Features 19.12.2024
AI Autopsy: Microlise and Supply Chain Dominoes
In late October 2024, telematics provider Microlise was hit by an alleged ransom attack that impacted multiple companies reliant on its solution.
One of those was delivery giant DHL, whose delivery tracking to stores was knocked out, leaving it unable to see the progress of deliveries. Meanwhile, another Microlise customer, Serco, was left without functioning tracking systems or panic alarms in the prison vans it operates for the Ministry of Justice as a result of the supply chain breach.
In a statement to the London Stock Exchange, Microlise confirmed criminals accessed limited employee information during the breach. However, the company stressed that no customer systems data was compromised.
Although the nature of the attack has not been officially confirmed, the SafePay group – a new criminal outfit that uses LockBit-based ransomware and is known for double extortion tactics – has claimed responsibility, alleging it stole 1.2 terabytes of data.
Investigations are ongoing, and Microlise says it is working closely with third-party security experts to understand the full extent of the attack.
The Microlise incident is a prime example of how an attack on one company can ripple through the supply chain. So, what supply chain security lessons can be learnt from what is known so far?
It doesn’t matter how robust you are if one of your partners has gaping holes in its own security posture. The Microlise incident is a stark reminder that you’re only as secure as the weakest link in your partner network, says Robert Cottrill, technology director at ANS. “In today’s interconnected business environment, companies often rely on multiple third-party vendors and suppliers. Each of these partners represents a potential vulnerability, so if one partner’s security measures are inadequate, it can create a gateway for attackers to infiltrate the entire network.”
The incident is also a reminder that strong internal security does not make you immune to supply chain-related cyber threats. DHL, despite having robust internal security measures, is bearing the brunt of a vulnerability in a third-party supplier's systems, which Cottrill says has resulted in "a domino effect impacting its operations globally."
Availability is integral, and this is even more essential when you are part of a supply chain. By targeting critical supply chain partners, adversaries are leveraging the pressure clients will receive from their users to expedite payment, says Chris Henderson, senior director of threat operations at Huntress.
With this in mind, if a partner in your supply chain goes down, your own back-ups and recovery capability are what limit the impact and get you, quite literally, back up and running again.
“If your organisation is breached through a supply chain partner, it’s important to ensure your back-ups are good and control of recovery is within your own world,” says Henderson. “Supply chain attacks that solely impact the availability of critical partners offer very little recourse for users to self-remediate the impact.”
With supply chain attacks happening more frequently, it’s essential to be prepared. With this in mind, business continuity programmes are more critical than ever, says Henderson. “While most organisations spend a good deal of effort and money on their technical disaster recovery programmes through strong back-ups and restoration testing, as much care needs to be placed on critical business processes and partnerships.”
A comprehensive business continuity plan is “essential”, agrees Mayuresh Dani, manager of security research at Qualys Threat Research Unit. “This ensures operations can continue smoothly – even when primary systems are compromised.”
If you do not already have a functional business continuity programme, start by inventorying your processes and evaluating them through a business impact analysis, says Henderson. “Through this analysis, identify critical technology dependencies, the impact not having the process would have on the organisation, and your best estimate of the likelihood that one of those impacts will come to fruition.”
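The business impact analysis Henderson describes is easiest to act on once the dependencies are written down and you can ask "which processes stop if this supplier goes down?" The script below is an added example, not code from the article or from any of the companies it mentions: the process inventory, the services, the supplier names and the impact and likelihood figures are all constructed for illustration. It follows dependencies transitively (an in-house app that relies on a supplier-run platform fails with it), lists the processes hit by each supplier's outage, and ranks suppliers by impact multiplied by estimated likelihood.

```python
# Constructed inventory for illustration (assumption: not any real company's estate).
# Each business process lists the technology services it needs and an impact rating
# (1-5) agreed in the BIA workshop; each service names the supplier that runs it
# ("internal" for in-house) and the services it in turn depends on.
PROCESSES = {
    "fleet_tracking":       {"impact": 5, "depends_on": ["telematics_platform", "dispatch_app"]},
    "panic_alarm_response": {"impact": 5, "depends_on": ["telematics_platform", "control_room"]},
    "invoicing":            {"impact": 3, "depends_on": ["erp", "dispatch_app"]},
    "hr_payroll":           {"impact": 2, "depends_on": ["hr_saas"]},
}
SERVICES = {
    "telematics_platform": {"supplier": "TelematicsCo", "depends_on": []},
    "dispatch_app":        {"supplier": "internal", "depends_on": ["telematics_platform", "erp"]},
    "control_room":        {"supplier": "internal", "depends_on": []},
    "erp":                 {"supplier": "ErpVendor", "depends_on": []},
    "hr_saas":             {"supplier": "HrVendor", "depends_on": []},
}
# Best-estimate annual likelihood of a disruptive outage at each supplier (constructed).
SUPPLIER_OUTAGE_LIKELIHOOD = {"TelematicsCo": 0.2, "ErpVendor": 0.1, "HrVendor": 0.05}


def services_run_by(supplier):
    """Services operated directly by the given supplier."""
    return {name for name, meta in SERVICES.items() if meta["supplier"] == supplier}


def affected_services(down):
    """Transitive closure: a service fails if anything it depends on has failed."""
    affected = set(down)
    changed = True
    while changed:
        changed = False
        for name, meta in SERVICES.items():
            if name not in affected and any(dep in affected for dep in meta["depends_on"]):
                affected.add(name)
                changed = True
    return affected


def blast_radius(supplier):
    """Processes disrupted by an outage at `supplier`, plus a risk score (impact x likelihood)."""
    down = affected_services(services_run_by(supplier))
    hit = {name: meta["impact"] for name, meta in PROCESSES.items()
           if set(meta["depends_on"]) & down}
    return {
        "services": sorted(down),
        "processes": hit,
        "risk": sum(hit.values()) * SUPPLIER_OUTAGE_LIKELIHOOD[supplier],
    }


def rank_suppliers():
    """Suppliers ordered from highest to lowest risk to the business."""
    return sorted(SUPPLIER_OUTAGE_LIKELIHOOD, key=lambda s: blast_radius(s)["risk"], reverse=True)


if __name__ == "__main__":
    for supplier in rank_suppliers():
        radius = blast_radius(supplier)
        print(f"{supplier}: risk={radius['risk']:.2f} processes={sorted(radius['processes'])}")
```

Note that the telematics supplier scores highest not only because it runs the tracking platform but because the in-house dispatch application depends on that platform too, which is exactly the second-order dependency a process-by-process inventory tends to miss.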
The Microlise incident highlights the need for organisations to manage cybersecurity risks across their entire supply chain, says Benn Morris, CEO at 3B Data Security.
A proactive approach to third-party risk management is essential, he says. “Even if an organisation has strong internal defences, vulnerabilities in a supplier’s network can disrupt operations and impact downstream customers.”
Morris says that key measures include conducting regular risk assessments to identify and address weaknesses in supplier networks. “Organisations should also require contractual commitments from suppliers, such as enforcing multi-factor authentication (MFA), encryption and incident response protocols. Continuous monitoring of suppliers is equally vital, as risks can evolve over time.”
Morris says supply chain segmentation is another strategy to limit the potential damage of a breach. Organisations should ensure suppliers only have access to the systems and data necessary for their operations, following the principles of “least privilege” and “business need to know.”
He says businesses can help prevent attackers from moving laterally through interconnected systems by segmenting access and isolating different parts of the network. This protects sensitive data and reduces the likelihood of a single breach or ransomware infection causing widespread disruption to the entire network.
The Microlise breach highlights the importance of baking security into your partner relationships, contracts included. The attack serves as "a call to action" for companies to reassess the proactive cybersecurity strategies and incident response plans of all partners within the network, says Cottrill. "Reactive measures are no longer sufficient in the face of increasingly sophisticated cyber attacks. Companies must adopt a proactive stance, which includes continuous monitoring for threats, regular vulnerability assessments, and timely updates to security protocols."
The starting place for supply chain integrity for your company is to ask for and examine compliance documents under mutual non-disclosure agreements, says Ian Thornton-Trump, CISO for Inversion6 UK. “It may not tell the whole story about the partner’s security posture, but it can go a long way to help ensure a level of comfort for the potential purchase,” he says.
How deep you go on this investigation depends on how much risk you perceive from a disruption, he says. However, he advises that disruption is not always cyber-related. “There are plenty of external scanning tools to determine the attack surface and services that can help determine the potential external risk of your potential new partner. It can also serve as the backdrop to some questions for clarification, for example, why is this service exposed?”
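Turning an external scan of a prospective partner into the "why is this service exposed?" questions Thornton-Trump suggests is mostly a matter of comparing what is listening against what an internet-facing vendor should reasonably expose. The script below is an added example, not code from the article or from any tool it names: the scan lines are constructed in nmap's grepable (`-oG`) output format against documentation-only addresses, and the expected and high-risk service lists are assumptions to be tuned per engagement. It parses the open ports per host, leaves expected web services alone, and emits a question for each administrative, file-sharing or database service that should never face the internet, plus a softer question for anything unrecognised.

```python
import re

# Constructed sample in nmap grepable (-oG) format; illustrative only, not a real scan
# of any vendor (203.0.113.0/24 is a documentation range).
SCAN = """\
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///
Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///, 8443/filtered/tcp//https-alt///
"""

# Assumed policy: services an internet-facing vendor is expected to expose...
EXPECTED = {"http", "https"}
# ...and services that should never be reachable from the internet, with the reason.
HIGH_RISK = {
    "ssh": "administrative SSH reachable from the internet",
    "ms-wbt-server": "Remote Desktop reachable from the internet",
    "microsoft-ds": "SMB file sharing reachable from the internet",
    "ms-sql-s": "database listener reachable from the internet",
}

# port/state/protocol//service/// as written in the grepable Ports: field.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return (host, port, proto, service) for every open port in -oG output."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                findings.append((host, int(port), proto, service))
    return findings


def triage(findings):
    """Turn open ports into clarification questions for the prospective partner."""
    questions = []
    for host, port, proto, service in findings:
        where = f"{host}:{port}/{proto} ({service})"
        if service in HIGH_RISK:
            questions.append(f"{where}: {HIGH_RISK[service]}. Why is this service exposed?")
        elif service not in EXPECTED:
            questions.append(f"{where}: unexpected service. What is it for and who can reach it?")
    return questions


if __name__ == "__main__":
    for q in triage(parse_grepable(SCAN)):
        print(q)
```

A filtered port is deliberately ignored: it tells you a packet filter is in the way, not that a service is listening, and it is the open administrative and database listeners that a supplier should be asked to justify before a contract is signed.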
It may be worth looking into the vendors you do business with by engaging in some “good old fashioned OSINT gumshoe work”, says Thornton-Trump. For example, you can look up vendor references and employee public postings online to help you assess how much effort they put into security.
Supply chain breaches can cascade across companies to cause a frighteningly brutal impact. Avoiding becoming a victim requires awareness of your vulnerabilities in the first place and ensuring you implement robust contracts that help protect you in case of an attack.
It’s also important to ensure resilience, including basic security measures such as MFA and backups, to reduce the effect of being directly or indirectly hit by this type of attack.