A cybercriminal gang’s spree over the Fourth of July weekend ended up infecting more than 1,500 organizations around the world with ransomware, according to the cybersecurity company Huntress. But it’s not the number of victims that’s keeping experts up at night.
The gang used a level of planning and sophistication closer to high-level, government-backed hackers, rather than a mere criminal operation, they say.
The hackers behind the spree, the Russian-speaking ransomware gang REvil, adopted two new tactics previously not used by the ransomware gangs that continually hack targets around the world, but particularly in the U.S. Most concerning is that they even deployed a zero-day, a cybersecurity term for a vulnerability in a program that software developers aren’t aware of and thus haven’t had time to fix.
And they didn’t target a single victim, but rather a company with a small but key role in the internet ecosystem. This gave them access to potentially tens or hundreds of thousands of victims.
“What we’re seeing here is the tactics of more sophisticated adversaries, like nation-states, trickling down toward these less sophisticated, more financially motivated criminal ransomware groups,” said Jack Cable, a researcher at the Krebs Stamos Group, a cybersecurity consultancy.
REvil, likely best known for hacking JBS, one of the world’s largest international meat suppliers, has been active since at least early 2019. Like a number of other Russian-speaking ransomware gangs, REvil has made a fortune in recent years by hacking individual organizations, locking their computers, stealing their files and demanding a payment to fix things and not leak what they stole.
REvil has previously dabbled in deploying its ransomware through a so-called supply chain attack, which exploits how interconnected internet services are. In 2019, the group successfully hacked TSM Consulting Services, a small Texas managed services provider, which handles web services for organizations that don’t want to do it themselves. Soon 22 of the company’s clients, all Texas towns, were infected with REvil’s ransomware. The state and federal government jumped on the case, however, and the towns were eventually able to get back online without paying the ransom.
Over the weekend, however, REvil took that kind of supply chain hack to the next level. Instead of hacking a single organization, or even a single managed service provider, they hacked Kaseya, a company that specialises in handling software updates for hundreds of different providers. That gave them access to a sizable set of victims, potentially broader than any known criminal hack in history, according to three cybersecurity experts who spoke with NBC News.
So far, it appears that REvil didn’t have any major impact on American life, though it did cripple several smaller American businesses, caused a major Swedish grocery store to shut down for more than 24 hours and infected 11 schools in New Zealand. But that might be a dodged bullet because cybersecurity experts find supply chain hacks especially worrisome, as they can quickly give hackers incredibly broad access.
The U.S. discovered late in 2020 that Russia’s SVR intelligence agency had hacked the U.S. company SolarWinds, potentially exposing some 18,000 customer organizations to a foreign intelligence agency’s elite hackers. That was quickly deemed one of the largest supply chain hacks in history. Even after it became clear that the number of confirmed victims was likely much lower, the Biden administration rebuked Russia for the operation’s scale.
While the potential scope of the SolarWinds hack was enormous, there’s no evidence that Russia used it for anything other than conventional espionage. The fact that REvil doesn’t seem to directly be motivated by a government chain of command means its supply chain attacks could be even more dangerous, Cable said.
“The difference here is REvil is financially motivated. They’re criminals, so in many ways they have fewer boundaries,” he said. “Ransomware groups don’t abide by the same rules, and in some ways we could see it have a larger impact.”
It’s also extremely worrying that REvil was able to deploy a zero-day vulnerability to hack Kaseya, said Brett Callow, an analyst at the cybersecurity company Emsisoft. While there’s no strong evidence for how the gang was able to acquire it — whether the gang discovered it, stole it from researchers or purchased it from a broker — it shows that the gang has the capability and intent to acquire and deploy elite tools to orchestrate enormous hacking campaigns.
“The Kaseya incident really is a landmark event. It shows that cybercriminals are able to acquire and use zero-day vulnerabilities and use them to cause disruption on an absolutely massive scale,” he said.
“Because companies continue to pay millions of dollars in ransoms, so we have cybercriminals who are more determined and better resourced than ever before,” he said. “It’s creating apex predators.”