Supply Chain Compromise
Compromise software, hardware, or service providers used by the target.
§ Where this technique fits
T1195 is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 3.3 on average.
Authoritative reference: attack.mitre.org/techniques/T1195/.
§ Dossiers chaining this technique
- step 3 / 6 · Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
  Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- step 3 / 5 · Hardware wallet supply-chain tamper → pre-seeded seed
  Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- step 3 / 6 · GitHub OIDC trust over-broad → AWS admin
  An IAM role trusts GitHub Actions OIDC with a wildcard 'repo:*' subject. Any attacker GitHub repo can assume the role and run with its privileges.
- step 4 / 7 · Build-system implant → signed supply-chain backdoor (SolarWinds-class)
  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
§ What commonly comes next
- 01 · AWS sts:AssumeRole Chain (seen 1×) · C-AWS-ASSUMEROLE-CHAIN · Lateral Movement
- 02 · GitHub Action Tag Mutation (seen 1×) · SUP-ACTION-TAG-MUTATION · Persistence
- 03 · User Execution (seen 1×) · T1204 · Execution
- 04 · Valid Accounts (seen 1×) · T1078 · Initial Access