In December 2020, cybersecurity firm FireEye disclosed that a threat actor had compromised SolarWinds' Orion software update mechanism, distributing malware to roughly 18,000 organizations — including the U.S. Treasury, the Department of Homeland Security, and Fortune 500 companies. The attackers didn't break down the front door. They walked in through a trusted vendor's side entrance. That single incident rewrote the playbook on how we think about third-party risk, and it's just one of the supply chain attack examples that should be keeping your security team up at night in 2025.

This post breaks down the most consequential supply chain attacks of the past several years, explains the specific techniques threat actors used, and gives you concrete steps to reduce your own exposure. If you're responsible for security at any organization that depends on external software, services, or vendors — which is every organization — this is essential reading.

What Exactly Is a Supply Chain Attack?

A supply chain attack targets the less-secure elements in a trusted relationship. Instead of attacking your organization directly, a threat actor compromises a vendor, software provider, or service you already trust. When you install that vendor's update or grant that service access to your network, the attacker is already inside.

Think of it this way: you've invested in strong locks, cameras, and alarm systems. But the cleaning crew has a master key, and nobody checked their background. That's the supply chain vulnerability.

These attacks are devastating because they exploit implicit trust. Your endpoint detection won't flag a digitally signed update from a vendor you've whitelisted. Your employees won't question a login prompt from a tool they use every day. The entire attack surface shifts from your perimeter to your partners'.

The SolarWinds Orion Breach: The Attack That Changed Everything

The SolarWinds compromise remains the most referenced of all supply chain attack examples, and for good reason. The Russian-linked threat actor known as Nobelium (also tracked as APT29 or Cozy Bear) injected malicious code into SolarWinds' Orion IT monitoring platform build process as early as October 2019.

The malware, dubbed SUNBURST, was distributed through legitimate SolarWinds software updates between March and June 2020. Because Orion had deep network visibility by design — it monitored servers, firewalls, and network devices — the compromised update gave attackers a god's-eye view of victim networks.

Why This Attack Was So Effective

  • Trusted delivery mechanism: The malicious code was embedded in a digitally signed software update. Security tools treated it as legitimate.
  • Delayed activation: SUNBURST lay dormant for up to two weeks before contacting command-and-control servers, evading sandbox analysis.
  • Precision targeting: Of the ~18,000 organizations that installed the compromised update, the attackers only moved laterally in a small subset — roughly 100 organizations — reducing their noise signature.
  • Credential theft at scale: Once inside, attackers stole SAML signing certificates to forge authentication tokens, giving them persistent access even after the initial malware was removed.

CISA issued Emergency Directive 21-01 ordering federal agencies to disconnect SolarWinds Orion products immediately. The incident led to a fundamental shift in how the U.S. government approaches software supply chain security.

Kaseya VSA: Ransomware Through the Managed Service Provider

On July 2, 2021, the REvil ransomware gang exploited zero-day vulnerabilities in Kaseya's VSA remote monitoring software. Kaseya VSA is used by managed service providers (MSPs) to administer IT infrastructure for their clients. By compromising a single tool, the attackers hit an estimated 1,500 businesses downstream.

This one is particularly instructive because it shows how supply chain attacks can cascade. The threat actors didn't just compromise Kaseya's customers — they compromised Kaseya's customers' customers. A Swedish grocery chain, Coop, had to close 800 stores because their point-of-sale systems were locked by ransomware delivered through their MSP's Kaseya instance.

The MSP Multiplier Effect

If your organization uses a managed service provider, you've essentially delegated a portion of your security trust to them. And their tools become your attack surface. I've seen organizations with excellent internal security postures get blindsided because they never audited how their MSP managed remote access.

This is where cybersecurity awareness training for your entire team becomes non-negotiable. Your people need to understand that a trusted tool can become the weapon. When a legitimate remote management agent starts behaving unusually, someone needs to notice — and know what to do.

The MOVEit Transfer Exploitation: 2023's Biggest Data Breach Wave

In May 2023, the Cl0p ransomware group exploited a critical SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer, a managed file transfer application used by thousands of organizations worldwide. The group had apparently discovered the vulnerability months earlier and waited to exploit it at scale.

The damage was staggering. By some estimates, over 2,600 organizations and 77 million individuals were affected. Victims included the BBC, British Airways, the U.S. Department of Energy, Shell, and multiple state government agencies. Cl0p didn't deploy ransomware in the traditional sense — they exfiltrated data and threatened to publish it unless victims paid.

What Made MOVEit Different

MOVEit wasn't a household name, and that's part of the problem. Many organizations didn't even realize they were exposed because MOVEit was embedded in their workflows by a third party. Your HR department's benefits provider might use MOVEit. Your payroll processor might use it. You'd never know until the breach notification arrived.

This attack highlighted a brutal truth: your supply chain risk extends far beyond the vendors you directly manage. It includes your vendors' vendors and every piece of software they run.

3CX: When Your Desktop Phone App Becomes a Trojan

In March 2023, security researchers discovered that the 3CX desktop application — a VoIP client used by over 600,000 organizations worldwide — had been trojanized through a supply chain compromise. The North Korean-linked threat actor Lazarus Group had compromised 3CX's build environment, inserting malware into the legitimate, signed application.

Here's the chilling detail: the 3CX compromise was itself caused by a supply chain attack. A 3CX employee had installed a trojanized version of X_Trader, a trading software platform from Trading Technologies. That compromise gave the attackers access to 3CX's build systems. It was a supply chain attack that caused a supply chain attack — a nesting doll of compromised trust.

This incident demonstrates that supply chain attack examples aren't just academic case studies. They're recursive, compounding threats that can chain together in ways that are almost impossible to predict.

Codecov: The CI/CD Pipeline as Attack Vector

In January 2021 (disclosed in April), attackers modified Codecov's Bash Uploader script, a tool used by developers to submit code coverage reports. The altered script exfiltrated environment variables — including CI/CD credentials, API tokens, and keys — from every customer that ran it during the compromise window.

Codecov was used by approximately 29,000 organizations. The attackers potentially had access to secrets from thousands of private code repositories. Because the compromised script ran inside CI/CD pipelines, it had access to some of the most sensitive credentials in any development organization.
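The Codecov incident turned on one weak step: a helper script was fetched and executed in CI with nothing in the pipeline checking that it was still the script the vendor published. The block below is an added example, not Codecov's own tooling, that pins a SHA-256 digest in the pipeline and refuses to run the downloaded file if it differs; it assumes sha256sum or shasum is installed and uses a constructed stand-in script instead of a real download.

```shell
#!/bin/sh
# Added example (not Codecov's tooling): refuse to execute a fetched CI helper
# script unless its SHA-256 matches a digest pinned in the pipeline config.
# Assumptions: sha256sum or shasum is installed; the pinned digest comes from
# the vendor out of band. The script contents below are constructed.

sha256_of() {
    # Print the hex SHA-256 of a file, using whichever tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only when FILE's digest equals EXPECTED_SHA256; never runs FILE.
verify_script() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "refusing $1: digest mismatch (expected $2, got $actual)" >&2
        return 1
    fi
    return 0
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE only after verify_script succeeds, so a script altered after
# the digest was pinned never reaches the shell (the Codecov failure mode).
run_verified() {
    verify_script "$1" "$2" || return $?
    sh "$1"
}

# Demonstration with a constructed script standing in for a downloaded uploader.
demo() {
    f=$(mktemp)
    printf 'echo "uploading coverage report"\n' > "$f"
    pinned=$(sha256_of "$f")                 # what the pipeline would have pinned
    run_verified "$f" "$pinned" || return 1  # unmodified script: runs
    printf 'echo "line added after publication"\n' >> "$f"
    if run_verified "$f" "$pinned" 2>/dev/null; then
        echo "tampered script ran unexpectedly"; rm -f "$f"; return 1
    fi
    echo "tampered script was blocked"
    rm -f "$f"
}

demo
```

In a real pipeline the digest would be compared against a value checked into the repository, not computed from the file just fetched.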

Developer Tools Are High-Value Targets

If you're not treating your software development pipeline as critical infrastructure, you're behind. Threat actors know that compromising a build system or developer tool gives them access to everything downstream — your source code, your deployment credentials, and ultimately your customers.

This is where security awareness extends beyond your end users. Your developers need phishing awareness training designed for organizational teams, because social engineering targeting developers — fake GitHub notifications, spoofed npm packages, credential theft through lookalike domains — is a primary vector for these compromises.

NotPetya: The Supply Chain Attack That Caused $10 Billion in Damage

In June 2017, Russian military intelligence (GRU) compromised M.E.Doc, Ukrainian tax accounting software used by nearly every business operating in Ukraine. They pushed a malicious update that deployed the NotPetya wiper malware — disguised as ransomware, but designed purely to destroy.

NotPetya spread globally within hours. Maersk, the world's largest shipping company, lost almost all of its 49,000 laptops, 3,500 servers, and its entire Active Directory infrastructure. FedEx subsidiary TNT Express suffered $400 million in losses. Merck reported $870 million. Total estimated damages exceeded $10 billion, making NotPetya the most destructive cyberattack in history at that time.

The NIST Cybersecurity Framework was updated partly in response to attacks like NotPetya, emphasizing supply chain risk management as a core function.

How to Defend Against Supply Chain Attacks in 2025

You can't eliminate supply chain risk entirely. But you can dramatically reduce your exposure. Here's what I recommend based on what these incidents teach us.

Adopt a Zero Trust Architecture

Zero trust means no implicit trust — not for users, not for devices, and not for software vendors. Every access request gets verified. Multi-factor authentication should be enforced everywhere, not just at the front door. Segment your network so that a compromised vendor tool can't traverse your entire infrastructure.

Maintain a Software Bill of Materials (SBOM)

You need to know exactly what software is running in your environment, who built it, and what dependencies it carries. The 2021 Executive Order on Improving the Nation's Cybersecurity pushed SBOMs into the mainstream, and by 2025, any organization not maintaining one is flying blind.

Vet Your Vendors Ruthlessly

Every third-party vendor with access to your systems should undergo security assessment. Ask about their build security practices, their incident response plans, and whether they've had a security audit in the past 12 months. If they can't answer clearly, that tells you everything.

Monitor for Anomalous Behavior From Trusted Tools

The common thread in every supply chain attack example above: the malicious activity came from a trusted source. Your detection strategy needs to account for this. Behavioral analytics, endpoint detection and response (EDR), and network traffic analysis should all flag unusual activity regardless of the source's reputation.

Train Your People — Including Developers

Social engineering remains the top initial access vector according to the Verizon Data Breach Investigations Report. Phishing simulation exercises, security awareness training, and a culture where employees feel empowered to question suspicious activity are not optional. They're your most cost-effective defense layer.

The Uncomfortable Truth About Supply Chain Security

Every one of these supply chain attack examples shares a common root cause: organizations trusted something they shouldn't have trusted without verification. A signed software update. A vendor's security posture. A third-party tool embedded so deeply in operations that nobody questioned it.

In 2025, threat actors are more sophisticated than ever. State-sponsored groups and ransomware gangs alike have learned that attacking the supply chain gives them maximum impact with minimum detection. The FBI IC3's reporting continues to show losses climbing year over year, with supply chain and third-party compromises playing an increasing role.

Your defense starts with visibility — knowing what's in your environment. It continues with verification — never trusting by default. And it depends on your people — the analysts, developers, and end users who need to recognize when something trusted starts behaving like a threat.

The next major supply chain attack isn't a question of if. It's a question of whether your organization will be ready when it hits.