Blue Yonder Outage Could Impact 3.5 Million Companies through Extended Supply Chain

Authors: Andrea Little Limbago, PhD, SVP, Applied AI and Mackenzie Clark, Senior Computational Social Scientist 

For over a decade, cybersecurity experts have designated each year ‘the year of ransomware’.  

Although by some accounts the first ransomware attack dates back to 1989, the steady increase in ransomware attacks – and their financial impact – has been most prominent since 2013 with the CryptoLocker attack and the millions of dollars extorted from victims.  

Yesterday’s news of the ransomware attack targeting software company Blue Yonder is just the latest widespread ransomware attack. 

It also follows closely on the heels of the Finastra breach, which Finastra was quick to point out was not a ransomware attack but rather a more isolated incident in terms of exposure.

A review of the companies impacted reveals how widespread the risk can be even when the breach itself is more isolated.

Blue Yonder Ransomware Attack: Isolated Incident or Sprawling Global Impact? 

Supply chain software company Blue Yonder was hit hard by a ransomware attack beginning November 21, 2024, disrupting a private cloud computing service. Interos data shows thousands of direct customers could have been impacted. 

Of the direct customers, the hardest hit industries were:  

  1. Supermarkets, department stores and other retailers 
  2. Software and IT Services 
  3. Food Service 
  4. Apparel Retailers 

70% of the companies directly supplied by Blue Yonder are located in the United States.  

“The ransomware attack on Blue Yonder highlights the heightened seasonality of cyber attacks during the holiday season. Lurking beneath the surface of even isolated attacks like Finastra, there is hidden, expansive risk exposure across the extended supply chain. Over 3.5 million businesses are at risk from this one attack: beyond thousands of direct customers of Blue Yonder, 800,000 suppliers to these companies and an additional 2.7 million that supply those suppliers are all within the blast radius of the attack.

Without visibility and monitoring, the supply chain is the snake in the grass for exposing your business to serious risk.”   

 – Ted Krantz, CEO of interos.ai, the AI-powered supply chain risk intelligence company   

According to Interos data, of these 3.5 million companies across Tier 1, Tier 2, and Tier 3, over 36% of them are in the United States, but potential disruptions could reach much farther than that.  

These 3.5 million distinct companies represent over 40 million customer relationships between buyers and suppliers.  

Almost 9% of the companies are located in India, 8% in the United Kingdom, and 4% in Germany.  

The top five potentially exposed industries among these companies include:   

  1. Business Management Services  
  2. Software and IT Services  
  3. Consumer Goods  
  4. Architectural, Engineering, and Design Services  
  5. Building and Civil Engineering Construction 

Finastra Breach: Could Impact Up to 3.4 Million Companies  

Interos tracked the Finastra breach and identified that over 25% of the world’s 100 largest banks are directly supplied by the compromised company.  

This analysis surfaced hundreds of banking and financial services companies that could be directly impacted by the Finastra breach, including private banks, national banks, and even international development banks. 

When analyzing the extended impact, the number of potentially disrupted companies skyrockets.  

Across Tier 1, Tier 2, and Tier 3 of Finastra’s downstream supply chain, Interos identified over 3.4 million distinct companies that could be impacted directly or indirectly by the Finastra breach through supplier-customer relationships. 

Interos also identified over 778,000 companies that are supplied by one of Finastra’s direct customers (Tier 2), and over 2.6 million companies supplied by those companies (Tier 3). 

Cyber Seasonality: End-Of-Year Holidays Spike in Cyber Attacks 

Unfortunately, there is traditionally an end-of-year holiday spike across a wide range of malicious cyber activity.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released tips for exactly this reason, to help individuals and companies stay safe online during the holiday season.

From email scams to social media supply chain attacks, it's important to understand the threat landscape and stay aware of the risks.

For businesses, these attacks could be devastating and far-reaching – to the tune of $100 million.

Interos’ data shows ongoing supply chain disruptions cost enterprises $100 million in annual losses on average. 

Before disaster hits, Interos’s critical risk intelligence platform helps companies mitigate the financial impacts of multi-tier risks like cyber attacks by continuously mapping and monitoring extended supply chains at speed and scale. 

Learn how to defend against digital threats. Speak to an expert today.

It’s That Time of Year Again: US Government Releases New Restrictions List

Authors: Andrea Little Limbago, PhD, SVP, Applied AI and Mackenzie Clark, Senior Computational Social Scientist 

Annual Tradition: End of Year Sanctions and Restrictions 

Last week’s release of UFLPA and OFAC restrictions follows a recent trend where widespread export controls are released en masse prior to the new year.  

