Cyber attack: Russian hackers suspected – economy


Until now, it is mostly IT experts who will have heard of a company called Kaseya. The Miami, Florida company, worth a good two billion dollars, works in the background. In the best case, users hardly notice that Kaseya or a partner company is managing their company’s IT. That is now changing abruptly: hackers have succeeded in infiltrating a number of Kaseya’s partner companies and compromising parts of their software. The compromised software encrypts data on the systems of those affected, and the blackmailers demand ransom in cryptocurrency in messages on the screen – a total of billions. This extortion attack is one of the largest to date, and thousands of German companies are also at risk, warns the Federal Office for Information Security (BSI).

The US government is alarmed and has called on the intelligence services to conduct an intensive investigation. This could also lead to political tremors, because the possible originator of the attack is a hacker group from Russia called REvil. US President Joe Biden initially avoided assigning blame, but that could change quickly if the services find solid proof, or at least strong indications, that Russian state hackers were actually behind the attack. “The first impression was that the Russian government was not behind it – but we are not sure yet,” said Biden. After previous attacks, which, according to US findings, had been carried out by Russian hackers, Biden had already accused his Russian counterpart, Vladimir Putin, of simply letting criminal hackers in his country have their way.

What exactly happened? The attackers manipulated software at IT service providers that is actually supposed to make systems more secure. Because small and medium-sized companies do not have enough staff and skills to maintain their IT themselves and protect it from attacks, they employ service providers, known in the jargon as Managed Service Providers (MSPs). These take over tasks such as installing software updates, and they used Kaseya’s VSA software to do so.

In order for this to work, these service providers must have a high level of authorization on their customers’ systems. The attackers took advantage of this. By using the update function of the management software as a Trojan horse, they were able to get into the customers’ IT systems and paralyze them. In Sweden, for example, a supermarket chain had to close almost all of its more than 800 branches because the cash registers no longer worked.

Those affected have a difficult choice: pay or set up a new system

Instead of attacking each company individually, which would mean exploiting technical security gaps and human weaknesses one victim at a time, the attackers achieved a multiplier effect. It is still unclear how many companies are affected. While Kaseya spoke of 40 affected customers, the US security company Huntress Labs, to which attacked companies reported, put the number of victims at more than a thousand, and the number could rise further.

Those affected now face a difficult choice: either they pay the ransom and thus have a chance that their systems, and with them their business, will be up and running again soon, or they refuse and are then forced to set everything up again. That takes time and is expensive, which is why many companies grit their teeth and pay. The security authorities do not like to see this, because on the one hand it is not certain that unlocking the systems will really work. On the other hand, there is no complete certainty that the attackers have not smuggled in additional malware that, for example, steals data.

A digital Tegut supermarket in Munich: the grocery chain has also been hit once.

(Photo: Florian Peljak)

But because more and more companies are paying, the hacker groups are doing good business with so-called ransomware, that is, extortion software. They have long been organized around a division of labor. While some take care of breaking into computer systems, others handle the negotiations with those affected, and there are also specialists for unlocking the systems afterwards. It is like extorting protection money, only without thugs, without guns – and without protection. Nobody can guarantee that you will not be attacked by another gang.

Ransomware attacks have increased steadily in the past few years, and not just in the US. In this country, too, the food chain Tegut, the Funke media group and the media company Madsack have already been hit this year. An attack on a Ukrainian provider of accounting software and an attack on the US software provider SolarWinds also caused a sensation. The customers of both software companies received the ransomware via the update function.

Experts are concerned that the security situation is tense

The increasing number of such attacks is also alarming the Federation of German Industries (BDI). In Welt am Sonntag, it calls for a national economic protection strategy. The Federal Office for Information Security (BSI) is also concerned. The security situation is tense; in the case of ransomware in particular, “increased activity” has been noted.

The impact of the attack could have been even greater, as Kaseya has more than 36,000 customers worldwide. Security experts praised the company for its quick response to the attack. According to what is known so far, the attack only affected companies that run the VSA software in their own data centers. Customers who have booked the service via the cloud are said to have been spared.
