Joe Biden said on Saturday that he had directed US intelligence agencies to investigate a sophisticated ransomware attack that affected hundreds of US companies as the July 4 holiday weekend began and raised suspicions of involvement by Russian gangs.
Huntress, a security company, said on Friday that it believed the Russian-linked REvil ransomware gang was the culprit. Last month, the FBI blamed the same group for paralyzing meatpacker JBS.
Active since April 2019, REvil develops software that paralyzes networks and rents it out to so-called affiliates, who infect targets and keep most of the ransoms. JBS, a Brazilian-based meat company, said it had paid the equivalent of an $11 million ransom, increasing calls for US law enforcement agencies to bring those groups to justice.
On a visit to Michigan, Biden was asked about the attack while shopping for cakes in a cherry orchard. The president said “we are not sure” who is behind the attack.
“The initial idea was that it was not the Russian government, but we are not sure yet,” he said.
Biden said he had ordered US intelligence agencies to investigate, and that the United States would respond if it found Russia to be the culprit. At a summit in Geneva on June 16, Biden urged Vladimir Putin to crack down on Russian hackers and warned of the consequences if ransomware attacks continued.
The hackers who attacked on Friday hijacked widely used technology management software from a vendor, Kaseya, which is headquartered in Dublin and Miami. They tampered with a tool called VSA, used by companies that manage IT for smaller companies, and then encrypted the files of those providers’ customers.
Kaseya said it was investigating a “potential attack” on VSA, which is used by IT professionals to manage servers, desktops, network devices and printers. Huntress said it was tracking eight managed service providers that had been used to infect about 200 clients.
The effects were felt internationally. In Sweden, most of the 800 stores in the Coop supermarket chain were unable to open because the cash registers were not working, according to the public broadcaster. State railroads and a major pharmacy chain were also affected.
“This is a colossal and devastating attack on the supply chain,” said John Hammond, senior security researcher at Huntress, referring to an increasingly prominent technique of hijacking a piece of software to compromise hundreds or thousands of users.
Kaseya CEO Fred Voccola said the company believed it had identified the source of the vulnerability and would “release that patch as quickly as possible to get our customers back up and running.”
Voccola said that fewer than 40 Kaseya customers were known to be affected, but that the ransomware could be affecting hundreds of companies that depend on Kaseya customers.
Voccola said the problem only affected “on-premises” customers, organizations that run the software in their own data centers. The attack did not affect Kaseya’s cloud-based services that run the software for clients, although Kaseya had shut down those servers as a precaution, he said.
The company said that “customers who experienced ransomware and receive a communication from the attackers should not click on any links as they may be weaponized.”
A Gartner analyst, Katell Thielemann, said it was clear that Kaseya “reacted very cautiously. But the reality of this event is that it was designed for maximum impact, combining a supply chain attack with a ransomware attack.”
To complicate the response, the attack occurred at the beginning of a major holiday in the US, when most corporate IT teams are under-staffed. That could leave organizations unable to address other security vulnerabilities, such as a dangerous Microsoft bug affecting print job software, said James Shank, a threat intelligence analyst.
“Kaseya’s clients are in the worst possible situation,” Shank said. “They are racing against time to get updates on other critical bugs.”
Shank said “it’s reasonable to think the timing was planned” for the holidays.
The US Cybersecurity and Infrastructure Security Agency (CISA) said it was “taking steps to understand and address the recent supply chain ransomware attack.” Such attacks have been placed at the top of the cybersecurity agenda after the United States accused hackers operating under the direction of the Russian government of tampering with a network monitoring tool built by a Texas software company, SolarWinds.
On Thursday, US and British authorities said that Russian spies accused of interfering in the 2016 US elections had spent much of the past two years abusing virtual private networks (VPNs) to attack organizations around the world. The Russian embassy in Washington denied the accusation.