For instance, in December 2023, the Departments of Treasury and State issued sweeping sanctions targeting Russia’s energy production and export capacity. This was followed a few weeks later by an Executive Order (E.O. 14114) that issued another round of sanctions against financial institutions supporting Russia’s military-industrial base. It was also preceded by two different rounds of Russia-related sanctions on December 1 and November 16. 

Similarly, in December 2022, Treasury issued several sanctions targeting Russia’s financial sector, very much in alignment with those issued last Thursday. This continued the trend from December 2021, when Treasury issued distinct sanctions targeting Belarus and entities associated with human rights abuses.  

The UFLPA also made some end-of-year additions in 2023, although those were much fewer than the 29 companies added last week, which increased the overall entity list to over 100 Chinese companies connected to forced labor.

We recently covered two of the latest additions and the potential impact they could have on global steel and aspartame (a sugar substitute) supply chains (spoiler: tens of millions of companies could be impacted).

If the past week is any indication of what is to come, organizations should expect more restrictions to follow the path of the recent updates focused on Russian financial institutions and human rights abuses.  


The following analysis will answer:  

  • How far do the OFAC and UFLPA-sanctioned companies reach globally?  
  • Which industries are most at risk for potential future sanctions?  
  • How do you react to these and prepare for future sanctions?  

The Latest Round of OFAC Restrictions on Banks and Financial Services in Russia: Who is Impacted? 

The latest sanctions announcements from the United States Department of the Treasury and Department of Homeland Security target a wide array of companies in Russia and China. The extended impact of these restrictions, however, has the potential to cascade to companies across the globe.

On November 21, the addition of Gazprombank — and almost 100 other international subsidiaries and affiliates — to OFAC’s Specially Designated Nationals (SDN) List marked the designation of “Russia’s largest remaining non-designated bank.”  

With Russia’s largest financial institutions sanctioned by not only the United States, but other major countries such as Canada and the United Kingdom, it is important to understand where the risk of exposure to these sanctioned banks may still exist. 

Using Interos data, we analyzed the extended supply chains of Gazprombank, VTB Bank, and Sberbank and identified over 7,500 companies across three tiers of supplier relationships that are either directly or indirectly supplied by one of the banks.  

These numbers are relatively low compared to other supply chain propagation, likely due to decreasing integration of Russian banks with the Western economies since the invasion of Ukraine.  

Nevertheless, the scale is by no means trivial and indicates the stickiness of these relationships. 

Of the potentially exposed companies with supplier-buyer relationships linked to the new sanctioned entities, almost 60% of them are located either in the United States or the United Kingdom.  

When leveraging Interos’ Industry Categories designations, we identified the top three sectors represented across the sanctioned companies as Software and IT Services, Banking and Financial Services, and Business Management Services.  

29 Million Companies Could Face Fines from UFLPA Entity List Additions: Agricultural Products, Metals, and Polysilicon in China  

Just one day after the new restrictions targeting the Russian banking industry, 29 new companies were added to the Uyghur Forced Labor Prevention Act (UFLPA) Entity List, bringing the total number of companies on the list to over 100.  

This action primarily targeted companies that produce agricultural goods, specifically tomato paste and tomato products, walnuts, red dates and raisins. Other newly restricted companies include exporters of materials and products derived from aluminum, nonferrous metals, and polysilicon. 

Interos conducted an analysis on the extended supply chain of these companies and identified over 29 million companies across three tiers of supplier relationships that are either directly or indirectly supplied by one of the newly restricted UFLPA entities.  

These companies could be subject to UFLPA fines.  

Again, most of the companies that could be impacted — over 34% of them — are located in the United States, followed by the United Kingdom (9%), India (8%), Germany (4%), and Italy (3%) – and thus could be subject to UFLPA fines. 

Leveraging Interos's Industry Categories reveals that the top three sectors among this group of exposed companies are Business Management Services, Software and IT Services, and Consumer Goods.

These two scenarios, while distinct, highlight the importance of continuously monitoring suppliers of both services and physical goods to avoid potential fines, seizure of imports and reputational damage.  

Which Industries are Most at Risk Looking Ahead? 

Given the ongoing implementation of export controls and industrial policy, organizations should plan for future additions to these and dozens of other restrictions lists. Fortunately, there are a few insights to help look ahead and begin de-risking from future regulatory risks. 

For instance, in September, the Department of Commerce’s Bureau of Industry and Security (BIS) introduced worldwide export controls on critical technologies.  

