April 26, 2021, updated 26 Apr 2022 5:13pm

Apple’s Quanta breach is part of a surge in ‘island hopping’ cyberattacks

Hacking groups are increasingly turning to tech supply chains as a way to breach the world's biggest companies.

By Claudia Glover

Hackers are demanding a $50m payment from Apple after getting hold of plans for some of its upcoming products in a ransomware attack. The Sodin group obtained the schematics by targeting one of Apple’s suppliers, Quanta Computers, in what is known as an island hopping supply chain breach. Such attacks on secondary targets are becoming more common as threat actors increasingly look further down tech supply chains to find security weaknesses.

Sodin, which deploys the REvil ransomware, says it stole the plans for laptops and a new Apple Watch from Quanta, a Taiwanese company that assembles Apple’s computers. It says it will release the confidential documents unless the ransom is paid by 1 May. The same group also targeted another manufacturer, Acer, earlier this year, also demanding a $50m payment.

What is an island hopping ransomware attack?

The Apple breach is a high-profile example of an island hopping attack. These have grown in popularity in 2021, with 38% of financial services companies surveyed in a report released by VMware stating they have witnessed an increase in island hopping attempts so far this year. A study from Identity Theft Resources says there were 42% more supply chain attacks in the first quarter of this year than in Q1 2020.

Island hopping attacks, where attackers infiltrate a company in a target’s network, are surging in popularity in 2021. (Photo by Ibrahim Egan on Unsplash)

These sorts of attacks occur when threat groups infiltrate an organisation in the main target’s network. “Every company is a potential site to target,” explains Bharat Mistry, technical director for the UK and Ireland at cybersecurity company Trend Micro. “Even though you might not be the target, you’re quite often being used in what we call island hopping, exactly as you might do in the Greek islands. You get from A to B to C to get to your final destination.”

Such attacks can have devastating consequences. Last year Russian hackers infiltrated SolarWinds Orion network management software, which is used by thousands of businesses, and used it to target customers. US Government agencies, such as the departments of homeland security and commerce, were among those affected, as well as myriad private companies.

The technique is increasing in popularity because, while organisations spend a lot of time reinforcing their own security, they can be less assiduous when it comes to partner companies. “A third-party channel or your supply chain is often unfettered access because you don’t want to hinder the level of cooperation that you have so you give them very open access to an area,” Mistry says. “Let’s say I’m Apple, but somebody else makes the boxes for me and then other people supply the cardboard. We’ve got three people in that supply chain already,” he explains. “So [a threat group] will target someone at one of the other organisations and pivot through.”

David Emm, principal security researcher at cybersecurity company Kaspersky, compares these attacks to “poisoning a river upstream”. He says that “anything downstream of that could be impacted by it. Anybody who is supplying software or a service to multiple customers is potentially on the receiving end of something like this.”

Can you prevent island hopping attacks?

While the security set-up of a third party will always present a level of risk, Emm says it is important for businesses to do their homework on the companies in their supply chains. “Looking at what the potential risks are from your supply chain is really important because otherwise, companies can end up on the receiving end of an [island hopping attack] where part of their supply chain becomes a route into their own organisation,” he adds.

Mistry agrees that careful vetting is the only way to minimise the risk of island hopping. “Realistically, if you’re in a high-profile industry where it’s competitive or espionage is key, I would put the time and effort into vetting my supply chain,” he says.
