Beware of Solicitations from Fake Suppliers
At Lockheed Martin, supply chain security is a top priority and a critical part of our operations and efforts to advance industry excellence. We strive to support our suppliers because your company’s security is our security. This article seeks to raise awareness of a security issue that can impact us all but is more likely to impact smaller companies whose security posture may not be as strong or resilient as that of larger organizations.
Note: Use of the term “supplier” in this article refers to all third-party hardware, software and service providers.
Criminal vs. State-Sponsored Activity
Lockheed Martin is an obvious high-value target for criminals and adversaries seeking to gain access to sensitive data and technology; however, our suppliers are being targeted exponentially more year-over-year by adversaries using various tactics and techniques. One unique tactic that our suppliers should be aware of is the use of solicitations from fake suppliers, often posing as resellers or sourcing agents. These entities may pose as legitimate businesses while their true motive is to infiltrate the U.S. defense industrial base and allies by identifying and targeting smaller companies with weaker security posture.
Typically, the primary goal of criminal organizations is financial gain. Conversely, foreign adversaries may use front companies as a means to advance their own R&D programs and to degrade the national security, military capabilities and warfighter effectiveness of the U.S. and allies. Our adversaries have shown that an organization's security posture can be circumvented by targeting weaker links within that organization’s supply chain. Smaller companies with less security capability are more vulnerable because they often lack the resources and expertise to implement robust security measures, making them attractive targets for threat actors seeking to steal valuable intellectual property or sensitive data and technology. Additionally, smaller companies may have less visibility and oversight of their own supply chain, increasing the risk of infiltration by fake suppliers or other malicious actors.
Fake suppliers can be used to:
- Infiltrate the supply chain and gain access to sensitive data and technology
- Disrupt the supply chain and cause delays in production
- Insert counterfeit or malicious components into products
- Gain insights into the organization's operations and plans
- Gain access to employees for elicitation and recruitment
Spotting a Fake Supplier
Fake suppliers exist in many forms but they often operate as front companies for criminal or adversarial organizations. These front companies may appear legitimate at first glance but, upon closer inspection, may have suspicious characteristics such as:
- Lack of a physical address or a post office box as their only address
- Limited or no presence on the internet
- No established history or track record
- Offering products or services at unusually low prices
- Unwillingness to provide references or customer testimonials
- Claiming to supply a large defense contractor but unwilling to provide a POC
- Requesting quotes for restricted items under EAR, ITAR, CCL, NRC, OFAC, etc.
Recent Open Source Information
Here are some examples of open-source reporting on foreign adversaries using fake supplier schemes to gain access to sensitive data and technology:
In 2020, the cybersecurity firm FireEye reported that a North Korean state-sponsored hacking group had been using a fake supplier scheme to steal sensitive data from companies in the defense, aerospace, and telecommunications sectors. The hackers posed as legitimate suppliers and sent emails with malicious attachments to employees of the targeted companies. (Source: FireEye)
In 2021, the cybersecurity firm Proofpoint reported that a Russian state-sponsored hacking group had been using a fake supplier scheme to steal sensitive data from companies in the energy, engineering, and heavy machinery sectors. The hackers posed as legitimate suppliers and sent emails with malicious attachments to employees of the targeted companies. (Source: Proofpoint)
In 2021, the cybersecurity firm CrowdStrike reported that a Chinese state-sponsored hacking group had been using a fake supplier scheme to steal intellectual property from companies in the technology, manufacturing, and pharmaceutical sectors. The hackers posed as legitimate suppliers and sent emails with malicious attachments to employees of the targeted companies. (Source: CrowdStrike)
These examples demonstrate that foreign adversaries are actively using fake supplier schemes to gain access to target the defense sector and other critical sectors.
How could this affect my company?
Lockheed Martin suppliers that fall victim to fake supplier scams can suffer significant consequences, including:
- Financial loss due to stolen products or services
- Damage to reputation and loss of business
- Legal and regulatory penalties for failing to protect sensitive data
- Exposure of intellectual property to foreign adversaries
- Disruption of the supply chain and production delays
- Similar customer-level impacts
What protection measures can I implement?
