This report aims at mapping and studying the supply chain attacks that were discovered from January 2020 to early July 2021. Based on the trends and patterns observed, supply chain attacks increased in number and sophistication in the year 2020 and this trend is continuing in 2021, posing an increasing risk for organizations. With half of the attacks being attributed to Advanced Persistence Threat (APT) actors, their complexity and resources greatly exceed the more common non-targeted attacks, and, therefore, there is an increasing need for new protective methods that incorporate suppliers in order to guarantee that organizations remain secure.
This report presents the Agency’s Threat Landscape concerning supply chain attacks, produced with the support of the Ad-Hoc Working Group on Cyber Threat Landscapes.

The main highlights of the report include the following:

• A taxonomy to classify supply chain attacks in order to better analyse them in a systematic manner and understand the way they manifest is described.
• 24 supply chain attacks were reported from January 2020 to early July 2021, and have been studied in this report.
• Around 50% of the attacks were attributed to well-known APT groups by the security community.
• Around 42% of the analysed attacks have not yet been attributed to a particular group.
• Around 62% of the attacks on customers took advantage of their trust in their supplier.
• In 62% of the cases, malware was the attack technique employed.
• When considering targeted assets, in 66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers.
• Around 58% of the supply chain attacks aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people.
• Not all attacks should be denoted as supply chain attacks, but due to their nature many of them are potential vectors for new supply chain attacks in the future.
• Organizations need to update their cybersecurity methodology with supply chain attacks in mind and to incorporate all their suppliers in their protection and security verification.

The general status of the cybersecurity threat landscape that identifies prime threats, major trends observed with respect to threats, threat actors and attack techniques, and also describes relevant mitigation measures is provided by the ENISA annual report.