Hundreds of companies around the world, including one of Sweden’s largest grocery chains, battled a potential cybersecurity compromise on Saturday after Kaseya, a software provider that serves more than 40,000 companies, said it was the victim of an “elaborate cyber attack”.
Security researchers said the attack could have been carried out by REvil, a Russian cybercriminal group that the FBI said was behind the hacking of the world’s largest meat processor, JBS, in May.
In Sweden, the grocer Coop had to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher at the security company Yubico. Signs in front of the Coop branches turned customers away: “We have had a major IT malfunction and our systems are not working.”
Mr Elfors said a Swedish railroad and a large chain of pharmacies were also affected by the attack on Kaseya. “It’s totally devastating,” he said.
When asked about the cyber attack after landing in Michigan on Saturday on a trip to celebrate the withdrawal of Covid-19 in the United States, President Biden said he had been delayed getting off the plane because he was being briefed on the attack. He said he had directed the “full resources of the federal government” to conduct an investigation. “The first thought was that it wasn’t the Russian government, but we’re not sure yet,” he said.
Victims of the security breach were hit through a Kaseya software update, said Kevin Beaumont, a threat researcher. Instead of receiving the latest update from Kaseya, they received ransomware from REvil. Kaseya was initially attacked through a previously unknown vulnerability in its systems, known as a “zero day”, because software makers have zero days to fix such a flaw once it is discovered. In the meantime, cyber criminals and spies can exploit the vulnerability to wreak havoc.
Mr Beaumont said the attack marked a serious escalation in the tactics of ransomware gangs. In previous attacks, REvil was known to break in through a combination of phishing, stolen passwords, or a lack of multifactor authentication.
Dutch researchers said they had reported the vulnerability to Kaseya, but the company was still working on a patch when it was breached and its software updates were compromised, according to people briefed on the timeline.
The attack became public on Friday when Kaseya said it was investigating the possibility that it was the victim of a cyber attack. The company asked customers using its VSA systems management platform to shut down their servers immediately to avoid the possibility of compromise by an attacker.
“We are witnessing a potential attack against the VSA that is limited to only a small number of on-premise customers,” Kaseya wrote on its website, referring to companies that run the software in their own facilities rather than hosting it with a cloud provider. “We are in the process of investigating the cause of the incident with the utmost vigilance.”
Fred Voccola, CEO of Kaseya, said in a statement on Saturday that fewer than 40 customers were affected by the attack, but those customers include managed service providers, each of which can supply security and technology tools to dozens or even hundreds of companies.
That made the attack worse, said John Hammond, a researcher at cybersecurity firm Huntress Labs.
“What makes this attack unique is the trickle-down effect, from managed service providers to small businesses,” said Hammond. “Kaseya handles large corporations to small businesses worldwide, so it ultimately has the potential to expand to companies of all sizes.”
Some of the affected companies have been asked for a $5 million ransom, Hammond said. Thousands of companies are at risk, he said.
The US Cybersecurity and Infrastructure Security Agency described the incident on Friday in a statement on its website as a “supply chain ransomware attack”. It asked Kaseya’s customers to shut down their servers and said it was investigating.
Hackers have carried out a number of prominent cyber attacks against US companies in the past few months, including against JBS and Colonial Pipeline, which carries fuel along the East Coast. Both were ransomware attacks, in which hackers lock up systems until a ransom is paid. The video game company Electronic Arts was also recently hacked, but its data was not held for ransom.
Nicole Perlroth and David E. Sanger contributed to the coverage.