Supply Chain Attack Investigations: When the Breach Is Not in Your Own Systems
Supply chain attacks put organisations in a forensically difficult position. The initial compromise happened somewhere else, in a third-party's environment, using that third-party's credentials, on infrastructure that belongs to the supplier. By the time the victim organisation discovers there is a problem, the attack may have been underway for months. The forensic record in the victim's own systems shows effects, not origins.
This distinction shapes everything about how a supply chain attack investigation proceeds. The investigation team cannot image the supplier's servers. They may not be able to obtain the supplier's logs. They are working from artefacts of the attack that reached their environment, and attempting to reconstruct an access chain that began outside their visibility. Understanding the specific challenges of this class of investigation is important for scoping the engagement and setting realistic expectations about what can be established.
The Access Path Problem
In a supply chain attack, the attacker leveraged a trusted relationship to reach the victim. That trusted relationship might be software the supplier delivers into the victim's environment, access credentials the supplier holds for maintenance or support purposes, or data feeds that the supplier provides. In each case, the attacker used something legitimate, which is why these attacks are effective and why they are hard to detect.
Reconstructing the access path requires understanding every integration point between the victim's environment and the supplier. In our experience, organisations frequently underestimate the breadth of supplier access they have granted. Vendor accounts that were created for a specific project and never deprovisioned, legacy integration credentials stored in configuration files, and third-party monitoring agents with broad system access are all common findings in the early triage of supply chain incidents. The investigation scope includes all of these.
What You Can Investigate in Your Own Environment
Even without access to the supplier's systems, the victim organisation's own forensic record can answer important questions about the impact within their environment. Authentication logs will show when supplier-associated accounts were used, from what IP addresses, and what they accessed. Endpoint logs on systems those accounts touched will show process execution, file access, and lateral movement artefacts. Network logs may show unusual outbound traffic from systems the supplier account contacted.
Key investigation steps within the victim environment include:
- Identifying all accounts and credentials associated with the supplier, including service accounts, shared credentials, and API keys
- Reviewing all authentication events for those accounts for the full suspected compromise period
- Mapping all systems and data stores the supplier accounts had legitimate access to, to establish the maximum possible impact scope
- Reviewing endpoint telemetry on systems those accounts accessed for signs of lateral movement or secondary tooling deployment
- Analysing outbound network traffic from affected systems for command-and-control patterns or data exfiltration indicators
- Reviewing any software or updates delivered by the supplier during the suspected compromise period
Working With the Supplier During the Investigation
The relationship with the supplier during a supply chain attack investigation is complicated. The supplier may themselves be a victim and may be running their own investigation under significant pressure. Their ability and willingness to share forensic information with affected customers will vary. In some cases, the supplier will be forthcoming; in others, their legal team will limit what they disclose, particularly while their own investigation is incomplete.
It is worth engaging the supplier directly and formally, in writing, early in the investigation. Requests should be specific: which systems were compromised, during what period, what credentials or access mechanisms were affected, and what is known about what the attacker accessed or did. The supplier's responses, and the timing and completeness of those responses, become part of the investigative record. Where the supplier cannot or will not provide necessary information, that gap needs to be documented and its implications for the investigation scope understood.
Longer-Term Remediation After a Supply Chain Incident
Remediating a supply chain attack requires addressing both the immediate impact in the victim environment and the underlying exposure that the supplier relationship created. The immediate response focuses on revoking compromised credentials, removing any attacker-deployed tooling, and restoring affected systems. The longer-term remediation addresses the supplier relationship itself.
That remediation typically involves reviewing all supplier access against the principle of least privilege, implementing just-in-time access mechanisms for supplier maintenance accounts rather than persistent credentials, requiring independent security attestation or audit evidence from critical suppliers, and building monitoring specifically for supplier-associated account activity. Supply chain attacks succeed partly because supplier access is trusted and therefore less scrutinised. Post-incident controls should change that assumption.
Cyberlinx investigates supply chain attacks and helps organisations understand their exposure to third-party access risks. If you are managing a suspected supply chain incident or want to assess your supplier access posture, contact us at info@cyberlinx.com.au.
Related Articles