These include: additive manufacturing items, advanced semiconductor manufacturing equipment, quantum computing items, and gate-all-around field-effect transistor (GAAFET) technology.

A presumption of denial affects countries deemed a national security concern, including Armenia, Belarus, Cuba, Iraq, North Korea and Russia.

Companies in these industries (as well as other critical and emerging technology industries) and companies from those countries are at immediate regulatory risk.

Similarly, BIS also has a high priority list focused on Russian products believed to fuel Russia’s military-industrial complex.  

Companies associated with these products, as well as those across a wide range of critical technologies, are much more likely to appear on a restrictions list in the future than those in other product or industry categories. 

Monitoring Risk Exposure with Risk Intelligence Data 

Geography is another means for assessing future restrictions risk.  

In addition to companies in those countries (BIS Country Groups D and E), companies located in, or with a supply chain connection to, the Xinjiang Uyghur Autonomous Region (XUAR) are also at significantly greater risk of future inclusion on restrictions lists.

Using Interos data, we identified over 231,000 other companies located in XUAR that may pose future compliance risks in global supply chains.  

When analyzing three tiers of supplier relationships for these companies, Interos data shows the following industries at the highest risk for potential disruptions if restrictions on XUAR companies continue to expand.  

These are the industries with the greatest frequency across companies in XUAR:  

  1. Business Management Services  
  2. Software and IT Services 
  3. Consumer Goods 
  4. Architectural, Engineering, and Design Services 
  5. Building and Civil Engineering Construction  

In short, last week’s additions to the OFAC and UFLPA restrictions lists are consistent with regulatory updates from the past few years.  

Moreover, by leveraging industry, product, and geographic risk management information, organizations can be more proactive in preparing for export controls against companies that meet the criteria listed above.

Product and industry categories not only provide value for proactively addressing restrictions risk, but also have several other benefits, such as benchmarking and product tracing throughout supply chains.  

Keep an eye out for a forthcoming blog that will detail these new features and how they impact the full lifecycle of supply chain intelligence. 

Have questions today?  Speak to an Expert.  

The Race Is on to Shape AI Governance and Security

Author: Andrea Little Limbago, PhD, SVP, Applied AI  

The Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (EO 14110) was released one year ago. The recent Memorandum on AI builds upon the executive order and focuses on the national security implications of AI, including innovation and leadership within a secure AI framework. At Interos, we take AI very seriously: from building a secure AI framework to launching new AI products, AI is the center point of everything we do.

Artificial Intelligence: The Stakes Could Not be Higher 

As the Memorandum details, the timing is critical, as the world undergoes a massive paradigm shift with technological transitions accompanied by global geopolitical shifts.   

In the big race to integrate AI, organizations must understand that along with the enormous innovation potential, security and geopolitical considerations cannot be an afterthought.

This Memorandum aims to catalyze change toward a Secure AI framework that supports innovation and leadership, while protecting against adversarial misuse and harm. The stakes could not be higher. 

What’s at Stake: Innovation, Economic Growth and Democracy or Authoritarianism and Suppression 

Amidst the ongoing AI hype cycle and trillions in investments, it may be easy to forget that AI – like most technologies – is dual-use in nature.  

That is, AI can foster innovations and significant breakthroughs, while also enabling more nefarious intentions. As the Memorandum articulates, AI is powering authoritarianism, including malicious cyber behavior, censorship and human rights violations. China is emerging as an ‘AI-tocracy’, using the technology to suppress dissent and entrench regime power. Russia’s notorious bot farms are powered by AI to spread disinformation globally. Iran is similarly deploying AI for influence operations, as well as domestic surveillance and human rights violations. 

But AI is also a tool to counter digital authoritarianism. Across the globe, AI is used to pursue democratic values, including empowering political communication, circumventing authoritarian regimes, and heightening defenses against malicious cyber activity. These are just a few examples to underscore the national security imperative detailed in the Memorandum.  

The global leader in AI governance will play a critical role in tilting the balance of AI applications toward innovation, economic growth, and democracy, or toward authoritarianism and suppression. 

The AI First-Mover Advantage 

Strategic competition is front and center throughout the recent Memorandum.

Technology does not exist in a vacuum; the current geopolitical shifts and spread of digital authoritarianism elevate the necessity for the United States to expand its technological edge in this era-defining technology.

Implicit within the Memorandum is that the international order is at an inflection point; the future will not look like the past.  

