Biden orders ‘deep dive’ after huge ransomware attack hits thousands

Russia-linked REvil accused of hack weeks after Biden warning to Putin

A Coop store in Stockholm. The company couldn’t open more than 800 stores due to the ransomware attack. (Love Liman/Bloomberg)

Just weeks after US President Joe Biden implored Vladimir Putin to curb cyber crime, a notorious, Russia-linked ransomware gang has been accused of pulling off an audacious attack on the global software supply chain.

REvil, the group blamed for the May 30 ransomware attack on meatpacking giant JBS, is believed to be behind hacks on at least 20 managed-service providers (MSPs), which provide IT services to small and medium-sized businesses. More than 1,000 businesses have already been impacted, a figure that’s expected to grow, according to the cybersecurity firm Huntress Labs.

“Based on a combination of the service providers reaching out to us for assistance along with the comments we’re seeing in the thread we are tracking on our Reddit, it’s reasonable to think this could potentially be impacting thousands of small businesses,” according to John Hammond, a cybersecurity researcher at Huntress Labs.

Biden said he had ordered a “deep dive” by US intelligence officials on what happened in the attacks. At this point, he said “we’re not sure” that Russia is behind them.

“I directed the intelligence community to give me a deep dive on what’s happened and I’ll know better tomorrow,” Biden said, recalling that he told Putin during their meeting in June that the US would respond to cyber transgressions. He added that he hasn’t called the Russian president about the latest case.

“We’re not sure it’s the Russians,” he said. “The initial thinking was, it was not Russian government, but we’re not sure yet.”

Attacking MSPs is a particularly devious method of hacking, since compromising a single provider may allow the attackers to infiltrate all of that provider’s customers as well. Hammond said more than 20 MSPs have been affected so far.

In Sweden, most of grocery chain Coop’s more than 800 stores couldn’t open on Saturday after the attack led to a malfunction of their cash registers.

There are victims in 17 countries so far, including the UK, South Africa, Canada, Argentina, Mexico and Spain, according to Aryeh Goretsky, a distinguished researcher at cybersecurity firm ESET.

The ransomware attack is the latest in a string of devastating hacks in recent months, making cybersecurity an increasingly pressing national security issue for the Biden administration. At a summit on June 16, Biden warned Putin that 16 types of critical infrastructure — including food and agriculture, emergency services and healthcare — were off limits to future attacks. It’s not yet known if the US victims of the latest ransomware attack fell within those sectors.

A software supply-chain attack revealed in December included nine US agencies and about 100 businesses as victims. Russian state-sponsored hackers were accused of the attack, in which they implanted malicious code into updates of popular software from SolarWinds. Customers who downloaded the updates inadvertently installed a back door that the hackers could then exploit. The attack was particularly sophisticated and highlighted the terrifying potential of supply-chain hacks.

More recently, ransomware attacks on Colonial Pipeline, the operator of the US’s largest fuel pipeline, and JBS have revealed gaping security vulnerabilities in crucial US businesses. Both Colonial and JBS paid the hackers millions of dollars. The hackers behind the Colonial attack, a group called DarkSide, have also been tied to Russia.

Friday’s attack appears to combine a supply-chain attack with ransomware, vastly increasing the number of potential victims and, presumably, the payout. Ransomware is a type of attack in which hackers encrypt computer files and then demand payment to unlock them.

Among the companies targeted was Kaseya, a Miami-based developer of software for managed-service providers; according to cybersecurity experts, it was hit as a way to reach its customers.

“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately it has the potential to spread to any size or scale business.”

In a statement, Kaseya said it had notified the FBI. The company said it had so far identified fewer than 40 customers that had been impacted by the attack.

Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future, said REvil was behind the attacks.

Eric Goldstein, the executive assistant director for cybersecurity at the US Cybersecurity and Infrastructure Security Agency, said the agency was closely monitoring the situation.

“We are working with Kaseya and coordinating with the FBI to conduct outreach to possibly impacted victims,” he said. “We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately. As always, we stand ready to assist any impacted entities.”

The affected MSPs include Synnex and Avtex, according to two people familiar with the breaches. Avtex president George Demou said on Friday night: “Hundreds of MSPs have been impacted by what appears to be a global supply chain hack.

“We are working with those customers who have been impacted to help them to recover.”

— Bloomberg News. More stories like this are available on bloomberg.com