Hackers have targeted hundreds of companies in one fell swoop in the latest attack using extortion software. They exploited a vulnerability at the American IT service provider Kaseya to attack its customers with a program that encrypts data and demands a ransom. The consequences were felt as far away as Sweden, where the supermarket chain Coop had to close almost all its stores. The full extent of the damage remained unclear at first.
An affected IT service provider from Germany has also reported to the Federal Office for Information Security (BSI). Its customers have been affected, a BSI spokesman said. Several thousand computers at several companies are involved. It cannot be ruled out that other companies will encounter problems on Monday, at the beginning of the working week.
Biden involves intelligence agencies
US President Joe Biden ordered an investigation into the attack by the intelligence agencies. "The first impression was that the Russian government was not behind it, but we are not sure yet," Biden said after questions from reporters on Saturday. Based on the software code, IT security experts had attributed the attack to the hacker group REvil, which is located in Russia.
REvil was behind the attack on global meat company JBS a few weeks ago, which forced it to close plants in the U.S. and elsewhere for several days. At their meeting in Geneva in June, Biden had urged Russian President Vladimir Putin not to tolerate any activities of hacker groups either, and threatened consequences for further attacks.
Kaseya said over the weekend that, based on what it knows so far, fewer than 40 customers were affected. However, among them were again service providers, which in turn have several customers. This created a kind of domino effect. In the same way, the Swedish Coop chain, where the checkout systems no longer functioned, was affected in several stages. Only 5 of the 800 stores – and the online store – remained open.
In any case, the damage could have been far more severe: Kaseya has a total of more than 36,000 customers. Companies use Kaseya's VSA program to manage software updates in their computer systems, so an intrusion into the VSA software can open many doors at once for attackers. IT security firm Huntress said more than 1000 companies have had systems encrypted.
Kaseya recommends shutdown
Kaseya halted its cloud service on Friday and warned customers to immediately turn off their locally running VSA systems as well. The company said customers of the cloud service were not at risk at any time – and all affected companies were reverting to local VSA installations.
Kaseya said it is confident that it has found the vulnerability and intends to close it and restart the systems after a security test. On Saturday, another customer that had not shut down its locally running VSA system was added to the list of victims.