A U.S. software company says it is investigating a potential cyberattack that a cybersecurity expert has described as a ransomware attack resembling an earlier one attributed to Russian hackers.
The company, Kaseya, in a statement on July 2 urged customers to immediately shut down servers running the affected software and confirmed that it had shut down some of its servers.
Kaseya said the attack was limited to a “small number” of its customers and said it is working closely with a few security firms that notified it of the issue.
A cybersecurity researcher with security firm Huntress Labs said Huntress is one of those companies, adding that the criminals used Kaseya’s network management package as a conduit to spread ransomware through cloud service providers.
The attack has paralyzed the networks of at least 200 U.S. companies that use Kaseya’s software, according to the researcher, John Hammond.
Hammond told the Associated Press that the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack.
“Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi,” Hammond is quoted as saying.
The FBI linked REvil to a ransomware attack in May on JBS, a major global meat processor. Ransomware renders its victims’ data unusable by encrypting it, with the attackers demanding payment in exchange for the decryption key.
The Cybersecurity and Infrastructure Security Agency (CISA) is closely monitoring the situation and is working with the FBI to gather information about the impact of the incident, the agency said in an e-mail to RFE/RL.
“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately,” said Eric Goldstein, executive assistant director for cybersecurity at the Department of Homeland Security.
VSA is the company’s flagship offering and is designed to let companies manage networks of computers and printers from a single point. Because the VSA server pushes software and commands to an agent on every machine it manages, a compromised server can distribute malicious code to all of those endpoints at once, which is what makes it an attractive conduit for ransomware.
Separately, CISA and the U.S. National Security Agency (NSA) posted an advisory on July 1 in which U.S. and British security agencies exposed “brute force” password-guessing methods they say have been used by the Russian military-intelligence agency known as the GRU to conduct malicious cyberactivities against hundreds of government and private organizations.
The advisory described cyberattacks carried out by operatives of the GRU, which has been accused of involvement in attempts to disrupt the U.S. presidential elections in 2016 and 2020, the 2015 hack of the German Bundestag, attacks on Ukraine’s power grid, and many other incidents.
“The advisory warns system administrators that exploitation is almost certainly ongoing. Targets have been global, but primarily focused on the United States and Europe,” CISA said.
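The article names the GRU’s technique only as “brute force” and does not describe the targets, log sources or thresholds involved, so the following is an added example, not code from Kaseya, CISA or the advisory. It shows the detection logic an administrator heeding that warning would run over authentication logs: a sliding-window count of failed logins that separates classic brute force (many failures against one account from one source) from password spraying (one source trying a few passwords against many accounts), and flags a successful login that follows a burst of failures. The log lines are constructed in OpenSSH auth.log style as a stand-in for whatever the real log source is; the year, the 10-minute window and the thresholds are assumptions to be tuned locally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH auth.log style (not from the article).
# 198.51.100.7 hammers one account; 203.0.113.9 sprays many accounts, then gets in;
# 192.0.2.50 is an ordinary user who mistyped a password once, half an hour earlier.
SAMPLE_LOG = """\
Jul  1 08:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jul  1 08:00:03 host sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Jul  1 08:00:05 host sshd[103]: Failed password for root from 198.51.100.7 port 40003 ssh2
Jul  1 08:00:07 host sshd[104]: Failed password for root from 198.51.100.7 port 40004 ssh2
Jul  1 08:00:09 host sshd[105]: Failed password for root from 198.51.100.7 port 40005 ssh2
Jul  1 08:00:11 host sshd[106]: Failed password for root from 198.51.100.7 port 40006 ssh2
Jul  1 08:00:13 host sshd[107]: Failed password for root from 198.51.100.7 port 40007 ssh2
Jul  1 08:10:00 host sshd[201]: Failed password for alice from 203.0.113.9 port 50001 ssh2
Jul  1 08:10:30 host sshd[202]: Failed password for bob from 203.0.113.9 port 50002 ssh2
Jul  1 08:11:00 host sshd[203]: Failed password for carol from 203.0.113.9 port 50003 ssh2
Jul  1 08:11:30 host sshd[204]: Failed password for dave from 203.0.113.9 port 50004 ssh2
Jul  1 08:12:00 host sshd[205]: Failed password for erin from 203.0.113.9 port 50005 ssh2
Jul  1 08:12:30 host sshd[206]: Accepted password for erin from 203.0.113.9 port 50006 ssh2
Jul  1 09:00:00 host sshd[301]: Failed password for alice from 192.0.2.50 port 60001 ssh2
Jul  1 09:30:00 host sshd[302]: Accepted password for alice from 192.0.2.50 port 60002 ssh2
"""

# Matches only password-authentication outcomes; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(log_text, year=2021):
    """Return (timestamp, result, user, ip) tuples sorted by time.

    Syslog timestamps carry no year, so one is assumed (2021 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(log_text, window_s=600, brute_threshold=5, spray_users=4):
    """Sliding-window detection of brute force, password spraying and
    a successful login preceded by failures from the same source."""
    window = timedelta(seconds=window_s)
    fails_by_pair = defaultdict(deque)   # (ip, user) -> timestamps of failures
    fails_by_ip = defaultdict(deque)     # ip -> (timestamp, user) of failures
    alerts = {"brute_force": set(), "spray": set(), "success_after_failures": set()}

    for ts, result, user, ip in parse_events(log_text):
        cutoff = ts - window
        if result == "Failed":
            pair = fails_by_pair[(ip, user)]
            pair.append(ts)
            while pair and pair[0] < cutoff:      # expire failures outside the window
                pair.popleft()
            if len(pair) >= brute_threshold:
                alerts["brute_force"].add((ip, user))

            per_ip = fails_by_ip[ip]
            per_ip.append((ts, user))
            while per_ip and per_ip[0][0] < cutoff:
                per_ip.popleft()
            if len({u for _, u in per_ip}) >= spray_users:
                alerts["spray"].add(ip)
        else:
            # A success is only suspicious if this source failed recently;
            # 192.0.2.50's single failure 30 minutes earlier falls outside the window.
            recent = [u for t, u in fails_by_ip.get(ip, ()) if t >= cutoff]
            if recent:
                alerts["success_after_failures"].add((ip, user))

    return {name: sorted(hits) for name, hits in alerts.items()}


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Per-source counting like this is the easy case. A campaign that spreads attempts over many source addresses and keeps each one below the threshold will slip past it, so in practice the same windowed counts are also kept per account regardless of source, and the durable mitigation is multi-factor authentication and account lockout rather than detection alone.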
U.S. President Joe Biden raised cybersecurity during his summit last month with Russian President Vladimir Putin. He said he told Putin that certain types of critical infrastructure should be off limits to cyberattacks.
Biden said he and Putin agreed to further discussions on those types of attacks and on the pursuit of criminals carrying out ransomware attacks.
Prior to the ransomware attack on JBS, a similar attack on Colonial Pipeline, one of the largest pipeline operators in the United States, forced the company to halt its pipeline, cutting off fuel deliveries to much of the East Coast for nearly a week.
The U.S. Justice Department later said it had recovered most of the bitcoin ransom paid to the suspected Russia-based DarkSide cybercriminal group behind the attack on Colonial Pipeline.