Given that the attack took place just before a public holiday weekend, the full extent of the damage may not be known until this week. Here’s what we know so far.
Kaseya provides technology that helps other businesses manage their information technology – essentially, the digital backbone of their operations. In many cases, Kaseya sells its technology to third-party service providers, who manage IT for other businesses, often small and medium-sized businesses. In short, by targeting Kaseya’s software, attackers gained easier access to a range of different corporate networks.
Over the weekend, experts said the attack had already taken down at least a dozen IT support companies that rely on Kaseya’s remote management tool. The incident affects not only Kaseya’s IT management customers, but also the corporate clients of companies that have outsourced IT management to them.
“We are not envisioning massive critical infrastructure,” he told Reuters. “It’s none of our business. We don’t operate the AT&T network or the Verizon 911 system. No such thing.”
Who was behind it?
REvil is the criminal hacking gang whose malware was behind the Kaseya attack, cyber researchers have said.
The group, which is said to operate in Eastern Europe or Russia, is one of the most infamous ‘ransomware-as-a-service’ providers, which means it provides tools for others to carry out ransomware attacks and takes a share of the profits. It also carries out some attacks itself.
About the timing …
It’s no surprise that the attack took place just before a major holiday weekend. Experts say vacations and long weekends are the best times for hackers to execute ransomware attacks, as it gives them more time to encrypt files and devices before anyone has a chance to notice and respond.
Carrying out the attack over the July 4 weekend, in particular, could also have been intentional, according to DiMaggio.
After U.S. officials took out DarkSide in the aftermath of the Colonial Pipeline attack and recovered some of the ransom it received, REvil took to online hacking forums to claim that ransomware groups would not be deterred by the United States, DiMaggio said.
“They’ve always seemed anti-American, but especially since DarkSide pulled out, and now we’re seeing this massive attack on our infrastructure over Independence Day weekend,” he said. “I think that sends a very strong message.”
How did the White House react?
The White House has urged companies who believe their systems have been compromised by the attack to immediately report it to the Internet Crime Complaint Center.
“As of Friday, the United States government has been working across the agency to assess the Kaseya ransomware incident and help with the response,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have worked with Kaseya and coordinated to conduct outreach to affected victims.”
President Joe Biden also told a press briefing this weekend that, while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.
“If it’s knowingly and/or as a consequence of Russia, then I told Putin that we will respond,” Biden said on Saturday, referring to his meeting with the Russian leader last month. “We are not sure. The initial thought was not the Russian government but we are not sure yet.”
What do we need to learn?
The attack on Kaseya points to a popular target for ransomware attackers: managed service providers. MSPs such as Kaseya’s clients allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.
While attacks against these types of vendors are not new, MSPs represent a great opportunity for hackers because of the way they interact with other companies’ networks, DiMaggio said. In many cases, there are no technical controls on software updates from these vendors, as they are considered “trusted” partners, potentially leaving customers vulnerable to bad actors who could embed ransomware payloads in these updates.
“There are going to have to be more checks and balances for any third-party vendor,” he said.