
Securing Our Interconnected Future in 2025 and Beyond: Tackling Supply Chain Cybersecurity in Southeast Asia

Feb 2025
by Lim May-Ann

The geopolitical developments in 2025 have again cast the global spotlight on the critical role that supply chain security plays in global commerce and economic growth. After decades of globalization and optimization, today’s interconnected digital systems and global suppliers face an increasingly complex security landscape, chief among which is the intertwined threat of cybersecurity and supply chain security. Understanding and mitigating the risks embedded within our supply chains is no longer a niche concern but a critical imperative for the region’s continued prosperity and security.

Protection of Cyber Assets and Securing the Supply Chain

Broadly, cybersecurity involves defending our digital assets – such as computers, servers, mobile devices, networks, and data – from malicious attacks. These could range from malware and ransomware designed to extort or disrupt, to phishing / social engineering campaigns aimed at stealing credentials or getting approvals, and sophisticated Advanced Persistent Threats (APTs) seeking long-term espionage or sabotage. The attack surface itself is constantly expanding with the proliferation of Internet of Things (IoT) devices, the increasing reliance on cloud computing, and the rise of remote work and Bring Your Own Device (BYOD) policies, making robust cybersecurity a foundational need for every organization.

Supply chain security, in the cybersecurity context, focuses on the vulnerabilities inherent in the complex web of partners, vendors, and components that contribute to a final product or service. Risks to this supply chain refer to the threats and vulnerabilities associated with products throughout the entire supply chain lifecycle (read more in CCAPAC’s 2023 Annual Report on Critical Information Infrastructure and Supply Chain Security). Importantly, the “supply chain” goes beyond physical goods alone; it encompasses:

  • software development, including open-source libraries and third-party code,
  • hardware manufacturing, from chip design to prototyping to assembly, and
  • the services provided by external vendors, including IT support and cloud providers.

Supplier, Vendor, Provider: Identifying The Weakest Link(s)

A weakness or compromise at any point in this chain – whether through malicious code injected into a software update, a counterfeit hardware component with hidden backdoors, or a compromised third-party vendor with privileged access – can create significant vulnerabilities for the end-user or organization. This “trust” in numerous external entities is a fundamental challenge.

The convergence of these two domains of risk, supply chain and cybersecurity attacks, is where the threat truly escalates. Attackers increasingly view the supply chain as an opportune vector to bypass an organization’s direct defenses. By compromising a trusted supplier, they can potentially infiltrate hundreds or even thousands of downstream victims. For example:

  • In the SolarWinds attack of 2019, malicious code was inserted into Orion, a widely used IT management software product (a code injection attack), and the malware spread through SolarWinds’ customer systems, allowing the hackers to gain access to thousands of customer IT systems through the contagion.
  • In the 2017 NotPetya cyberattack, a (state-sponsored) attack by the Russian hacker group Sandworm first compromised Ukrainian accounting software from the company Linkos, used by many people doing business in Ukraine. The attack – designed less as ransomware than to be completely destructive – spread quickly throughout the world, and eventually caused a global shutdown of the shipping company Maersk (amongst other logistics shippers). The total cost of recovery for Maersk was estimated to be between USD 250-300 million, which starkly illustrates the devastating and widespread impact such attacks through supply chains can have.
  • In the 2025 M&S, Co-op, and Harrods attacks, it is believed that affiliates of DragonForce and Scattered Spider teamed up, leveraging sophisticated social engineering tactics, software exploits, and brute-force credential attacks to gain access to the network. Notably, the groups work in waves, targeting several organizations in the same sector for media visibility, and DragonForce has been active in the region before (Coca-Cola, Singapore in 2023).

