In the latest ransomware attack, hackers targeted hundreds of companies in one fell swoop. They used a vulnerability at the American IT service provider Kaseya to attack its customers with a program that encrypts data and demands a ransom. The consequences could be felt as far away as Sweden, where the supermarket chain Coop had to close almost all of its stores. The full extent of the damage initially remained unclear.
An affected IT service provider from Germany also reported to the Federal Office for Information Security (BSI). Its customers have been affected, said a BSI spokesman. Several thousand computers at several companies are involved. It cannot be ruled out that further companies would notice problems at the start of the working week on Monday.
Biden calls in intelligence services
US President Joe Biden ordered an investigation of the attack by the intelligence services. “The first impression was that the Russian government was not behind it, but we are not sure yet,” said Biden in response to questions from reporters on Saturday. Based on the software code, IT security experts had attributed the attack to the hacker group REvil, which is located in Russia.
A few weeks ago, REvil was behind the attack on the world’s largest meat company, JBS, which had to close plants for several days, including in the USA. At their meeting in Geneva in June, Biden urged Russian President Vladimir Putin not to tolerate any activities by hacker groups and threatened consequences in the event of further attacks.
Kaseya announced over the weekend that fewer than 40 customers were affected. However, these also included service providers who in turn have several customers of their own. This created a kind of domino effect. In this way, the Swedish Coop chain was hit several steps down the chain, and its checkout systems no longer worked. Only 5 of the over 800 stores – and the online shop – remained open.
In any case, the damage could have been far greater: Kaseya has a total of more than 36,000 customers. With the help of the Kaseya VSA program, companies manage software updates in computer systems. An intrusion into the VSA software can open many doors for the attacker at once. The IT security company Huntress spoke of more than 1000 companies where systems have been encrypted.
Kaseya recommends shutdown
Kaseya stopped its cloud service on Friday and warned customers to shut down their locally running VSA systems immediately. According to the company, customers of the cloud service were never in danger, and all of the affected companies were using local VSA installations.
Kaseya said it was confident of having found the vulnerability; it wants to close it soon and restart the systems after a security test. On Saturday, another customer that had not switched off its locally running VSA system joined the list of victims.