Why hackers are focusing on your digital supply chain rather than solely on your systems.
Hackers are continually seeking new methods to infiltrate businesses, rarely doing so directly. For many organizations, cybersecurity efforts mainly focus on safeguarding internal systems and preventing unauthorized access through tools like firewalls, encryption, and employee training. This approach, however, operates under the assumption that attackers aim for direct access.
It is no longer enough to depend solely on internal cybersecurity measures to protect information. As digital supply chains grow more intricate with a higher number of suppliers, attackers are increasingly bypassing an organization’s internal controls altogether. They are exploiting vulnerabilities in the trusted supplier network that already has legitimate access to various systems and data.
A series of recent high-profile cyber incidents impacting major corporations has underscored the disruptive and costly nature of these attacks. So, how does this process occur, what implications does it hold for businesses, and what steps can be taken to mitigate risk?
How do attackers infiltrate the digital supply chain?
Rather than directly attacking organizations, hackers are increasingly targeting suppliers and service providers in the digital supply chain, such as website or software providers, development and testing platforms, or data storage solutions. These third-party entities frequently have access to systems, data, or networks, making them appealing targets and significant risk areas for organizations to oversee.
Supply chain attacks specifically target components necessary for an organization to deliver its products or services. For instance, such attacks may involve malicious software updates, compromised login credentials, vulnerable open-source components, or insecure integrations between systems.
Digital supply chain attacks are especially prevalent when software developers depend on commonly used third-party libraries to enhance application functionality. If an attacker successfully embeds malicious code in one of these libraries, any developer integrating it into their software may inadvertently introduce a security vulnerability into their product.
In 2024, a malicious backdoor was inserted into XZ Utils, a widely utilized open-source compression tool found in numerous Linux systems. The attack exploited the supply chain rather than directly hacking into systems. When the issue was identified, the affected versions had not yet been extensively deployed in production environments but were present in development builds of major distributions, prompting maintainers to rebuild their packages to rectify the vulnerability. Computer scientist Alex Stamos remarked that had the backdoor gone undetected, it would have granted its creators a "master key" to hundreds of millions of computers worldwide running SSH.
Once a supplier’s products, services, or technology have been compromised, attackers can access and further infiltrate the organization’s systems. These attacks often go unnoticed until systems are disrupted, data is encrypted or stolen, or ransom demands are made. In the case of the XZ Utils backdoor, the malicious code was detected only because a developer noticed unusual performance during routine testing.
More often than not, by the time an attack is identified, the damage has usually already been inflicted, leading to significant business repercussions.
The business impact
The immediate consequence of a cyberattack is typically financial. Ransom demands can be considerable, particularly when attackers recognize that the disruption affects multiple customers or critical services. Even when no ransom is paid, businesses frequently face high related costs for business interruption, system recovery, and professional consultation, all of which compound the financial repercussions of a cyberattack.
For digital-first and platform-dependent companies, downtime quickly means lost revenue, amplifying the financial consequences. In one recent case, a large consumer-facing entity (Co-op) reported that the cyberattack it experienced in 2025 "impacted both financial and operational areas," resulting in at least £206 million in lost revenue.
The operational consequences can be equally severe. If a key supplier goes offline or restricts access to their services to contain the attack, business operations can ground to a halt. Organizations may struggle to process transactions, fulfill orders, or access critical systems, forcing them to revert to manual workarounds. Following a 2025 cyber-attack, a well-known and respected company (Marks & Spencer) had to halt online orders for nearly two months and shifted to manual processing during that period. The attack did not target M&S's core infrastructure but instead exploited weaknesses in MoveIt, a common enterprise file transfer tool. Consequently, sensitive information concerning both employees and customers was compromised, including contact information, payroll data, and in some instances, National Insurance numbers. While payment details were not thought to have been affected, the scale and nature of the breach initiated a formal incident response, internal audits, and regulatory involvement from the Information Commissioner’s Office (ICO). The estimated financial impact was £300 million in lost profits.
However, the most significant and enduring consequence is often reputational. Customers typically do not distinguish between a company and its suppliers when issues arise. From the customer's viewpoint, the failure is perceived as a single service breakdown, regardless of where accountability ultimately lies. Trust built over years can vanish overnight, especially if communication is slow, defensive, or ambiguous. Reinstating that trust is both time-consuming and costly, often necessitating sustained investment in customer engagement, service enhancements, and assurances about future resilience
Other articles
Why hackers are focusing on your digital supply chain rather than solely on your systems.
Cyberattacks on supply chains are evading internal protections by taking advantage of trusted third-party suppliers. Recent cases, such as the XZ Utils backdoor and the Marks and Spencer MoveIt breach, demonstrate how attackers exploit the supplier network to indirectly infiltrate organizations.