Southeast Asia at the Intersection of Opportunity and Vulnerability

Southeast Asia sits at a unique intersection of opportunity and vulnerability when it comes to supply chain cybersecurity challenges. We highlight five such intersections:

(1) Southeast Asia’s manufacturing ecosystem is a tempting supply chain cyberattack target. Countries like Vietnam, Thailand, Malaysia, and Indonesia are integral to global manufacturing supply chains, particularly for electronics. This creates opportunities for malicious actors to introduce compromised hardware components or tamper with firmware during production. The risk of counterfeit electronics, which may not meet security standards or could contain malware, is also a significant concern, potentially impacting everything from consumer devices to industrial control systems.

(2) Southeast Asia’s expansive reach is also a vulnerability. With strong growth in its digital economy, Southeast Asia has also seen a rapid increase in products and services such as local software development, e-commerce platforms, and fintech solutions. These services often have a tightly interwoven application ecosystem, relying on third-party software (vendor vulnerability), open-source libraries, and Application Programming Interfaces (APIs). Any vulnerability in any of these components in the ecosystem will have a cascading and contagion effect.

(3) Critical Infrastructure, Maritime Logistics Dependencies. This threat is not limited to Southeast Asia – much of the world’s critical national infrastructure, such as energy, telecommunications, and transportation including maritime logistics, relies on technology and components sourced from around the world. The global software, hardware, and maintenance-ware supply chain therefore introduces the risk of embedded vulnerabilities or “kill switches” that could be exploited by bad actors, disrupting essential services in countries.

  • Earth Ammit is a threat actor which is focused on compromising trusted networks such as critical infrastructure suppliers via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach.

(4) SME vulnerabilities. Approximately 97% of all companies in Southeast Asia are Small and Medium-sized Enterprises (SMEs), which often do not have the resources and cybersecurity expertise of larger corporations. This makes them attractive targets for attackers seeking an entry point into the supply chains of the larger companies they partner with, as a compromised SME can serve as an unwitting Trojan horse, amongst other risks.

  • A real threat is looming with the planned phasing out of Windows 10 in Oct 2025, which is expected to put SMEs at risk. Many companies in Southeast Asia may not be able to afford the upgrade before the deadline comes, which would leave them vulnerable to attacks.

Charting a More Secure Path Forward

Addressing supply chain cybersecurity in Southeast Asia requires a multi-pronged, collaborative approach.

  • Enhanced Regional Cooperation. This can be done through ASEAN frameworks and national cybersecurity agencies, where national agencies may share threat intelligence, and harmonize baseline security standards across the region. Initiatives like the 2025 ASEAN Checklist for the Implementation of the Norms of Responsible State Behaviour in Cyberspace provide an example of a foundation for coordinated action.
  • Industry-Led Best Practices. Companies should champion robust vendor risk management programs, conducting thorough due diligence on their suppliers. For example, adopting and promoting the use of Software Bills of Materials (SBOMs) can provide greater transparency into software components. Other examples include using international standards to ensure secure coding practices, regular vulnerability assessments, and penetration testing of both internal systems and supplier interfaces.
  • Government Support and Regulation. Governments can play a role by establishing clear cybersecurity standards for critical industries and providing resources and incentives for companies (particularly SMEs) to improve their security posture. This could also include plans for cybersecurity resilience: the ability to quickly detect, respond to, and recover from supply chain compromises is vital. This includes having well-rehearsed incident response plans.
  • Building Cyber Capacity and Awareness. Governments and companies should invest in cybersecurity education and training, working to build up a cyber-literate and skilled workforce. Awareness programs for businesses of all sizes can help them manage human risk in cybersecurity and implement basic hygiene.

The security of our digital future in Southeast Asia is inextricably linked to the integrity of our supply chains. It’s not just about protecting individual organizations but about safeguarding our interconnected economic ecosystem. CCAPAC notes that these complex challenges require fostering a collective commitment to robust supply chain cybersecurity practices. We are committed to providing a strong platform for dialogue and discussion, where we can build a more resilient and trustworthy digital environment together, ensuring that Asia Pacific continues its digital transformation securely and successfully.