The frenzy of a cybercriminal gang over the weekend of July 4 ended up infecting more than 1,500 organizations worldwide with ransomware, according to cybersecurity firm Huntress. But it’s not the number of victims that keeps experts from sleeping at night.
The gang used a level of planning and sophistication closer to that of high-level, government-backed hackers than to a simple criminal operation, they say.
The hackers behind the madness, the Russian-speaking ransomware gang REvil, have adopted two new tactics not previously used by the ransomware gangs that continually hit targets around the world, particularly in the United States. Most concerning is that they even deployed a zero-day, a cybersecurity term for a vulnerability in a program that its developers are unaware of and therefore have not had time to fix.
And they didn’t target a single victim, but rather a company with a small but key role in the internet ecosystem. This gave them access to potentially tens or hundreds of thousands of victims.
“What we are seeing here are the tactics of more sophisticated adversaries, like nation states, that trickle down to these less sophisticated and more financially motivated criminal ransomware groups,” said Jack Cable, a researcher at the Krebs Stamos Group, a cybersecurity consulting firm.
REvil, possibly best known for hacking JBS, one of the world’s largest international meat vendors, has been active since at least early 2019. Like a number of other Russian-speaking ransomware gangs, REvil has made its fortune in recent years by hacking into individual organizations, locking down their computers, stealing their files, and demanding payment to restore the systems and not disclose what was stolen.
REvil has previously tried to deploy its ransomware through a so-called supply chain attack, which exploits the way internet services are interconnected. In 2019, the group managed to hack TSM Consulting Services, a small managed service provider in Texas that runs IT services for organizations that don’t want to do it themselves. Soon 22 of the company’s customers, all of them cities in Texas, were infected with the REvil ransomware. State and federal governments stepped in, however, and the cities were eventually able to get back online without paying the ransom.
Over the weekend, however, REvil took this kind of supply chain hacking to the next level. Instead of hacking a single organization, or even a single managed service provider, they hacked into Kaseya, a company that specializes in managing software updates for hundreds of different vendors. This gave them access to a vast pool of potential victims, potentially larger than that of any known criminal hack in history, according to three cybersecurity experts who spoke to NBC News.
So far, it appears that REvil has not had a major impact on American life, although it has crippled several small American businesses, caused a large Swedish grocery store to close for more than 24 hours and infected 11 schools in New Zealand. But that may simply be a bullet dodged: cybersecurity experts find supply chain hacks particularly worrisome because they can quickly give hackers extremely wide access.
The United States discovered in late 2020 that Russia’s SVR intelligence agency had hacked into U.S. company SolarWinds, potentially exposing some 18,000 client organizations to elite hackers from a foreign intelligence agency. It was quickly seen as one of the biggest supply chain hacks in history. Even after it became clear that the number of confirmed victims was likely much lower, the Biden administration berated Russia for the scale of the operation.
While the potential reach of the SolarWinds hack was enormous, there is no evidence that Russia used it for anything other than conventional espionage. The fact that REvil doesn’t appear to be directly driven by a government chain of command means its supply chain attacks could be even more dangerous, Cable said.
“The difference here is that REvil is financially motivated. They are criminals, so in many ways they have fewer limits,” he said. “Ransomware groups don’t follow the same rules, and in some ways we could see this have a bigger impact.”
It is also extremely worrying that REvil was able to deploy a zero-day vulnerability to hack Kaseya, said Brett Callow, an analyst at cybersecurity firm Emsisoft. While there is no solid evidence as to how the gang acquired it – whether they discovered it, stole it from researchers, or bought it from a broker – it does show that the gang has the ability and intent to acquire and deploy elite tools to orchestrate huge hacking campaigns.
“The Kaseya incident is truly a landmark event. It shows that cybercriminals are capable of acquiring and using zero-day vulnerabilities and using them to cause disruption on an absolutely massive scale,” he said.
“Because companies keep paying millions of dollars in ransoms, we have cybercriminals who are more determined and better endowed than ever before,” he said. “It creates predators at the top.”