Why it matters – the global view
Malicious actors are increasingly bypassing organisations’ own defences by targeting blind spots: vulnerabilities in the supply chain and other dependencies that are easy to overlook.
Supply chain (or third-party) attacks occur when actors gain access through vulnerabilities in third-party products and services, vendors and service providers, or software, instead of attacking the target organisation directly. The approach works where the third party does not adhere to the same security standards as the target, or where actors are prepared to invest effort in compromising the third party because it is the key to one or more valuable targets. Some attackers have achieved this through social engineering alone.
Supply chain attacks are conducted by both financially motivated criminals and state-sponsored actors.
Other examples of organisational blind spots include legacy technology, configuration errors, and incomplete closure of accounts at the end of employment.
Organisations can also be indirectly impacted due to the cascading effects of a cyber security incident. A compromise of a single organisation of any size can trigger systemic disruption to the interconnected organisations in that sector, or those who rely on that organisation for business operations.
Operational technology (OT) is an area where blind spots can occur. Organisations may not be accustomed to considering cyber security risks for technology that was previously protected by air gaps (i.e. physically separated from other networks). Connecting OT to corporate IT networks, vendor remote-access tools and the internet introduces new risks that organisations need to manage.
Examples
- In 2021, a vulnerability in Apache Log4j, a Java-based logging library (CVE-2021-44228, widely known as Log4Shell), was exploited at scale by threat actors to compromise organisations worldwide. Few system administrators or IT professionals knew they were running Log4j, because it was frequently bundled inside commercial software rather than installed deliberately. By targeting a weakness in a little-known library, cyber actors gained access through unseen weaknesses in a wide range of commercially purchased and business-critical software. The Log4j vulnerability has had a long tail in New Zealand and overseas, and continues to provide sophisticated cyber actors with a viable entry route to networks even in 2025.
- In 2025, a hacking group known as Scattered Spider was responsible for several high-profile supply chain attacks, including one against Marks & Spencer (M&S) in the UK. The group is known for its social engineering techniques, including posing as IT or helpdesk workers to convince staff to hand over credentials or multi-factor authentication codes, or to run remote access tools.
- In 2025, a security researcher discovered a vulnerability in Microsoft’s cloud identity service, Entra ID, that could have granted access to every Entra ID tenant. Microsoft reported no evidence of exploitation before it fixed the flaw (CVE-2025-55241). Had it been exploited, an attacker could have acted as a Global Administrator in any or all tenancies, including creating accounts, with widespread impact.
- Also in 2025, threat actors used a critical vulnerability in SAP NetWeaver, a widely used enterprise software platform, to deploy backdoor malware. SAP released a patch quickly, but organisations that did not apply it in time were compromised regardless. In one reported case, attackers deployed the malware, established control and began extracting sensitive data within hours.
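The Log4j example above turns on a simple problem: organisations could not see which of their products carried the library. The following script, added here as an illustration and not part of the report or any NCSC tooling, shows the kind of inventory check a practitioner would run. It walks JAR/WAR/EAR files, descends into archives nested inside them (where bundled copies hide), reads the Maven metadata that log4j-core ships with, and reports the version against the 2021 advisories. The sample WAR it scans is constructed in memory; the archive name and layout are assumptions, not taken from any real product.

```python
"""Inventory log4j-core hidden inside application archives (added example)."""
import io
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = {".jar", ".war", ".ear", ".zip"}
# Class whose presence marks a log4j-core 2.x build with JNDI lookups compiled in.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core, carrying an exact version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(pom_properties_text):
    """Return the version= value from a pom.properties file, or None."""
    for line in pom_properties_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '-rc1' or '-beta9' are dropped."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece.split("-")[0] if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version):
    """Map a log4j-core version to its status against the 2021 Log4Shell advisories."""
    if version is None:
        return "log4j-core present, version unknown: inspect manually"
    v = version_tuple(version)
    if v < (2, 0, 0):
        return "Log4j 1.x: not affected by CVE-2021-44228, but end-of-life"
    # Backported fixes exist for the Java 6 (2.3.x) and Java 7 (2.12.x) branches.
    if (v[:2] == (2, 3) and v >= (2, 3, 1)) or (v[:2] == (2, 12) and v >= (2, 12, 2)):
        return "backported fix branch: confirm latest patch level for that branch"
    if v < (2, 15, 0):
        return "VULNERABLE to CVE-2021-44228 (Log4Shell): upgrade"
    if v < (2, 17, 1):
        return "incomplete fix: later 2021 advisories apply, upgrade to 2.17.1 or newer"
    return "patched against the 2021 Log4Shell advisories"


def scan_archive_bytes(data, label, findings, depth=0, max_depth=5):
    """Record log4j-core findings in one archive and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file or a plain resource)
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names or POM_PROPS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "status": classify(version),
            })
        if depth < max_depth:
            for member in sorted(names):
                if Path(member).suffix.lower() in ARCHIVE_SUFFIXES:
                    scan_archive_bytes(zf.read(member), f"{label}!{member}",
                                       findings, depth + 1, max_depth)


def scan_path(root):
    """Scan a file or a directory tree on disk; returns a list of finding dicts."""
    root = Path(root)
    findings = []
    candidates = [root] if root.is_file() else root.rglob("*")
    for path in candidates:
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive_bytes(path.read_bytes(), str(path), findings)
    return findings


def build_sample_war():
    """Constructed sample (assumption): a WAR bundling log4j-core 2.14.1 under WEB-INF/lib."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\nversion=2.14.1\n")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/vendor-utils.jar", b"")  # not a real zip: skipped
    return outer.getvalue()


def scan_sample():
    """Scan the constructed WAR; hypothetical archive name."""
    findings = []
    scan_archive_bytes(build_sample_war(), "acme-portal.war", findings)
    return findings


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['archive']}: log4j-core {f['version']} -> {f['status']}")
```

A hit is a finding to triage, not proof of exploitability: whether the bundling product passes attacker-controlled strings to the logger is a separate question, which is why the vendor's own advisory still matters. Run `scan_path()` over application and vendor install directories rather than relying on package managers, which do not see JARs nested inside a WAR.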
Tactics and techniques
Technology evolution means organisations are now more reliant on digital information, outsourcing and cloud platforms, including software-as-a-service. With more platforms, services and providers in the supply chain mix, a typical organisation’s attack surface is growing. Outsourced systems also split responsibility for security between provider and customer, which creates gaps when organisations are unclear on who is doing what.
Threat actors understand these challenges and exploit them accordingly.
The New Zealand landscape
Although we have not observed high-profile data breaches of New Zealand organisations in the past year, New Zealand customers have been affected by breaches of overseas organisations such as Qantas, where cybercriminals stole the records of millions of customers through a third-party contact centre platform.
In 2025, a cyber actor advertised on a dark web forum millions of credentials reportedly taken from a legacy Oracle-hosted cloud service. By some estimates, key and credential material belonging to over 100,000 customers had been exposed. The NCSC tracked the activity and advised critical sectors on precautions they could take.
Activity similar to that linked to the Scattered Spider group has also been observed in New Zealand. Scattered Spider targets IT helpdesks and uses the resulting access for data extortion and ransomware. Its attacks typically begin with social engineering to learn how a target’s helpdesk handles password resets, followed by phone calls to employees to gather the personal details needed to pass the helpdesk’s identity checks and obtain a reset. The group may also mine social media for that information.
The NCSC is aware of similar techniques targeting helpdesks that have been used to infiltrate a number of New Zealand organisations.
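The helpdesk technique described above leaves a recognisable trace in identity logs: an administrator-initiated password reset, followed shortly by the account registering a new authentication method that belongs to the attacker. The following detection, added here as an illustration and not part of the report or any NCSC tooling, correlates those two events. It reads Microsoft Entra ID audit entries in the Microsoft Graph directoryAudit shape; the events, account names and the one-hour window are constructed assumptions for the example.

```python
"""Correlate a helpdesk password reset with a subsequent MFA method change (added example)."""
from datetime import datetime, timedelta

# Entra ID audit activity names of interest (extend to your tenant's telemetry).
RESET_ACTIVITIES = {"Reset user password"}
MFA_CHANGE_ACTIVITIES = {"User registered security info", "User deleted security info"}


def _parse_time(value):
    """Parse the ISO-8601 UTC timestamps the Graph API emits ('...Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _initiator(event):
    user = (event.get("initiatedBy") or {}).get("user") or {}
    return (user.get("userPrincipalName") or "").lower()


def _target(event):
    for res in event.get("targetResources") or []:
        if res.get("type") == "User" and res.get("userPrincipalName"):
            return res["userPrincipalName"].lower()
    return ""


def detect_reset_then_mfa_change(events, window_minutes=60):
    """Return one alert per (admin-initiated reset, MFA change) pair inside the window."""
    alerts = []
    resets = {}  # target UPN -> list of (time, account that performed the reset)
    for event in sorted(events, key=lambda e: _parse_time(e["activityDateTime"])):
        target = _target(event)
        if not target:
            continue
        when = _parse_time(event["activityDateTime"])
        activity = event.get("activityDisplayName", "")
        actor = _initiator(event)
        if activity in RESET_ACTIVITIES and actor and actor != target:
            # Someone other than the user reset the password: helpdesk or admin.
            resets.setdefault(target, []).append((when, actor))
        elif activity in MFA_CHANGE_ACTIVITIES:
            for reset_time, helpdesk in resets.get(target, []):
                gap = when - reset_time
                if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                    alerts.append({
                        "user": target,
                        "helpdesk_account": helpdesk,
                        "reset_at": reset_time.isoformat(),
                        "mfa_change": activity,
                        "minutes_after_reset": round(gap.total_seconds() / 60, 1),
                    })
    return alerts


def _event(time, activity, actor, target):
    """Build a minimal directoryAudit-shaped record (constructed test data)."""
    return {
        "activityDateTime": time,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"type": "User", "userPrincipalName": target}],
    }


HELPDESK = "helpdesk.agent@example.govt.nz"  # hypothetical account
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Hijack pattern: helpdesk reset, then a new authenticator 12 minutes later.
    _event("2025-06-03T09:14:22Z", "Reset user password", HELPDESK, "alice@example.govt.nz"),
    _event("2025-06-03T09:26:05Z", "User registered security info",
           "alice@example.govt.nz", "alice@example.govt.nz"),
    # Routine: helpdesk reset with no MFA change afterwards.
    _event("2025-06-03T10:02:00Z", "Reset user password", HELPDESK, "carol@example.govt.nz"),
    # Routine: user re-registers MFA on a new phone with no preceding reset.
    _event("2025-06-03T11:40:13Z", "User registered security info",
           "dave@example.govt.nz", "dave@example.govt.nz"),
    # Outside the window: reset in the morning, MFA change in the afternoon.
    _event("2025-06-03T08:00:00Z", "Reset user password", HELPDESK, "erin@example.govt.nz"),
    _event("2025-06-03T15:30:00Z", "User registered security info",
           "erin@example.govt.nz", "erin@example.govt.nz"),
]


def run_sample():
    return detect_reset_then_mfa_change(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule is deliberately narrow so it can page a human: every hit names the helpdesk account that performed the reset, which lets responders call that agent back and verify whether the ticket was genuine. Tune the window to your own reset-to-enrolment baseline, and treat a single helpdesk account resetting several users in quick succession as a separate signal worth its own rule.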
Government agencies are a valuable target for both state-sponsored and financially motivated actors. Both types of actors have successfully compromised IT service providers with New Zealand Government customers in the last five years. Due to the nature of these businesses, there are significant impacts beyond the single organisation.
As described below in Case Study 4, supply chain attacks are occurring in New Zealand where a breach of a subsidiary or vendor is used as a stepping stone to a larger and potentially more lucrative target.
Operational technology
It’s not just IT that’s vulnerable to exploitation – OT is also at risk. OT refers to systems that interface with the physical world to automatically control and monitor equipment and processes. Many New Zealand organisations rely on OT systems to deliver services, including those in critical sectors like water, electricity and transport. Common types of OT include industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and building management systems.
Historically, OT devices were designed for use in isolated, air-gapped networks without external connectivity. Due to business requirements such as the need for remote control or monitoring of OT equipment, OT devices are increasingly connected to the internet and corporate IT networks. However, many OT devices lack adequate security functionality. They are often legacy devices that are difficult to patch and may be challenging to upgrade or replace due to high costs or operational requirements.
During 2024/25, NCSC analysis of public-facing infrastructure identified numerous OT devices in New Zealand that are connected to the internet. It is highly likely that the asset owners were unaware of the risk posed by this exposure.
OT is increasingly being targeted by malicious cyber activity worldwide. Malicious cyber actors may opportunistically or systematically target OT devices in New Zealand for financial or political gain. The potential impacts of unauthorised access to OT devices include financial loss, loss of asset control, loss or degradation of essential services, environmental impacts or, in serious cases, loss of life.
Case study 4: Vendor compromise prevented
In June 2025, an organisation in the energy sector received a malicious email sent to several of its mailboxes. The email came from a compromised account belonging to an external vendor and contained a link to a malicious PDF hosted on the vendor’s own SharePoint site. This is a form of business email compromise (BEC), a type of phishing: because the message came from a genuine, trusted vendor account and pointed at the vendor’s legitimate file-sharing service, the usual indicators of a spoofed sender were absent.
Implications for organisations
The interconnected nature of IT infrastructure means organisations need to look beyond what they directly control when considering their cyber security.
Organisations must also consider weaknesses in vendors or third-party suppliers that could be used as access points into their own environment.
Organisations also need to consider the indirect impact of an organisation they rely on being impacted by a cyber security incident, and the flow-on impacts to business operations and customer trust.
This could include a critical system being unavailable due to a ransomware or a denial-of-service event, or an organisation holding your information being subject to a data breach. A supplier or vendor you work with could have its business email system compromised, resulting in your organisation paying fraudulent invoices.
The NCSC strongly recommends that OT asset owners and operators identify internet-connected OT devices in their networks. Where internet connectivity is unintentional or unnecessary, operators should change configurations to prevent or restrict access to, from, or across the internet. Where remote connectivity is necessary, a layered defence should be implemented.
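The first step in that recommendation, finding out which OT devices are reachable from the internet, is often done by scanning your own public address ranges and checking for industrial protocol ports. The following script, added here as an illustration and not part of the report or any NCSC tooling, parses Nmap XML output (`-oX`) and flags open ports on well-known OT protocols. The scan result it processes is constructed; the address range and the port list are assumptions, and it assumes you scan only address space you own or are authorised to test.

```python
"""Flag internet-exposed OT protocol services in an Nmap XML scan (added example)."""
import xml.etree.ElementTree as ET

# (transport, port) -> industrial protocol that normally listens there.
OT_PORTS = {
    ("tcp", 102): "Siemens S7comm (ISO-TSAP)",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 2404): "IEC 60870-5-104",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP (CIP)",
    ("udp", 44818): "EtherNet/IP (CIP)",
    ("tcp", 1911): "Tridium Niagara Fox",
    ("tcp", 4911): "Tridium Niagara Fox (TLS)",
    ("udp", 47808): "BACnet/IP",
}

# Nmap cannot always distinguish open UDP ports from filtered ones, so an
# "open|filtered" result on an OT port is reported for follow-up, not ignored.
CONFIDENCE = {"open": "confirmed", "open|filtered": "unconfirmed"}


def find_exposed_ot(nmap_xml):
    """Return a list of findings for OT ports that are open (or possibly open) per host."""
    root = ET.fromstring(nmap_xml)
    findings = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") not in CONFIDENCE:
                continue
            key = (port.get("protocol"), int(port.get("portid")))
            if key not in OT_PORTS:
                continue
            service = port.find("service")
            findings.append({
                "host": addr,
                "protocol": key[0],
                "port": key[1],
                "ot_protocol": OT_PORTS[key],
                "nmap_service": service.get("name") if service is not None else None,
                "confidence": CONFIDENCE[state.get("state")],
            })
    return findings


# Constructed scan output (assumption); 203.0.113.0/24 is documentation address space.
SAMPLE_SCAN = """<nmaprun scanner="nmap" args="nmap -sS -sU -oX scan.xml 203.0.113.0/28">
<host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
<port protocol="tcp" portid="502"><state state="open" reason="syn-ack"/><service name="mbap"/></port>
<port protocol="tcp" portid="44818"><state state="open" reason="syn-ack"/><service name="EtherNetIP-2"/></port>
<port protocol="udp" portid="47808"><state state="open|filtered" reason="no-response"/><service name="bacnet"/></port>
</ports></host>
<host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="502"><state state="filtered" reason="no-response"/></port>
</ports></host>
</nmaprun>"""


def run_sample():
    return find_exposed_ot(SAMPLE_SCAN)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['host']} {f['protocol']}/{f['port']} {f['ot_protocol']} "
              f"({f['confidence']}, nmap says {f['nmap_service']})")
```

A confirmed hit means the device, or something in front of it answering as the device, is reachable from anywhere on the internet; compare each one against your asset register to decide whether the exposure is intentional, and remember that external scanning only finds what your own address space advertises, not OT reachable through a vendor's remote-access tunnel.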
Readiness considerations
Five questions leaders should be asking:
- How well do we understand and manage cybersecurity risk across our supply chain?
- What requirements are placed in contracts regarding management of supply chain risk?
- Do we provide training to staff to recognise social engineering attacks?
- Have we considered supply chain cyber incidents in our business continuity planning?
- If our organisation uses OT, are we confident there are no unintentional or non-essential instances of internet-connected OT in our network?
Resources
- Supply Chain Cyber Security: In Safe Hands
- Preventing unintentional operational technology (OT) device exposure
- New Zealand Information Security Manual: Product Security / Supply Chain
Key cyber security terms and their definitions can be found in our glossary: