Nearly 10% of SMB Defense Contractors Show Evidence of Compromise

More than half of SMB contractors in the US defense supply chain are critically vulnerable to ransomware attacks, a new report has claimed.

Cybersecurity vendor BlueVoyant chose to analyze a representative sample of 300 smaller contractors from a defense industrial base (DIB) estimated to have anywhere from 100,000-300,000 suppliers.

The resulting Defense Industry Supply Chain & Security 2021 review uncovered concerning signs of weaknesses in this complex ecosystem of contractors — potentially putting national security at risk.

It found that over half of the companies studied had unsecured ports vulnerable to ransomware attacks. In contrast, 48% had vulnerable ports and other weaknesses, including unsecured data storage ports, out-of-date software and operating systems, and other vulnerabilities rated severe by NIST.

Unpatched flaws were particularly concerning: more than six months after critical F5 and Microsoft Exchange vulnerabilities were published, nine companies were yet to fix them.

A fifth (20%) of SMB contractors were found to have multiple vulnerabilities and evidence of targeting, while 7% also featured evidence of compromise.

In total, BlueVoyant found evidence of over 1300 email security issues, more than 400 vulnerabilities, and 344 indications that suggest “company resources are involved in anomalous or criminal activity.”

Perhaps unsurprisingly, over a quarter (28%) of appraised contractors showed evidence indicating they would fail to meet the most basic tier-1 requirement for the Cybersecurity Maturity Model Certification (CMMC). This is a critical compliance standard designed to improve security best practices among US defense contractors.

Austin Berglas, global head of professional services at BlueVoyant, argued that as primary contractors improve cybersecurity, threat actors have pivoted towards SMBs in the same supply chain. He highlighted manufacturers and R&D firms as particularly exposed to the risk of attack.

“For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain but are partly blind to the vulnerabilities that exist,” he added.

“For smaller companies, identifying ongoing risks and understanding overall supply chain health is a daunting but vital process, and more attention and resources should be dedicated to combating the growing threat.”

Leave a Reply