customers — are at risk. The Verizon 2021 Data Breach Investigations Report noted that web application attacks remain one of the top patterns in data breaches, and compromised dependencies are an increasingly common vector. You can review the full report at Verizon's DBIR page.
How to Defend Against Supply Chain Attacks
Understanding supply chain attack examples is step one. Defending against them requires concrete changes to how your organization evaluates trust, monitors systems, and trains people.
Adopt a Zero Trust Architecture
Zero trust means you verify every access request regardless of where it comes from — even if it originates from a trusted vendor's software. Implement multi-factor authentication across all systems. Segment your network so that a compromised vendor tool can't move laterally to your most sensitive assets. NIST's Zero Trust Architecture publication (SP 800-207) provides a solid framework.
Audit Your Vendor and Dependency Inventory
You cannot defend what you don't know about. Build and maintain a complete inventory of every third-party tool, software package, and open-source dependency in your environment. For each one, ask: Who maintains it? How are updates delivered and verified? What access does it have to our systems?
Monitor for Anomalous Behavior Post-Update
SolarWinds SUNBURST communicated with external command-and-control servers. Codecov's script exfiltrated environment variables. In both cases, network monitoring could have detected unusual outbound traffic. Deploy behavioral monitoring that flags unexpected network connections, especially after software updates.
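As an added illustration (not from the original post), the following Python script applies that idea to a constructed connection log: it baselines the destinations each process contacted before its recorded update time and flags any destination first seen afterwards. The log format, the host and process names, and the update timestamps are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample outbound-connection log (not real traffic).
# Format assumed for the demo: <ISO timestamp> <host> <process> <dst ip:port>
CONN_LOG = """\
2020-03-20T10:00:00 srv01 orion.exe 10.0.0.5:443
2020-03-20T11:00:00 srv01 orion.exe 10.0.0.5:443
2020-03-21T09:30:00 srv01 orion.exe 10.0.0.7:161
2020-03-27T02:00:00 srv01 orion.exe 10.0.0.5:443
2020-03-27T02:05:00 srv01 orion.exe 203.0.113.44:443
2020-03-27T03:00:00 srv01 orion.exe 203.0.113.44:443
2020-03-27T04:00:00 srv01 backup.exe 10.0.0.9:445
"""

# Constructed update events: (host, process) -> time the update was applied.
# In practice this comes from your patch-management or software-inventory logs.
UPDATES = {("srv01", "orion.exe"): datetime(2020, 3, 26, 23, 0, 0)}


def parse_log(text):
    """Yield (timestamp, host, process, destination) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst = line.split()
        yield datetime.fromisoformat(ts), host, proc, dst


def find_new_destinations(log_text, updates):
    """For every updated (host, process), return the destinations it contacted
    only after the update, i.e. that never appeared in its pre-update baseline.
    A process with no pre-update history has every post-update destination flagged."""
    baseline = defaultdict(set)
    after = defaultdict(set)
    for ts, host, proc, dst in parse_log(log_text):
        key = (host, proc)
        if key not in updates:
            continue  # not updated: out of scope for this check
        bucket = after if ts >= updates[key] else baseline
        bucket[key].add(dst)
    return {key: sorted(dsts - baseline[key])
            for key, dsts in after.items() if dsts - baseline[key]}


if __name__ == "__main__":
    for (host, proc), dsts in find_new_destinations(CONN_LOG, UPDATES).items():
        print(f"ALERT {host} {proc}: new outbound destinations after update: {dsts}")
```

In a real deployment the baseline would be built from weeks of traffic and the destinations enriched with reputation data, but the core signal, "this process started talking to somewhere new right after it was updated", is what the check above surfaces.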
Invest in Security Awareness Across Every Team
Supply chain attacks exploit trust — trust in vendors, trust in updates, trust in colleagues who recommend tools. Your employees are part of the defense. Phishing remains the most common initial access vector for threat actors looking to compromise vendor environments. Training your team to recognize social engineering and phishing attempts reduces the chance that your organization becomes the weak link in someone else's supply chain.
If you're looking for a structured program, our phishing awareness training for organizations provides phishing simulation exercises that build real muscle memory for spotting credential theft attempts and social engineering tactics.
Require Software Bills of Materials (SBOMs)
An SBOM is a detailed list of all components in a piece of software — including open-source libraries. The May 2021 Executive Order on Improving the Nation's Cybersecurity directed federal agencies to require SBOMs from vendors. Even if you're not a federal agency, demanding SBOMs from your software vendors gives you visibility into what's actually running in your environment.
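An added example (not from the original post) of putting an SBOM to use for the inventory audit described above: it reads a minimal CycloneDX JSON document, constructed here for the demo, and reports components that cannot be identified, packages absent from your approved inventory, and versions nobody has reviewed. The approved-inventory format is an assumption.

```python
import json

# Constructed minimal CycloneDX 1.4 SBOM for the demo (not a real vendor document).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "vendor-agent", "version": "2.1.0"}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Constructed approved inventory (assumed format): package purl without version
# -> set of versions your team has actually reviewed.
APPROVED = {"pkg:npm/lodash": {"4.17.21"}, "pkg:npm/left-pad": {"1.2.0"}}


def load_components(sbom_text):
    """Return the component list of a CycloneDX JSON SBOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def audit_sbom(sbom_text, approved):
    """Return (finding, identifier) pairs for every component that needs attention:
    'unidentified'        - no purl or version, so it cannot be matched to anything
    'unknown-package'     - not in the approved inventory at all
    'unreviewed-version'  - known package, but a version nobody has looked at"""
    findings = []
    for comp in load_components(sbom_text):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            findings.append(("unidentified", comp.get("name", "?")))
            continue
        package = purl.rsplit("@", 1)[0]  # purl encodes a scope's '@' as %40
        if package not in approved:
            findings.append(("unknown-package", purl))
        elif version not in approved[package]:
            findings.append(("unreviewed-version", purl))
    return findings


if __name__ == "__main__":
    for finding, ident in audit_sbom(SBOM_JSON, APPROVED):
        print(f"{finding}: {ident}")
```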
Verify Code Integrity Beyond Signatures
The SolarWinds and ASUS attacks both used legitimately signed code. Digital signatures alone are insufficient. Implement additional integrity checks: hash verification against known-good builds, reproducible build processes, and independent verification of update contents before deployment.
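An added example, not code from the post or from any vendor named in it: the Python check below accepts an update file, or a CI helper script such as the uploader in the Codecov case above, only when its SHA-256 matches both the vendor's published digest and a digest obtained independently, for example from your own reproducible build. A trojanized file that the vendor itself signed and listed is therefore still rejected. The file contents, manifest and digests are constructed for the demo.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digests[name.strip()] = digest.lower()
    return digests


def verify_artifact(name, data, vendor_manifest, independent_digests):
    """Accept the artifact only if its digest matches BOTH the vendor's manifest
    and an independently obtained digest (e.g. from a reproducible build).
    A valid code signature is assumed to have been checked already; it proves
    who signed the file, not that the build itself was clean. Returns (ok, reason)."""
    actual = sha256_hex(data)
    vendor = parse_manifest(vendor_manifest).get(name)
    independent = independent_digests.get(name)
    if vendor is None or independent is None:
        return False, f"no known-good digest for {name}"
    if not hmac.compare_digest(actual, vendor):
        return False, "digest does not match vendor manifest (file altered in transit?)"
    if not hmac.compare_digest(actual, independent):
        return False, "vendor manifest disagrees with independent build (vendor compromise?)"
    return True, "ok"


# Constructed demo data: a clean build, the vendor's manifest for it, and a
# tampered copy of the kind a valid signature alone would not catch.
GOOD_BUILD = b"fake installer bytes v1.0.0"
TAMPERED_BUILD = GOOD_BUILD + b"\x90 backdoor"
VENDOR_MANIFEST = f"# vendor SHA256SUMS\n{sha256_hex(GOOD_BUILD)}  installer.msi\n"
INDEPENDENT_DIGESTS = {"installer.msi": sha256_hex(GOOD_BUILD)}

if __name__ == "__main__":
    for label, blob in (("clean", GOOD_BUILD), ("tampered", TAMPERED_BUILD)):
        print(label, verify_artifact("installer.msi", blob, VENDOR_MANIFEST, INDEPENDENT_DIGESTS))
```

The second comparison is the one that matters for the SolarWinds pattern: when the vendor's own build pipeline is compromised, its signature and its manifest both vouch for the bad file, and only a digest from outside the vendor's trust boundary disagrees.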
The Pattern You Can't Ignore
Every one of these supply chain attack examples shares a common thread: the attackers turned trust into a weapon. They didn't break down the front door. They walked in through a door your organization opened willingly — a software update, a vendor tool, an open-source library.
The frequency and sophistication of these attacks have accelerated dramatically. SolarWinds. Codecov. Kaseya. These aren't isolated incidents. They're a pattern. The European Union Agency for Cybersecurity (ENISA) predicted in 2021 that supply chain attacks would quadruple compared to 2020.
Your organization's security is only as strong as the weakest link in your supply chain. Start by knowing what that chain looks like. Audit your vendors. Monitor your updates. Train your people. And stop assuming that "trusted" means "safe."