A cyberattack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity investigator whose firm was responding to the incident.
Many of the victims were customers of managed service providers (MSPs), firms that run IT systems on behalf of other businesses. These are not internet service providers (ISPs), the companies through which users access the Internet, such as Cablevisión and Telecentro in Argentina.
REvil, a Russian-speaking cybercriminal group known for ransomware extortion, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software vendor called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud service providers.
Other researchers agreed with Hammond’s assessment.
“Kaseya handles everything from large enterprises to small businesses globally, so ultimately this has the potential to spread to a business of any size or scale,” Hammond said in a direct message on Twitter. “This is a colossal and devastating supply chain attack,” he added.
Such supply chain (third-party) cyberattacks compromise widely used software and ride its normal distribution channel, so that malicious code, or malware, reaches every customer as the software is automatically updated.
It was not yet clear how many Kaseya customers might be affected or who they were. In a statement posted on its website, Kaseya urged its customers to immediately shut down the servers running the affected software. It said the attack was limited to a “small number” of its customers.
Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was not aware of any previous supply chain ransomware attack on this scale. There had been others, he said, but smaller.
“This is SolarWinds with ransomware,” he said, referring to the Russian cyber espionage campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and dozens of companies.
Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It is no coincidence that this happened ahead of the July 4 holiday weekend, when IT staffing is typically thin, he added.
“I have no doubt that the timing was intentional,” he said.
Developing story.