President Biden Orders Investigation Into Kaseya Ransomware Attack
Ransomware attack on hundreds of American businesses over 4 July weekend prompts US investigation of possible Russian involvement
US President Joe Biden has ordered US intelligence agencies to investigate a sophisticated ransomware attack that has impacted hundreds of US businesses.
The supply chain attack, carried out on Friday at the beginning of the 4 July weekend in the United States, targetted software from Miami-based software firm Kaseya, which is used by thousands of businesses in the US and around the world.
The hackers essentially hijacked a tool called VSA, which is used by companies that manage technology at smaller businesses, then encrypted the files of those customers, the Guardian reported.
Russian involvement?
The hackers attack on Kaseya was so far reaching that in Sweden for example, most of the grocery chain Coop’s 800 stores were unable to open because cash registers weren’t working. State railways and a major pharmacy chain were also affected.
“Kaseya’s VSA product has unfortunately been the victim of a sophisticated cyberattack,” the firm said in a statement on its website. “Due to our teams’ fast response, we believe that this has been localised to a very small number of on-premises customers only.”
“Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” it added.
But the Guardian reported that on Saturday Joe Biden had directed US intelligence agencies to investigate the sophisticated ransomware attack, due to suspicions that a Russian gang was responsible for the hack.
On a visit to Michigan, Biden was asked about the hack.
The president said “we’re not certain” who is behind the attack.
“The initial thinking was it was not the Russian government but we’re not sure yet,” he reportedly said.
Biden said he had directed US intelligence agencies to investigate, and the US would respond if it determined Russia was to blame.
Security firm Huntress last week said it believed the Russia-linked REvil ransomware gang was to blame.
REvil was the gang blamed by the FBI last month for the ransomware attack on meat packer JBS.
Western patience
Western patience with Russia and its covert cyber activities is currently running very thin. As is patience with criminal gangs operating within Russian borders waging cyber attacks against Western nations.
Last week American and British cyber and intelligence agencies warned that Russian military hackers targetting both the United States and Europe.
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the UK’s National Cyber Security Centre that since at least mid-2019 through early 2021, a group of hackers belonging to Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (military unit 26165) has been behind an ongoing brute force attack against hundreds of government and private sector targets worldwide.
The issue of Russia’s cyber activities was raised at the very highest levels.
US President Joe Biden and Russia’s President Vladimir Putin held a three hour face to face meeting in Geneva last month.
Biden and Putin spent much of that face-to-face meeting talking about cybersecurity issues, with Biden warning Putin of ‘retaliation’ if Russia attacks a list of 16 ‘critical’ facilities in America.
Soon after that, Russia’s Federal Security Service (FSB) head Alexander Bortnikov said that Russia would work together with the United States to locate cyber criminals.
Expert take
The Kaseya attack was drawn a reaction from the security industry as well.
“These so-called ‘supply chain attacks’ are the consequence of several diverse factors that have colluded to make a compromise of this kind almost inevitable,” said Charl van der Walt, head of security research at Orange Cyberdefense.
“One of these factors is ‘IT Interdependence’ – IT systems and the businesses that use them do not operate in isolation,” said van der Walt. “As a result, the impact of a breach or compromise is never restricted to the primary target alone.”
“We simply cannot afford to think of our own security as isolated or separate from the security of our technology product or service providers, or from the myriad of other business entities or government agencies we share technology with,” said van der Walt. “A shared dependency on core technologies, vendors, protocols or core Internet systems like DNS or CDNs bind businesses together just as tightly as fibre links and IP networks. Businesses in turn also bind together the suppliers who depend on them, the industries they belong to, the countries they operate in and, eventually, the entire global economy.”
Far reaching
Meanwhile another security expert said this supply chain hack was one of the most far reaching attacks that has ever been seen.
“This is one of the farthest reaching criminal ransomware attacks that Sophos has ever seen,” said Ross McKerchar, Sophos VP and Chief Information Security Officer.
“At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organisations.”
“We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company,” said McKerchar. “Victims span a range of worldwide locations with most in the United States, Germany and Canada, and others in Australia, the UK and other regions.”