Hackers are demanding a $50m payment from Apple after getting hold of plans for some of its upcoming products in a ransomware attack. The Sodin group obtained the schematics by targeting one of Apple’s suppliers, Quanta Computers, in what is known as an island hopping supply chain breach. Such attacks on secondary targets are becoming more common as threat actors increasingly look further down tech supply chains to find security weaknesses.
Sodin, which deploys the REvil ransomware, says it stole the plans for laptops and a new Apple Watch from Quanta, a Taiwanese company that assembles Apple’s computers. It says it will release the confidential documents unless the ransom is paid by 1 May. The same group also targeted another manufacturer, Acer, earlier this year, also demanding a $50m payment.
What is an island hopping ransomware attack?
The Apple breach is a high-profile example of an island hopping attack. These have grown in popularity in 2021, with 38% of financial services companies surveyed in a report released by VMWare stating they have witnessed an increase in island hopping attempts so far this year. A study from Identity Theft Resources says there were 42% more supply chain attacks in the first quarter of this year than in Q1 2020.
These sort of attacks occur when threat groups infiltrate an organisation in the main target’s network. “Every company is a potential site to target,” explains Bharat Mistry, technical director for the UK and Ireland at cybersecurity company Trend Micro. “Even though you might not be the target, you’re quite often being used in what we call island hopping, exactly as you might do in the Greek islands. You get from A to B to C to get to your final destination.”
Such attacks can have devastating consequences. Last year Russian hackers infiltrated SolarWinds Orion network management software, which is used by thousands of businesses, and used it to target customers. US Government agencies, such as the departments of homeland security and commerce were among those affected, as well as myriad private companies.
The technique is increasing in popularity because, while organisations spend a lot of time reinforcing their own security, they can be less assiduous when it comes to partner companies. “A third-party channel or your supply chain is often unfettered access because you don’t want to hinder the level of cooperation that you have so you give them very open access to an area,” Mistry says. “Let’s say I’m Apple, but somebody else makes the boxes for me and then other people supply the cardboard. We’ve got three people in that supply chain already,” he explains. “So [a threat group] will target someone at one of the other organisations and pivot through.”
David Emm, principal security researcher at cybersecurity company Kaspersky, compares these attacks to “poisoning a river upstream”. He says that “anything downstream of that could be impacted by it. Anybody who is supplying software or a service to multiple customers is potentially on the receiving end of something like this.”
Can you prevent island hopping attacks?
While the security set-up of a third party will always present a level of risk, Emm says it is important for businesses to do their homework on the companies in their supply chains. “Looking at what the potential risks are from your supply chain is really important because otherwise, companies can end up on the receiving end of an [island hopping attack] where part of their supply chain becomes a route into their own organisation,” he adds
Mistry agrees that careful vetting is the only way to minimise the risk of island hopping. “Realistically, if you’re in a high-profile industry where it’s competitive or espionage is key, I would put the time and effort into vetting my supply chain,” he says.