Underreported Supply Chain Breaches Drive Cyber Risks in Europe

Cyber attackers are increasingly breaking into organisations not through the front door but through their more vulnerable suppliers, and many of these breaches are not being widely reported. According to Unit 42, the threat intelligence and incident response team at Palo Alto Networks, more than one in four (28 percent) incidents it investigated in Europe over the past year stemmed from breaches of third parties.

Although these numbers are already high, Unit 42 advises that, because supply chain security breaches are widely underreported, organisations face a far greater risk than they realise.

Tim Erridge, VP of EMEA, Unit 42 at Palo Alto Networks, says: “Incident response investigations primarily focus on securing the victim organisation and getting it back online quickly, rather than spending time tracing where the compromise originated from. This means many supply chain attacks are not reported as such and therefore companies are often blind to the level of danger sitting in their vendor ecosystem. We believe the current numbers related to supply chain attacks, although high and rising, are just the tip of the iceberg.”

Examples of supply chain attacks observed by Unit 42:

  • Defacement at scale: Hackers hijacked a content provider to push propaganda across city-wide commercial screens during a global sporting event.
  • Pharmaceutical company surveillance: Breach of CCTV infrastructure allowed remote spying across sensitive R&D facilities.
  • Diplomatic targeting: A Trojan attack hidden in a digital car-sale flyer was used to infiltrate embassy staff in Ukraine.
  • Muddled Libra (Scattered Spider): The hacking group is increasingly using the supply chain as the first step in gaining access to their victims’ networks. This was seen in a breach investigated by Unit 42 that involved a business process outsourcing company facing five attacks within a week, demonstrating the group’s ability to adapt and find new pathways into the network via the supply chain.

Why supply chain attacks are rising:

  • Extended digital ecosystems: Enterprises are part of growing digital ecosystems often involving hundreds, or even thousands, of suppliers, multiplying attack surfaces.
  • Weakest link principle: Attackers exploit smaller vendors with weaker defences in order to breach the trust that large enterprises place in them when doing business.
  • Economic asymmetry: Breaching suppliers is easier and quicker than targeting a large organisation directly, so it offers an attractive risk-reward balance. A successful breach costs significantly less than building an effective defence, so the advantage is always with attackers.
  • AI acceleration: Ransomware-as-a-service, access brokers and AI-powered reconnaissance, exploitation and social engineering make supply chain targeting easier and cheaper than ever. Unit 42 believes that a “perfect storm” is brewing due to the use of AI, increased connectivity and over-reliance on vulnerable external entities.

The anatomy of a supply chain attack:
First, attackers use AI-driven tools to scan the internet for vulnerabilities. Once they find one, they create a list of targets that are both susceptible and highly connected to companies that hold large quantities of valuable data. After being breached, the targets are extorted by the attackers, often through threats to leak or sell sensitive data or to report the incident to regulators, which could trigger fines and cause reputational damage.

Who is in the crosshairs?

  • High tech and financial services: Most frequent supply chain targets observed by Unit 42 in 2025.
  • Legal and professional services firms: Rich data, high connectivity to blue-chip clients, typically weaker defences.
  • Luxury brands: Targeted via the supply chain to gain access to the data of high-net-worth individuals.

What are the different types of supply chain attack?

  • Software poisoning supply chain attacks: These attacks target the software development lifecycle by tampering with code, libraries, or dependencies before the product reaches the end user. The goal is to distribute malware through trusted, legitimate channels.
  • Hardware tampering supply chain attacks: These attacks involve tampering with hardware components during manufacturing or shipping. Malicious components can be implanted in devices, making them vulnerable to remote access or data theft.
  • Business & operations supply chain attacks: These attacks exploit the relationships between an organisation and its vendors, contractors, or partners. They target weak links in a company’s extended processes and workflows to insert malicious content into typically legitimate activities, weaponising human trust to defraud, disrupt and take data.

What can organisations do to protect themselves?
Unit 42 recommends that organisations take the following steps to reduce systemic risk, strengthen resilience and gain competitive advantages:

  1. Map every digital dependency: Build visibility of all suppliers and connections.
  2. Find the weak links: Identify and remediate vulnerabilities before adversaries do.
  3. Share security downstream: Extend safeguards, tools and training to smaller vendors and contractors who are most vulnerable.

These steps should be taken as part of a ‘cyber altruism’ strategy. Cyber altruism is the pragmatic idea that larger organisations extend enterprise-grade protections, tooling and know-how to smaller suppliers because ultimately everyone shares the same exposure. This approach provides risk reduction for the whole chain.