Companies should be vigilant and implement robust security measures to protect against this threat. Consider the following:
- Procurement Process: Implement strict procurement processes and procedures to ensure that all suppliers are thoroughly vetted before being added to the approved supplier list.
- Supplier Communications: Establish a secure and encrypted communication channel with suppliers to protect sensitive data and information.
- Supplier screening process: Create or review your company’s supplier screening process. Verify the identity and legitimacy of potential suppliers before engaging in business. This can be done by conducting due diligence, confirming business registration with the U.S. Securities and Exchange Commission (SEC) or state administrator, checking references, verifying their physical address and internet presence and calling Lockheed Martin for confirmation. In addition, ensure similar requirements are required of sub-contractors.
- Awareness Training: Provide training and awareness programs to your general employee population to help them identify and report potential fake supplier scams. This may be included in a standard security training curriculum for all employees. Also, provide in-depth, tailored training to your purchasing and procurement representatives on how to spot red flags for fake suppliers and steps to take if they have concerns.
- Routine Audits: Develop regular audits to verify the effectiveness of awareness training, and regularly review and monitor procurement processes and your supply chain for signs of suspicious activity or irregularities.
- Industry Information Sharing: Maintain awareness of supply chain security trends by participating in industry liaison programs and contacting your prime contractor if you have any concerns you may need assistance with.
- Government Resources: Leverage government-provided open-source resources to stay up-to-date on the latest threats and best practices for securing intellectual property and sensitive data. These resources can provide valuable information and guidance on implementing security controls, managing supply chain risks and responding to cyber incidents. Additionally, many of these resources offer opportunities for collaboration and information sharing with other organizations and government agencies which can help companies build a stronger security posture and reduce vulnerabilities. Some examples include:
- DCSA’s Center for Development of Security Excellence (CDSE): CDSE is a directorate within the Defense Counterintelligence and Security Agency and executes the functional manager responsibility (DODI 3305.13) that ensures security training, education, and certification standards are consistently met in the deployment of products and services for the Department of Defense (DOD). In doing so, CDSE provides security education, training and certification products and services to a broad audience supporting the protection of National Security and professionalization of the DOD security enterprise.
Cybersecurity and Infrastructure Security Agency (CISA): CISA is a U.S. government agency that provides a range of resources and services to help organizations secure their cyber infrastructure. CISA's website offers a wealth of information on threats, vulnerabilities and best practices, as well as alerts and advisories on current cyber threats.
US CERT’s National Cyber Awareness System (NCAS): NCAS is a free subscription-based service that provides information on cybersecurity threats and best practices. NCAS offers a range of products, including alerts, bulletins and current activity updates, as well as a weekly vulnerability summary.
Federal Trade Commission (FTC): The FTC provides resources and guidance on protecting intellectual property and preventing cybercrime. The FTC's website includes information on data security, identity theft and online fraud, as well as guidance on developing a cybersecurity plan.
DHS’s Science and Technology Directorate (S&T): DHS S&T provides information and resources on emerging technologies and best practices for securing critical infrastructure. DHS S&T's website includes information on cybersecurity research and development, as well as resources on supply chain security and risk management.
- National Institute of Standards and Technology (NIST): NIST provides a range of resources and guidelines for implementing best practices in cybersecurity. NIST's Cybersecurity Framework is a voluntary framework that provides a common language and set of guidelines for managing cybersecurity risks.
Conclusion
The threat of fake suppliers is a real and growing concern for defense companies and our supply chains. As you continue to work with your Lockheed Martin representative, together we can reduce our vulnerability and protect our businesses, reputations and critical assets, and deliver uncompromised products to our customers by understanding the risks and implementing robust protection measures. As a leading defense company, we are committed to working with our suppliers to ensure the security and integrity of our supply chain.