Hacker attack via IT service providers also affects German companies

Cyber attacks on IT service providers can affect several companies. In the latest blackmail attack, hackers targeted hundreds of companies in one fell swoop.

They used a vulnerability at the American IT service provider Kaseya to attack its customers with a program that encrypts data and demands a ransom. The consequences could be felt as far as Sweden, where the supermarket chain Coop had to close almost all stores. The full extent of the damage initially remained unclear. The IT security company Huntress spoke of more than 1,000 companies in which systems had been encrypted.

An affected IT service provider from Germany also reported to the Federal Office for Information Security (BSI). Its customers have been affected, said a BSI spokesman. Several thousand computers at several companies are involved. It cannot be ruled out that other companies will notice problems when the working week starts on Monday.

US President Joe Biden ordered the intelligence services to investigate the attack. “The first impression was that the Russian government was not behind it – but we are not sure yet,” said Biden after questions from reporters on Saturday. IT security experts had attributed the attack, based on the software code, to the hacker group Revil, which is located in Russia.

A few weeks ago, Revil was behind the attack on the world’s largest meat company, JBS, which had to close plants for several days, including in the USA. At their meeting in Geneva in June, Biden urged Russian President Vladimir Putin not to tolerate any activities by hacker groups and threatened consequences in the event of further attacks.

Kaseya announced over the weekend that fewer than 40 customers were affected. However, these also included service providers who in turn have several customers. This created a kind of domino effect. In this way, the Swedish Coop chain was hit across several stages, and its checkout systems no longer worked. Only 5 of the over 800 stores – and the online shop – remained open.

Damage is limited

In any case, the damage could have been far greater: Kaseya has a total of more than 36,000 customers. With the help of the Kaseya program VSA, companies manage software updates in computer systems. An intrusion into the VSA software can open many doors for the attacker at once. Kaseya stopped its cloud service on Friday and warned customers to shut down their locally running VSA systems immediately. According to the company, customers of the cloud service were never in danger – and all the companies affected used local VSA installations.

Kaseya said it is confident that it has found the vulnerability; it wants to close it soon and restart the systems after a security test. On Saturday, another customer that had not switched off its locally running VSA system joined the list of victims.

Attacks with blackmail software had recently made repeated headlines. Just before the JBS case, an attack of this type halted the operation of one of the largest gasoline pipelines in the United States and temporarily cut fuel supplies in the country. The attacks bring the hackers money: JBS paid the attackers the equivalent of eleven million dollars in cryptocurrencies, the pipeline operator Colonial 4.4 million dollars. However, a little later, investigators were able to confiscate a good half of the Colonial ransom.

It is also the second attack to become known within a few months in which hackers were able to penetrate the systems of an IT service provider's customers via that provider. Using maintenance software from Solarwinds, attackers are believed to have entered the computer networks of US government agencies, including those of the finance and energy departments, for espionage purposes.

Attacks with blackmail Trojans have made headlines several times in the past few years. In May 2017, the blackmail Trojan “Wannacry” paralyzed the computers of many private individuals as well as computers in British hospitals and timetable displays for Deutsche Bahn. A few weeks later, the ransomware “Notpetya” hit the Maersk shipping company and the Nivea manufacturer Beiersdorf, among others.

Old Windows systems an easy victim

One of the reasons why these attacks spread so quickly at the time was that computers with older Windows systems and security loopholes that had not been closed were easy targets for them. They were therefore seen as a wake-up call for more IT security. However, there have now been several successful attacks with ransom software.

The industry association BDI wants to better ward off cyber attacks with a “national economic protection strategy” of government and business. “The German economy has never been attacked as severely as it is today,” BDI security expert Matthias Wachter told Welt am Sonntag. The number of attacks increased during the coronavirus pandemic because companies are even more vulnerable with staff working from home. The BSI said: “The threat situation is still very tense and has been exacerbated again by the pandemic.”

Mikko Hyppönen from the IT security company F-Secure attributes this, among other things, to the fact that the attack surface is becoming ever larger with digital change in all industries. “We bring everything online.” It will take some time before this general movement on the Internet is adequately secured: “I do not think that we have already seen the worst.”

Raj Samani from the IT security company McAfee also sees the problem in the fact that an entire industry has now formed on the Internet in which attacks with blackmail software are offered to interested parties as a paid service. “They are criminal groups who are out to squeeze out as much ransom as possible.” At the same time, he showed understanding for companies that end up paying the hackers money, contrary to the recommendations of authorities and experts, because they are afraid for their business. dpa