In these situations, first-mover advantage is critical as countries that have garnered the power of breakthrough general purpose technologies gain hegemonic influence in shaping the global order to their advantage. 

While the AI technological edge is critical to this, AI governance leadership too often takes a backseat to it. Leadership in AI governance is critical to gaining the first-mover advantage.  

Currently, the European Union (EU)'s AI Act is the first major initiative to introduce AI regulations and guardrails. China has also introduced several rules targeting AI, such as rules on the use of generative AI issued quickly after the release of ChatGPT, but it has yet to formulate a comprehensive AI regulation.

While the US has non-binding AI governance guidelines, such as EO 14110, a comprehensive federal AI regulation does not yet exist. To fill this void, in the 2024 legislative session, 45 states introduced AI legislation, and 31 adopted resolutions or passed legislation.  

Last week's Memorandum clearly identifies the stakes at play, and continues the drumbeat of AI guidance, including the 2022 Blueprint for an AI Bill of Rights.

The US private sector is moving ahead absent a federal framework, introducing AI governance policies at a faster pace than the public sector. The race is on to shape AI governance, and the Memorandum outlines the national security implications for the US to lead this effort, and a partnership across the public and private sectors is critical to solidifying this edge. 

Partnership and Collaboration: Protecting the AI Supply Chain 

The Memorandum details a whole-of-society approach toward AI. Specifically, the Memorandum contends, “If the United States Government does not act with responsible speed and in partnership with industry, civil society, and academia to make use of AI capabilities in service of the national security mission — and to ensure the safety, security, and trustworthiness of American AI innovation writ large — it risks losing ground to strategic competitors.” 

This partnership is critical. While the Memorandum aims to ‘catalyze change’ in how the US government addresses AI national security policy, a similar revolution is necessary in how industry, civil society, and academia approach AI.

Several critical components of the Memorandum directly impact the private sector, such as building and retaining top AI workforce talent, defending against foreign interference and cyber threats, and integrating secure AI in critical infrastructure. 

Interos similarly advocates for a Secure AI framework; supply chains and national security are intricately intertwined. This has been made very clear with the Hezbollah device attacks, which marked an inflection point in modern warfare. 

According to Interos data, the average enterprise in the S&P 500 has 1,700 direct suppliers and 1.5 million relationships through its first 3 tiers of suppliers. 99% of those companies have ties with at-risk or restricted entities. While the Hezbollah device attacks were not via a restricted company, those technology companies on restricted lists represent a more probable pathway to hardware infiltration and warrant heightened alert – illustrating the widespread vulnerabilities that could be within an organization’s supply chain.  

Interos works closely with our customers, supporting their AI governance frameworks and serving as strategic partners to guide AI governance decisions. Secure AI is front and center in our development decisions as well: different forms of AI introduce different risks, and we take those into account so that AI is implemented together with security rather than ahead of it.

From jailbreaking to data poisoning to algorithmic manipulation, just as supply chains must be secured, so too must the AI supply chain be protected, from inputs to algorithms to outputs.

Innovation and security must go hand in hand to truly leverage the vast potential of AI, while protecting ourselves and our supply chains from the growing range of national security risks. 

Toward a Secure AI Framework 

AI is an era-defining technology. Authoritarian regimes and adversaries are adopting AI at a rapid pace, introducing significant national security threats, including military advantage, global influence, and technological advantage. US leadership is necessary to tip the AI balance toward scientific breakthroughs that support humanity, protect democracy, and empower innovation.  

In the race toward AI adoption, security must be at the forefront, not an afterthought.  

The world is changing fast; previous paradigms are ill-prepared for ensuring the safety, security, and trustworthiness of our organizations and our supply chains. AI is both a means toward achieving greater national security and a great threat if we fail to prepare for its malicious use.

Even without malicious intent, AI systems require greater protection. The latest Memorandum is another critical step toward advancing US leadership in AI, but more is needed.  

The public and private sectors alike must internalize the national security imperative at stake or risk ceding this once-in-a-generation technology to the competition.  

AI-Powered Supply Chain Risk Management  

At Interos, we take AI very seriously. As a global leader in AI-powered supply chain risk intelligence, we are leveraging the power of AI to revolutionize supply chain resilience at a time when global disruptions are at an all-time high.  

We recently launched our latest AI innovation, "Ask Interos", which enables organizations to identify supplier threats in real time. It is our first step towards contextual AI. The launch comes at a crucial time when organizations are inundated with data yet struggle to separate complex supply chain noise from actionable insights.

Get in touch to see how we are using AI to secure supply chains in real time.