Українська правда

Hackers increasingly attack supply chains of large corporations — FT


Hacker groups are increasingly targeting the supply chains of large corporations in an attempt to find "weak links" in cybersecurity systems. According to the Financial Times, these attacks are part of the active development of the illegal ransomware sector, the volume of which already reaches billions of US dollars.

According to cybersecurity experts, the number of attacks on third-party vendors around the world doubled in 2024. The number is likely to be even higher in 2025.

The reports come just months after the attack on British retailer Marks and Spencer, which was caused by a security breach at one of its suppliers that had access to the company's data. Last year, NHS England suffered a similar cyberattack when its pathology partner Synnovis was hacked.

These attacks have seen hacker groups block the online activities of victim companies if they refuse to pay large ransoms. Tim Eridge, vice president of Unit 42 for Europe, the Middle East and Africa, notes that cybercriminals are finding “weak spots” in vendors’ security systems to target large corporate organizations.

"If you 'hack' a vendor that has access to many of the leading organizations that use its services or are affiliated with it, you will get a multiple return on investment," says Eridge.

In 2024, there were 7,965 cyberattacks, of which about 30% were caused by third-party vulnerabilities. That is double the share in 2023, when such incidents accounted for only 14.9% of the 7,268 attacks. Possible entry points include software vendors, support services, or providers of other technology solutions, such as AI.

Experts note that hacker groups from North Korea, which have increased both the number and complexity of attacks, benefit the most from such activities.

The higher number of attacks has forced governments around the world to take cybersecurity seriously. The EU has adopted the NIS2 directive, which has tightened restrictions on supply chains, and the UK has passed a cybersecurity bill that will be introduced in parliament at the end of September.

The US government has a softer stance, but has nevertheless taken steps to strengthen the cybersecurity of third-party providers to the federal government.
