IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week.
In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period (chart below).
The researchers noted that because of the sophisticated nature of supply chain attacks, monthly variations can be quite large “so some variability should be expected even as supply chain attacks generally trend higher.”
They also noted that not every cyberattack or its source is known, so such data “is by its nature incomplete.”
Software Supply Chain Attacks: IT Targeted
The researchers looked specifically at 79 supply chain attacks in the first five months of 2025. Of those, 50, or 63%, directly targeted IT, technology, and telecom companies, which are valuable targets for threat actors looking to exploit downstream users.
“Damage from a single successful exploit in those areas can be widespread, as happened with the hundreds of CL0P ransomware victims from a single vulnerability,” Cyble said. Those CL0P victims helped make February a record month for ransomware attacks.
Of 24 industries tracked by Cyble, only two sectors – Mining and Real Estate – were untouched by supply chain attacks in the first five months of 2025 (image below).
In non-tech industries, supply chain attacks often come via third parties, service providers, and industry-specific solutions.
The U.S. was targeted in 31 of the 79 incidents. European countries were targeted in 27, with France (10 incidents) leading other European countries by a significant margin.
26 incidents targeted APAC countries, led by India (9) and Taiwan (4). The Middle East and Africa were targeted in 10 supply chain attacks, with the UAE and Israel leading with four incidents each.
Supply Chain Attack Examples
Cyble detailed 10 of the supply chain attacks to show the range of industries and data exposed. Targets included:
- A ransomware attack on a Swiss banking technology solutions and services company that included exfiltrated login credentials for banking applications.
- An IT services subsidiary of a large international conglomerate was hit by a ransomware attack that may have “impacted multiple projects tied to government entities.”
- A threat actor on the cybercrime forum DarkForums was selling “a large dataset allegedly pertaining to a high-throughput telecommunications satellite for Indonesia and some ASEAN countries.” The data allegedly included technical documents related to propulsion tests, launch analyses, ground systems, and site vulnerabilities.
- Blueprints were allegedly among the stolen data in a Hellcat ransomware group attack on a China-based company specializing in display technologies and electronic solutions.
- The DragonForce extortion group claimed to have stolen 200 GB of data from a U.S. company specializing in biometric recognition and identity authentication solutions.
- The VanHelsing ransomware group claimed an attack on a U.S.-based company specializing in enterprise security and identity access management (IAM) solutions. “The nature of the exposed files suggests they may contain sensitive information linked to the company’s customers, potentially affecting sectors such as Banking, Financial Services, and Insurance (BFSI),” Cyble said.
- A threat actor on the cybercrime forum Exploit was selling “unauthorized access with administrative privileges” to the cloud infrastructure of an Indian fintech company that offers SaaS-based payment service solutions.
- A cyberattack on a Singapore-based technology company allegedly led to the theft of 3TB of data, including database content and technical and project documentation.
- An attack on an Australian IT and telecom solutions company may have exposed licensing and application configuration files, hashed credentials, and other critical data.
- A threat actor on DarkForums was selling unauthorized access to a portal belonging to an Australian telecommunications company that allegedly included access to domain administration tools and other critical network information.
Protecting Against Supply Chain Attacks
The researchers noted that protecting against supply chain attacks “is challenging because these partners and suppliers are, by nature, trusted.”
Building in controls and resilience should be priorities, including:
- network microsegmentation
- strong access controls
- encryption of data at rest and in transit
- ransomware-resistant backups
- honeypots for early breach detection
- proper configuration of API and cloud service connections
- monitoring for unusual activity
“The most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process, so carefully vetting partners and suppliers and requiring good security controls in contracts are important ways to improve third-party security,” Cyble said.
