July 2nd, 2021, was the start of a difficult period for IT management software firm Kaseya. Attackers used the company's VSA remote management product to deliver ransomware, and Kaseya took its own SaaS servers offline as a precaution while the incident unfolded. The damage was not confined to Kaseya: the ransomware ran on the systems of thousands of businesses further down the chain.
Reports indicate that the attack impacted roughly 50 to 60 managed service providers (MSPs) and up to 1,500 small businesses. (These companies either ran Kaseya's software themselves or were customers of providers who did.) The ransomware spread globally, with victims in the United States, New Zealand and Sweden among others.
The businesses impacted by the Kaseya cyber-attack were as diverse as the geographical reach. They included accountants, dentist offices, kindergartens and supermarket chains. For example, Coop in Sweden had to temporarily close around 800 shops because its checkout systems, managed by a point-of-sale service provider that used VSA, were encrypted and store clerks could not open their cash registers. Coop was not a Kaseya customer itself, which is precisely what makes this kind of attack so hard to plan for.
For these businesses and Kaseya, the impact of this downtime will have hurt the bottom line – and could have repercussions for customer relationships and trust.
But this isn't the first time this kind of attack has happened, and it certainly won't be the last. You may have heard of the SolarWinds breach. There, attackers compromised SolarWinds' build process and hid a backdoor inside legitimate Orion software updates, which customers then installed. The mechanics differed from Kaseya (REvil did not tamper with Kaseya's release pipeline, but exploited flaws in the product as MSPs had deployed it), yet the pattern is the same: compromise a software supplier, then ride its trusted channel into its customers' systems.
Both of these incidents are what are known as supply chain cyber attacks; a growing form of cyber crime that is as lucrative as it is damaging. Below, we explore what these kinds of attacks are in more detail. We’ll also further investigate what exactly happened in the case of Kaseya, and the lessons all businesses should take away from the security incident.
What’s a supply chain cyber attack?
No business is an island. Most companies rely on suppliers and partners in some capacity. This could be a payroll software provider, an outsourced customer relationship management system or an IT provider that remotely manages your machines. This digital web between organisations creates a supply chain, and every link in it is a potential route in: a supplier's software runs on your systems, a supplier's staff hold credentials to your network, and a supplier's update mechanism can install whatever it is told to install. A weakness anywhere in that web, whether a vulnerability, exposed access or malware, can be turned against you.
In a typical cyber attack, cyber criminals target one company. They find a way to break into their network or systems, and will then look to steal sensitive data, or perhaps deploy ransomware in order to make a profit.
Sometimes, though, target organisations have strong defences that make them hard to get into. Their suppliers might have a soft underbelly, meaning the supplier can be breached first as a stepping stone to the real target. Likewise, breaching one supplier can hand the attacker access to a multitude of that supplier's customers at once, as happened with both Kaseya and SolarWinds. That one-to-many payoff is what makes supply chain attacks so attractive to criminals.
Kaseya ransomware attack: the details
In a statement, the FBI called the incident a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”
VSA is Kaseya's Virtual System Administrator, a remote monitoring and management tool that MSPs use to administer customer networks, endpoints and devices. By design it can run commands and install software on every machine it manages, and that privileged reach is exactly what made it attractive. In this incident, the cybercriminal group REvil exploited zero-day vulnerabilities in internet-facing, on-premises VSA servers run by MSPs. Having taken control of those servers, the attackers used VSA's own software deployment mechanism to push what appeared to be a legitimate agent update, but actually contained the ransomware, to every endpoint those servers managed. The MSPs' customers were hit in a domino-style effect without ever having been targeted directly.
Following the attack, REvil announced it would release a universal decryptor for all impacted systems in exchange for $70 million in Bitcoin. In the days after, as outages and disruption continued, Kaseya's CEO, Fred Voccola, appeared to be weighing up whether Kaseya would negotiate with the attackers.
Kaseya's immediate advice, issued within hours on July 2nd, was for on-premises customers to shut down their VSA servers until a fix was available. On July 11th the company released a patch for those servers and began restoring its own SaaS service, and on July 12th it reported that the restoration of its SaaS servers was complete. Restoring VSA did not, however, decrypt the files of downstream victims; businesses whose systems had been encrypted still had to recover from backups or wait for a decryptor, which Kaseya was able to distribute later in July.
The exact cost of the ten days of outages and disruption is unlikely ever to be published, as the attack's scope was so broad. However, it's clear that the interruption to business services was damaging for thousands of companies across the globe.
A wake-up call for supply chain security
This incident serves as a stark reminder of the need for more robust supply chain security. Organised cyber criminals are becoming more sophisticated in their approach, and they are looking for the biggest possible impact from the least possible effort. Compromising a tool that already has administrative access to thousands of machines is an excellent way for them to get it.
To defend against these kinds of attacks, organisations must come up with a proactive strategy for supply chain cyber security assurance. To help companies do this, we recently published a comprehensive guide to supply chain cyber security, exploring how to select trusted suppliers, best practices for supply chain security and recommendations for a supplier assurance process. You can read the full guide here.
As well as being a supply chain attack, this incident was also a ransomware attack. REvil offered to release the systems it held hostage for $70 million in Bitcoin. In the fight against ransomware, backups and incident response planning are must-haves in an organisation's arsenal. Having backups reduces the pressure on companies to pay ransoms for any encrypted files or systems. There is a caveat that Kaseya illustrates well: a remote management tool has administrative reach over every machine it manages, so an attacker who controls it can often reach the backup servers too. Backups only help if at least one copy is offline or immutable, and if restoring from them has been rehearsed before the day you need to.
Furthermore, a solid incident response plan helps businesses to manage a cyber security incident without panic or disarray. By planning for the worst-case scenario, and designating people's roles and responsibilities in advance, organisations can minimise the damage caused by a data breach or attack.
In the case of Kaseya, the company's transparency and speed indicated a structured incident response plan: it took its SaaS servers offline and told on-premises customers to shut down their VSA servers within hours of the first reports, which limited how far the ransomware could spread. While the disruption from this attack was widespread, it could no doubt have been worse had Kaseya not moved so quickly. It is worth noting, though, that the vulnerabilities REvil exploited had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure some months earlier and were being patched when the attack hit. A fast response after the fact is no substitute for closing a known hole before attackers find it, and that lesson applies to every supplier in your chain.
If you need help or advice on how to manage your business's cyber security, we're here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat or learn more about the supply chain security services we offer.