For two decades, enterprise security was organized around the perimeter model. Define the boundary of your network. Protect what crosses that boundary. Monitor what moves inside it. The underlying assumption was that the threat was external — attackers trying to get in — and the defense was separation between the inside and the outside.

Nation-state level attackers abandoned this model as their primary approach years ago. Direct network intrusion is detectable, requires significant ongoing operational security, and generates the kind of anomalous activity that well-resourced security operations can identify. Software supply chain compromise is cleaner. When the tool your target trusts installs the malware, the target installs the malware themselves. No intrusion. No anomaly. No alert.

Three Cases That Defined the Pattern

SolarWinds — 2020

Russian Foreign Intelligence Service (SVR) operators compromised the build environment of SolarWinds' Orion network management platform. A malicious update, distributed through SolarWinds' normal software update mechanism, installed a backdoor — SUNBURST — on approximately 18,000 customer networks. Targets included the US Treasury, Department of Homeland Security, State Department, and hundreds of private sector organizations. The compromise was active for nine months before detection.

XZ Utils — 2024

A sophisticated social engineering operation, conducted over approximately two years, inserted a malicious contributor into the development team of XZ Utils — a compression library present in virtually every Linux distribution. The malicious code, discovered weeks before broad deployment, was designed to compromise SSH authentication across affected systems. The operation demonstrated patience and technical sophistication beyond what most organizations model in their threat assessments.

3CX — 2023

North Korean actors compromised the 3CX desktop application — a widely-used business communications platform — through a supply chain attack on a financial software library. The compromised 3CX client was distributed to approximately 600,000 organizations globally. The attack targeted the communications platform specifically — providing access to the conversations of the platform's users rather than general network access.

The 3CX case is the most directly relevant to communications security. The attackers did not target 3CX's network to eavesdrop on calls. They targeted the software distribution mechanism to compromise the application installed on customer devices. The encryption 3CX provided between clients was irrelevant once the client itself was compromised.

"When the communications application is the attack vector, end-to-end encryption protects nothing. The malware is on both ends."

Why Communications Software Is the Preferred Target

Communications platforms are attractive supply chain targets for several reasons that are distinct from general enterprise software.

They are universally trusted. Communications software is by definition installed on devices belonging to the most sensitive conversations in an organization — executive communications, legal communications, operational planning. Compromising the communications layer provides access to the most valuable information without requiring navigation through other systems.

They require frequent updates. The trust model for software updates is fundamentally broken for most organizations — updates are installed because the vendor says to install them, with minimal verification of the content. Frequent update cycles provide frequent opportunities for supply chain insertion.

They have broad installation bases. A single successful supply chain compromise of a widely-used communications platform reaches thousands of target organizations simultaneously. The effort-to-impact ratio is far better than individually targeting each organization.

What Supply Chain Integrity Requires for Communications

The supply chain security problem for communications is not solved by more rigorous vendor audits, though audits are necessary. It is addressed architecturally — by reducing the attack surface that a supply chain compromise can reach, and by ensuring that a compromised application component cannot access the keys that protect communications.

Hardware-level key isolation means that even a fully compromised application cannot extract the cryptographic keys protecting communications. The keys exist in hardware that the application layer cannot directly access. A compromised application can intercept the communication at the point of display — after decryption — but cannot compromise the encryption of historical communications or future communications after the compromise is detected and remediated.

Auditable build processes and hardware attestation mean that the software running on a device can be verified against a known-good state, and deviations are detectable. This does not prevent supply chain compromise attempts. It makes successful compromise harder to conceal, and it reduces the window between compromise and detection.

The organizations that are most exposed to communications supply chain attacks are those running commercial communications software on general-purpose devices with no hardware key isolation, no build attestation, and no way to verify that the application they are running is the application they believe it to be.

The organizations that are least exposed have communications infrastructure where the encryption keys are protected at a level the application layer cannot reach, where the software supply chain is controlled and auditable, and where compromise of the application layer does not mean compromise of the communications it was designed to protect.

If your organization is evaluating communications infrastructure against supply chain threat models, we'd like to hear from you.

Get in Touch