Global cybersecurity at risk as state-linked hackers target subcontractors in supply chain attacks

'There is no single technology that can solve supply chain threats. It requires layered defense and cooperation. Governments, cybersecurity companies, and users must act together,' says head of Kaspersky’s Global Research and Analysis Team

Sibel Morrow  | 17.06.2025 - Update : 17.06.2025
PHUKET, Thailand

State-sponsored cyber threat groups are increasingly compromising subcontractor firms with weaker security in order to reach major targets they cannot access directly, prompting calls for greater global cooperation and layered defense strategies against such threats.

Supply chain attacks aim to infiltrate large targets indirectly by compromising third parties such as software developers, hardware suppliers, or service providers. In recent years, malicious code embedded into software updates or remote access tools has exposed thousands of organizations and leaked the personal data of millions.

First brought to global attention by the SolarWinds breach in 2020, this attack method allows threat actors to access multiple targets from a single entry point.

Dmitry Galov, the head of Kaspersky’s Global Research and Analysis Team, told Anadolu that tactics employed by Advanced Persistent Threat actors -- often state-backed groups -- have become significantly more sophisticated over the past year.

Referring to the XZ vulnerability that recently affected thousands of Linux servers, Galov said attackers spent years manipulating developers behind the open-source XZ Utils software. The result was a covert backdoor capable of bypassing SSH authentication, giving threat actors remote access to systems.

“Every supply chain attack is so different and so tailored to the specific victim that is interesting for the potential attacker, that we cannot foresee how they will act next time,” Galov said.

“They actually spent several years on social engineering, pushing the developers and maintainers of an open-source library that was interesting to them, just before they could even move to the technical part of backdooring something.”

To counter such threats, Galov said Kaspersky uses behavioral analysis and AI-based detection technologies that can identify and block malicious payloads -- even when delivered through seemingly trusted software.

Galov emphasized that supply chain attacks often begin with smaller subcontractors. “Attackers know that major companies have strong cybersecurity defenses,” he said.

“Instead of going directly, they play a two-step game. First, they compromise a subcontractor -- whose defenses are typically weaker -- and then pivot to the real target.”

“Because they are smaller and don’t invest much in protection, making them easier to expose. Also, these subcontractors have privileges -- either internal access to the main victim’s systems or networks, or they provide updates for software used in the organization.”

To mitigate these risks, Galov advised that large companies evaluate the cybersecurity posture of their vendors, including through penetration testing, and implement strict auditing of all incoming software.

“You can’t just install software blindly. You must verify its security,” he said. “You also need to track who gets access to what and why.”
Weak cybersecurity shields in Africa attract advanced threat actors

Kaspersky has developed a scanner for open-source libraries to help identify malicious code in widely used development packages.

“We analyze every update from major repositories,” Galov said, “and provide a feed to our clients so they can verify the safety of their software stacks.”
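The two practices Galov describes, auditing incoming software before installation and checking a software stack against a feed of flagged packages, can be combined in a small verification step. The following is an added illustration written for this article, not Kaspersky's scanner or feed; the package names, release contents, allowlist hashes and known-bad entries are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# --- Constructed sample data (not a real vendor feed) -----------------------
# Bytes standing in for the contents of two release archives of a library.
GOOD_RELEASE = b"libexample-1.2.0 release contents (constructed)"
NEXT_RELEASE = b"libexample-1.3.0 release contents (constructed)"

PackageKey = Tuple[str, str]  # (package name, version)

# Allowlist: the SHA-256 a trusted source published for each approved release.
# In practice this comes from the vendor's signed manifest or an internal
# approval process; here it is derived from the constructed bytes above.
ALLOWLIST: Dict[PackageKey, str] = {
    ("libexample", "1.2.0"): hashlib.sha256(GOOD_RELEASE).hexdigest(),
    ("libexample", "1.3.0"): hashlib.sha256(NEXT_RELEASE).hexdigest(),
}

# Known-bad feed: releases a scanner has flagged as carrying malicious code.
# A version can be flagged after it was approved, so this check runs first.
KNOWN_BAD: Dict[PackageKey, str] = {
    ("libexample", "1.3.0"): "flagged by scanner feed (constructed entry)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(
    name: str,
    version: str,
    data: bytes,
    allowlist: Dict[PackageKey, str] = ALLOWLIST,
    known_bad: Dict[PackageKey, str] = KNOWN_BAD,
) -> str:
    """Decide whether one downloaded release may be installed.

    Returns one of: "flagged", "not-in-allowlist", "hash-mismatch", "ok".
    Anything other than "ok" should block installation and be logged.
    """
    key = (name, version)
    if key in known_bad:
        return "flagged"
    expected = allowlist.get(key)
    if expected is None:
        return "not-in-allowlist"
    # Constant-time comparison; the digest is fixed length, so this is cheap.
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "hash-mismatch"
    return "ok"


def audit_inventory(inventory: Iterable[Tuple[str, str, bytes]]) -> Dict[str, str]:
    """Run verify_artifact over a whole stack and return name@version -> verdict."""
    return {f"{n}@{v}": verify_artifact(n, v, d) for n, v, d in inventory}


if __name__ == "__main__":
    # Constructed stack: a good release, a tampered copy, a flagged release,
    # and a version nobody approved.
    stack = [
        ("libexample", "1.2.0", GOOD_RELEASE),
        ("libexample", "1.2.0", GOOD_RELEASE + b"\x00injected"),
        ("libexample", "1.3.0", NEXT_RELEASE),
        ("libexample", "9.9.9", b"unreviewed build"),
    ]
    for item, verdict in audit_inventory(stack).items():
        print(f"{item}: {verdict}")
```

The order of checks matters: a release that was approved yesterday may be flagged by the feed today, so the known-bad lookup runs before the allowlist, and a matching hash alone is never enough to pass. The same gate would apply equally to updates pushed by a subcontractor's software, which is the path Galov describes attackers preferring.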

Galov described the ongoing struggle between defenders and attackers as “a race.”

“Cybercriminals are quick to adopt new technologies,” he said. “AI, machine learning, and large language models are tools used by both sides. We have to stay one step ahead.”

He noted regional disparities in cybersecurity maturity.

“In the Middle East, awareness and preparedness are generally good. But in parts of Africa, where digitalization is still emerging, experienced attackers can cause significant harm,” he said.

“That’s why global cooperation and threat intelligence sharing are so important,” Galov emphasized. “We analyze and publish detailed reports on every campaign and technique used by cybercriminals, so others can be prepared.”

He concluded with a warning: “There is no single technology that can solve supply chain threats. It requires layered defense and cooperation. Governments, cybersecurity companies, and users must act together.”