Given that the attack hit just before a holiday weekend, the full extent of the damage may not be known until this week. Here’s what we know so far.
Kaseya provides technology that helps other companies manage their information technology — essentially, the digital backbone of their operations. In many cases, Kaseya sells its technology to third-party service providers, which manage IT for other companies, often small- and medium-sized businesses. In short, by targeting Kaseya’s software, attackers had easier access to a range of different companies’ networks.
Over the weekend, experts said the attack had already knocked out at least a dozen IT support firms that rely on Kaseya’s remote management tool. The incident not only affects Kaseya’s IT management customers, but also those companies’ corporate clients that have outsourced IT management to them.
“We’re not looking at massive critical infrastructure,” he told Reuters. “That’s not our business. We’re not running AT&T’s network or Verizon’s 911 system. Nothing like that.”
Who was behind it?
REvil is the criminal hacking gang whose malware was behind the Kaseya attack, cyber researchers have said.
The group, which is believed to operate out of Eastern Europe or Russia, is one of the most infamous “ransomware-as-a-service” providers, meaning it supplies tools for others to carry out ransomware attacks and takes a cut of the profits. It also executes some of its own attacks.
About the timing…
It’s not surprising that the attack hit just ahead of a major holiday weekend. Experts say holidays and long weekends are the best times for hackers to execute ransomware attacks because they give the attackers more time to encrypt files and devices before anyone has a chance to notice and respond.
Executing the attack on Fourth of July weekend, in particular, may have also been intentional, according to DiMaggio.
After US officials took out DarkSide following the Colonial Pipeline attack and reclaimed some of the ransom it had received, REvil took to online hacking forums to say that ransomware groups would not be deterred by the United States, DiMaggio said.
“They’ve always seemed anti-US but especially since the DarkSide takedown, and now we’re seeing this massive attack against our infrastructure on Independence Day weekend,” he said. “I think it’s sending a very strong message.”
How has the White House responded?
The White House has urged companies that believe their systems were compromised by the attack to immediately report it to the Internet Crime Complaint Center.
“Since Friday, the United States Government has been working across the interagency to assess the Kaseya ransomware incident and assist in the response,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, on Sunday. “The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working with Kaseya and coordinating to conduct outreach to impacted victims.”
President Joe Biden also said in a press briefing over the weekend that, while officials are still investigating the source of the attack, the United States could retaliate if the Russian government is involved.
“If it is either with the knowledge of and/or the consequence of Russia, then I told Putin we will respond,” Biden said Saturday, referring to his meeting with the Russian leader last month. “We’re not certain. The initial thinking it was not the Russian government but we’re not sure yet.”
What should we learn?
The attack on Kaseya points to a popular target for ransomware attackers: Managed Service Providers. MSPs such as Kaseya’s customers allow companies to outsource certain software and services, such as IT management, to third parties, which can help avoid the cost of having to employ such experts in-house.
While attacks on these kinds of providers are not new, MSPs represent a big opportunity for hackers because of the way they interact with other companies’ networks, DiMaggio said. In many cases, there are no technical checks on software updates coming from these providers because they are considered “trusted” partners, potentially leaving customers vulnerable to bad actors who could embed ransomware payloads in those updates.
“There’s going to have to be more checks and balances for any third-party vendor,” he said.