Hacker attack via IT service providers hits many companies | Free press

by time news

Washington (AP) – In the most recent ransomware attack, hackers targeted hundreds of companies in one fell swoop.

They exploited a vulnerability at the American IT service provider Kaseya to attack its customers with a program that encrypts data and demands a ransom. The consequences were felt as far away as Sweden, where the supermarket chain Coop had to close almost all of its stores. The full extent of the damage is still unclear. The IT security company Huntress spoke of more than 1000 companies in which systems had been encrypted.

An affected IT service provider from Germany also reported to the Federal Office for Information Security (BSI). Its customers have been affected, said a BSI spokesman. The incident involves several thousand computers at several companies. It cannot be ruled out that other companies will notice problems at the start of the working week on Monday.

Biden orders investigation

US President Joe Biden ordered the intelligence services to investigate the attack. “The first impression was that the Russian government was not behind it – but we are not sure yet,” said Biden in response to questions from reporters on Saturday. Based on the software code, IT security experts attributed the attack to the REvil hacker group, which is located in Russia.

A few weeks ago, REvil was behind the attack on the world’s largest meat company JBS, which had to close plants for several days, including in the USA. At their meeting in Geneva in June, Biden urged Russian President Vladimir Putin not to tolerate any activities by hacker groups and threatened consequences in the event of further attacks.

Around 40 companies are affected

Kaseya announced over the weekend that fewer than 40 customers were affected. However, these also included service providers who in turn have several customers of their own. This is also how the Swedish Coop chain was hit, where the checkout systems no longer worked. Only 5 of the over 800 stores – and the online shop – remained open.

In any case, the damage could have been far greater: Kaseya has a total of more than 36,000 customers. Companies use the Kaseya program VSA to manage software updates in their computer systems. An intrusion into the VSA software can open many doors for the attacker at once. Kaseya stopped its cloud service on Friday and warned customers to shut down their locally running VSA systems immediately. According to the company, customers of the cloud service were never in danger, and all the companies affected used local VSA installations.

Operator claims to have found the weak point

Kaseya is confident that it has found the vulnerability; it wants to close it soon and restart the systems after a security test, it said. On Saturday, another customer who had not switched off his locally running VSA system joined the list of victims.

Ransomware attacks had recently made repeated headlines. Just before the JBS case, an attack of this type halted the operation of one of the largest gasoline pipelines in the United States and temporarily cut fuel supplies in the country. The attacks are lucrative for the hackers: JBS paid the attackers the equivalent of eleven million dollars in cryptocurrencies, and the pipeline operator Colonial paid 4.4 million dollars. However, a little later, investigators were able to confiscate a good half of the Colonial ransom.

It is also the second attack to become known within a few months in which hackers were able to break into customers’ systems via an IT service provider. Using maintenance software from Solarwinds, attackers were believed to have entered the computer networks of US government agencies, including those of the Departments of Finance and Energy, for espionage purposes.

Increased attacks with blackmail Trojans

Attacks with blackmail Trojans have made headlines several times in the past few years. In May 2017, the “WannaCry” blackmail Trojan paralyzed the computers of many private individuals, as well as computers in British hospitals and Deutsche Bahn timetable displays. A few weeks later, the ransomware “NotPetya” hit the Maersk shipping company and the Nivea manufacturer Beiersdorf, among others.

One of the reasons why these attacks spread so quickly at the time was that computers with older Windows systems and unpatched security holes were easy targets for them. They were therefore seen as a wake-up call for more IT security. However, there have since been several successful ransomware attacks.

BDI wants strategy against cyber attacks

The industry association BDI wants politics and business to better ward off cyber attacks with a “national economic protection strategy”. “Never before has the German economy been attacked as severely as it is today,” BDI security expert Matthias Wachter told “Welt am Sonntag”. The number of attacks increased during the corona pandemic because companies whose employees work from home are even more vulnerable. The Federal Office for Information Security said: “The threat situation is still very tense and has been exacerbated again by the pandemic.”

Mikko Hyppönen from the IT security company F-Secure attributes this, among other things, to the fact that the attack surface is becoming ever larger with digital change in all industries. “We bring everything online.” It will take some time before this general move onto the Internet is adequately secured: “I don’t think we’ve seen the worst.”

Raj Samani from the IT security company McAfee also sees the problem in the fact that an entire industry has now formed on the Internet in which ransomware attacks are offered to interested parties as a paid service. “There are criminal groups who are out to squeeze out as much ransom as possible.” At the same time, he showed understanding for companies that in the end, contrary to the recommendations of authorities and experts, pay the hackers money because they are afraid for their business.
