Software supply chain attacks are a regular feature of cybersecurity but remain understudied as a tactic of malicious actors and a tool of cyber statecraft. This dashboard provides an interactive visualization of the dataset and its major trends. The charts break down incidents by several criteria, including scale and impact, when they took place, the responsible actors (if attributed), targeted codebase, and attack and distribution vectors.

A list of every incident in this dataset is available at the bottom of the page, and both this list and all charts and graphs can be further filtered by the slider and drop-down menus below. Clicking on any value will offer the option to filter the entire dashboard. To download the filtered version of the tableau dashboard and the dataset, please use the download button in the bottom right. Definitions of key terms and data categories can be found by hovering over values in each graph or chart the codebook, which can be downloaded along with the full dataset below.

To download the full dataset or its codebook, use the buttons below.

Update 1 – 2020 – 82 software supply chain attacks and 33 disclosures 

Update 2 – 2021 – 117 software supply chain attacks and 44 disclosures

Update 3 – 2023 – 168 software supply chain attacks and 72 disclosures

Breaking trust

This report evaluates a dataset of 161 software supply chain attacks and vulnerability disclosures collected from public reporting over the past 10 years to show that software supply chain attacks are popular, impactful, and used to great effect by states. Software supply chain attacks provide huge value for attackers and remain popular.

These attacks are impactful, giving attackers access to critical infrastructure like electrical power generation and nuclear enrichment systems. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts.

This dataset is open and freely available for download.

 

Return to Project Home Explore the dataset

Issue briefs and reports Jul 26, 2020

Breaking trust: Shades of crisis across an insecure software supply chain

Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires more coherent policy response together industry and open source communities.

Read More

Feature Jul 26, 2020

App stores in focus

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

App stores and hubs are a popular target for software supply chain attacks on large numbers of users, exploiting trust in proprietary app ecosystems and the security of storefronts like Play Store and App Store.

Cybersecurity Technology & Innovation

Feature Jul 26, 2020

Deep impact: States and software supply chain attacks

By Trey Herr, June Lee, Will Loomis, and Stewart Scott

States have used software supply chain attacks to great effect. Hijacked updates have routinely delivered the most crippling state-backed attacks, thanks in part to a continued failure to secure the code-signing process.

China Cybersecurity

The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

learn more

Related Experts: Trey Herr, Will Loomis, and Stewart Scott