Hackers began a global ransomware attack on Friday, hitting more than 1,000 companies, and forcing Sweden’s Coop grocery chain to close hundreds of stores.
In what appears to be one of the largest supply chain attacks to date, hackers compromised Kaseya, an information technology management software supplier, in order to spread ransomware to the managed service providers that use its technology, as well as to their clients in turn.
Cyber security group Huntress Labs said on Saturday that it had identified 20 compromised managed service providers, with more than 1,000 of its clients falling victim to ransomware attacks — where data is encrypted by hackers and only released if a ransom is paid.
Among them, Coop in Sweden said it had closed all but five of its 800 stores on Saturday, after the attack meant its cash register system and self-service checkouts had stopped working. Coop was affected after its managed service provider Visma EssCom was hit, it said.
Huntress attributed the attacks to REvil, the notorious Russia-linked ransomware cartel that the FBI claimed was behind the recent crippling attack on beef supplier JBS.
During a trip to Michigan on Saturday, Joe Biden said he had been briefed on the attacks and had ordered US intelligence agencies to investigate who was behind them, but that there was no indication so far that they were state sponsored. “The initial thinking was it was not the Russian government, but we’re not sure yet,” the US president said.
The incident is the latest example of hackers weaponising the IT supply chain in order to attack victims at scale, by breaching just one provider. Last year it emerged that Russian state-backed hackers had hijacked the SolarWinds IT software group in order to penetrate the email networks of US federal agencies and corporations.
Kaseya said in a blog post that it had been the victim of a “sophisticated cyber attack” and that around 40 of its 36,000 direct customers had been affected. It urged those using the compromised “VSA server” tool, which provides remote monitoring and patching capabilities, to shut it down immediately.
“We have been advised by our outside experts that customers who experienced ransomware and receive communication from the attackers should not click on any links — they may be weaponised,” it said.
“We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it for our on-premises customers that will be tested thoroughly,” the company added.
Allan Liska of Recorded Future’s computer security incident response team said that the clients of managed service providers tended to be small and medium-sized companies seeking IT support, with the attacks highlighting the risks of relying on centralised third parties.
“We’ve essentially handed over too much trust so that if something happens to them, it becomes a catastrophic event for your organisation through no fault of your own,” he said.
In an alert on Friday, the Cybersecurity and Infrastructure Security Agency said that it was “taking action to understand and address the recent supply-chain ransomware attack”.
The campaign is the latest in a series of audacious ransomware attacks this year, including one on America’s Colonial Pipeline, which have prompted pledges from the Biden administration to crack down on perpetrators.
At last month’s Geneva summit, President Joe Biden urged Russian president Vladimir Putin to rein in ransomware hackers, many of whom are believed to operate with impunity in the country.
Additional reporting by Lauren Fedor in Washington