The US Cybersecurity and Infrastructure Security Agency (CISA) said on Friday evening it was “taking action to understand and address the recent supply-chain ransomware attack against Kaseya” and providers that employ their software.
Kaseya has taken their cloud service offline. It initially said 200 companies were affected, but later changed that to “a small number.” Neither the company nor CISA have said anything about how the hackers may have gained access.
John Hammond of the cybersecurity firm Huntress Labs said “thousands” of computers were affected. “We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” he said, calling it a “colossal and devastating supply chain attack.”
Brett Callow, a ransomware expert at Emsisoft, told AP he was unaware of any previous ransomware attacks on the supply chain on this scale, calling it “SolarWinds with ransomware.”
While the US government has blamed last year’s SolarWinds breach on Russia – Moscow has denied any involvement, calling the insinuations “absurd” and “pathetic” – the Kaseya hack seemed to be the work of REvil, a group many US researchers have described as “Russian-speaking.”
“Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinikibi,” said Hammond of Huntress Labs.
REvil is a criminal syndicate the FBI blamed for the May ransomware attack on JBS, the Brazilian-based meat-packing conglomerate, which disrupted meat processing and deliveries in the US, Canada and Australia. JBS admitted on June 10 that it had paid a $11 million ransom to the hackers in order to restore operations and prevent future disruptions.
While the White House did not blame Russia for the JBS attack, White House Press Secretary Jen Psaki said that “responsible states do not harbour ransomware criminals” after the FBI pointed to REvil as the likely culprit behind the breach.
Cyber-sleuths also don’t believe the timing of the reported Kaseya hack was an accident. It came as the US was gearing up for a three-day weekend to celebrate the Independence Day holiday, and many companies as well as government agencies were closing up shop early.
“There’s zero doubt in my mind that the timing here was intentional,” Jake Williams of Rendition Infosec told AP.
Washington has repeatedly accused Moscow of either orchestrating cyberattacks on US infrastructure or “harboring criminal entities” that do so. Last month’s summit between US President Joe Biden and Russian President Vladimir Putin in Geneva prominently featured a discussion on hacking.
On Friday morning, the Russian embassy in Washington issued a statement noting that “constant attacks on critical infrastructure in Russia” are coming from US soil, and expressed hope the Americans would “abandon the practice of unfounded accusations and focus on professional work with Russian experts to strengthen international information security.”
Think your friends would be interested? Share this story!
© 2021, paradox. All rights reserved.