
New ransomware attack in the US affects more than 200 companies

Russian gang believed to be behind the attack on Kaseya; they hijacked VSA, the company’s widely-used technology management software

US President Joe Biden ordered US intelligence agencies to investigate a massive ransomware attack that affected more than 200 American companies and brought operations to a halt in other countries.

Hackers, believed to be the Russia-linked REvil gang, which was also blamed for last month’s attack on meat supplier JBS, hijacked widely used technology management software from Kaseya, which has headquarters in Dublin and Miami. They changed a tool called VSA, used by companies that manage technology at smaller businesses, then encrypted the files of those providers’ customers.

The effects were felt outside the US as well, with grocery chain Coop’s 800 stores unable to open in Sweden because cash registers weren’t working. State railways and a major pharmacy chain were also affected.

“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” tweeted John Hammond of the security firm Huntress Labs. “This is a colossal and devastating supply chain attack.”

Kaseya’s VSA tool is used by more than 200 customers, whose systems were subsequently encrypted by ransomware.

The tool is widely used by managed service providers, which typically handle technology for dozens of smaller companies that may not have resources to staff in-house technology teams. Corporate and government tech groups also use the tool.

Deactivating VSA is critical, Kaseya warned in a notice on its support website, “because one of the first things the attacker does is shut off administrative access to the VSA.”

In May, Colonial Pipeline paid USD4 million after its systems were affected, and Brazilian meat company JBS paid nearly USD11 million last month.

In Michigan, Biden said “we’re not certain who is behind this attack” when asked about Russian involvement.

The President said he had directed US intelligence agencies to investigate, and the US would respond if it determined Russia was to blame. At a summit in Geneva on 16 June, Biden urged Vladimir Putin to crack down on hackers from Russia and warned of consequences if ransomware attacks continued.

Kaseya’s chief executive, Fred Voccola, said the company believed it had identified the source of the vulnerability and would “release that patch as quickly as possible to get our customers back up and running”.

Voccola said the problem was only affecting on-premise customers, meaning organisations running their own data centers. It was not affecting cloud-based services running software for customers, though Kaseya had shut down those servers as a precaution.

The US Cybersecurity and Infrastructure Security Agency said it is “taking action to understand and address” the attack.

Eric Goldstein, CISA’s executive assistant director for cybersecurity, told CNBC: “CISA is closely monitoring this situation and we are working with the FBI to gather information about its impact.”