A Russia-linked hacking group has compromised roughly 200 businesses in a large-scale ransomware attack that is ongoing, according to the cybersecurity firm Huntress Labs Inc.
The hackers targeted managed service providers, which often give IT support to small- to medium-size businesses, according to Huntress Labs. By targeting a managed service provider, hackers may then be able to access and infiltrate its customers’ computer networks too.
“From what we know now, we have eight MSP partners that are affected,” said John Hammond, a cybersecurity researcher at Huntress Labs. “Those MSPs customers add up to at least 200 businesses that are encrypted and ransomed as a result of their MSP being compromised.”
He didn’t identify the managed service providers that were attacked.
Hammond said he expects the number of victims to “significantly rise” as more compromised managed service providers are discovered. The names of the MSP customers who were attacked aren’t yet known.
“This is one of the most broadly impactful, non-nation state executed, attacks we have ever seen and it appears purely designed to extract money,” said Andrew Howard, chief executive officer of Switzerland-based Kudelski Security, a provider of managed cybersecurity services. “It is difficult to image a better way for an attacker to distribute malware than through trusted IT providers.”
The attacks come a few weeks after a summit between President Joe Biden and Russian President Vladimir Putin in which Biden warned that 16 kinds of critical infrastructure were off limits for cyberattacks. Russian state-sponsored hackers were blamed for attacks against nine U.S. government agencies and about 100 businesses, which was disclosed in December and involved, in part, malicious updates in software from Texas-based SolarWinds Corp.
More recently, a ransomware attack on Colonial Pipeline Co., which squeezed gasoline supplies along the East Coast, was blamed on a Russian-linked criminal gang called DarkSide.
Cybersecurity researchers have pointed to Kaseya, which develops software used by managed service providers, as the potential root cause of hack. Kaseya on Friday advised its customers to shut down its Virtual System Administrator software due to a potential attack.
“We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us,” Kaseya said in a statement.
The Cybersecurity and Infrastructure Security Agency acknowledged the hacks in a brief statement.
“CISA is taking action to understand and address the recent supply-chain ransomware attack against Kaseya VSA and the multiple managed service providers (MSPs) that employ VSA software,” the agency said.
The hacking group behind the attack is known as “REvil,” according to Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future Inc. Liska said this is the third time REvil has targeted Kaseya to conduct ransomware attacks. A representative for Kaseya wasn’t immediately available for comment.
REvil was also behind the ransomware attack on meat supplier JBS SA in May. The company said it ultimately paid $11 million in ransom.
Jason Ingalls, founder of the breach response company Ingalls Information Security, said attacks such as the MSP attack announced Friday are becoming more common.
“Hackers are infiltrating the most trusted source of software or security in a huge supply chain, and then compromising all of their clients,” he said. “This is the same attack method used in the SolarWinds hack, but now it’s being used by criminals to leverage their access to one victim to ransom many more.”
© Copyright 2022 Bloomberg News. All rights reserved.