Businesses scrambled on July 3 to respond to a ransomware attack on an American IT provider that cybersecurity experts believe was carried out by Russian criminal hackers.
Thousands of businesses around the world may be impacted by the cyberattack, according to a cybersecurity researcher whose company is responding to the incident.
The cyberattack hijacked widely used technology management software from the U.S.-based company Kaseya on July 2.
One of Sweden's biggest grocery chains, Coop, said its 800 stores were closed because a remote tool used for its cash registers was impacted, meaning payments can't be taken. Swedish State Railways and a major local pharmacy chain were also affected.
The Swedish news agency TT said Kaseya’s technology was used by Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.
Swedish Defense Minister Peter Hultqvist told Swedish Television the attack showed how businesses and government need to boost preparedness.
"In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos," he said.
Kaseya urged customers in a statement on July 2 to immediately shut down servers running the affected software and confirmed that it had shut down some of its servers.
Kaseya said the attack was limited to a "small percentage" of its customers, estimated at 40 worldwide. It said it was working closely with a few security firms and U.S. government agencies.
But the ransomware could still be affecting many more companies that rely on Kaseya's clients that provide broader IT services.
A cybersecurity researcher with Huntress Labs security firm responding to the incident said “it's reasonable to think this could potentially be impacting thousands of small businesses.”
John Hamman of Huntress said on Twitter that the criminals used Kaseya’s network management package as a conduit to spread ransomware through cloud service providers.
Hammond said that the REvil/Sodinikibi gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack.
"Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinikibi," Hammond said.
The FBI linked REvil to a ransomware attack in May on JBS, a major global meat processer. Ransomware attacks render their victims' data unusable by encrypting it until the victims pay off attackers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is closely monitoring this situation and is working with the FBI to gather information about the impact of the incident, the agency said in an e-mail to RFE/RL.
"We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya's guidance to shut down VSA servers immediately," said Eric Goldstein, executive assistant director for cybersecurity at the Department of Homeland Security.
VSA is the company's flagship offering and is designed to let companies manage networks of computers and printers from a single point.
The latest cyberattack comes as CISA and the U.S. National Security Agency (NSA) posted an advisory on July 1, detailing how U.S. and British security agencies have exposed "brute force" methods they say have been used by Russia's GRU military-intelligence agency to conduct malicious cyberactivities against hundreds of government and private organizations.
The advisory described cyberattacks carried out by operatives of the GRU, which has been accused of involvement in attempts to meddle in U.S. elections in 2016 and 2020, the hack in 2015 of the German Bundestag, attacks on Ukraine's power grid, and many others.
U.S. President Joe Biden raised cybersecurity during his June summit with Russian President Vladimir Putin. He said he told Putin that certain types of critical infrastructure should be off limits to cyberattacks.
Biden said he and Putin agreed to further discussions on those types of attacks and on the pursuit of Russian-based criminals carrying out ransomware attacks.
Prior to the ransomware attack on meatpacker JBS, a similar attack on Colonial Pipeline, one of the largest pipeline operators in the United States, forced the shutdown of fuel supplies to much of the East Coast for nearly a week.
The U.S. Justice Department later said it had recovered most of the bitcoin ransom paid to the suspected Russian-based DarkSide cybercriminal group behind the attack on Colonial Pipeline.
