Updated Jul 3, 2021 - Technology

Russia-based hackers breach more than 1,000 businesses


Illustration: Aïda Amer/Axios

A Russia-based hacking group known as REvil has compromised the computer systems of at least 1,000 businesses by targeting managed service providers, according to the cybersecurity firm Huntress Labs Inc.

Why it matters: It's a large-scale ransomware campaign — the full scope of which is not yet known — and comes on the heels of several other high-profile ransomware attacks this year.

Of note via Bloomberg: "Such attacks can have a multiplying effect, since the hackers may then gain access and infiltrate the MSPs’ customers too."

  • The affected MSPs (platforms that provide IT management and other core network functions for businesses) and the affected companies have not yet been named.

The latest: President Biden said Saturday that the U.S. government is still not certain who is behind the hack, according to Reuters.

  • "The initial thinking was it was not the Russian government but we're not sure yet," Biden said. Biden said he directed U.S. intelligence agencies to investigate.
  • Victims have emerged in 11 countries so far, per cybersecurity firm ESET.
  • Grocery chain Coop’s 800+ stores in Sweden couldn’t open Saturday after the hack led cash registers to malfunction, spokesperson Therese Knapp told Bloomberg.

What they're saying: John Hammond, a cybersecurity researcher at Huntress Labs, said more than 20 MSPs have been impacted. He noted the criminals targeted software supplier Kaseya, using its network-management package to spread the ransomware.

  • “What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”

Cybersecurity researcher Jake Williams, president of Rendition Infosec, told AP it's no accident that this happened before a holiday weekend, when IT staffing is generally thin.

  • Hackers frequently infiltrate widely used software, then spread malware as the software automatically updates.

The privately held Kaseya is based in Dublin, with a U.S. headquarters in Miami. The Miami Herald reported Kaseya's plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.

The big picture: The breach comes after a summit between President Biden and Russian President Vladimir Putin, during which Biden threatened to use the U.S.' "significant" cyber capabilities to respond if critical infrastructure entities are targeted by Russian hackers.

  • FBI Director Christopher Wray told Congress in June that cyber threats against U.S. businesses are increasing "almost exponentially."

Go deeper: FBI: Russia-linked REvil behind ransomware attack on meatpacker JBS

Editor's note: This story will be updated as new information is released.
