On July 3 the Russian hacking group REvil infiltrated tools distributed by a security and monitoring firm – Kaseya, this time – and slipped ransomware into thousands of business networks.
Today REvil has disappeared, a curious twist in the story of the Kaseya hack – and it was already pretty curious.
Yes, it’s another scary security story. There’s bad news and good news.
The bad news is that the flood of scary security stories reflects something deeply unsettling about the world: the pace of attacks is increasing and we’re all more at risk than ever.
The good news is that REvil’s disappearance might – might – mean that the good guys are making a tiny bit of progress on defense.
Let me give you the story in a few words.
The REvil hackers are well known. Cybersecurity experts recognize their work. The Solarwinds attack last year was a stealth operation done by a different group at the direction of the Russian government. The Kaseya hack looks like it was done by criminals looking for money, nothing more. REvil is not controlled directly by Putin, as far as we know, although it almost certainly operates with his blessing.
There’s a pattern to ransomware attacks these days: when a business network is breached, hackers typically gain access quietly and download as much corporate data as possible before scrambling files and demanding a ransom payment. That lets them threaten to release the private corporate files if the ransom isn’t paid.
The Kaseya hackers didn’t do that. They got access to business networks and launched a program to scramble the files lickety split without taking time to install backdoors or download data.
That’s why there’s a disconnect in the news: the Kaseya attack arguably hit more businesses than any other ransomware attack in history but there aren’t very many stories in the news about businesses suffering from it. The reason, according to Steve Gibson on Security Now, is that the businesses are mostly able to restore from backups instead of paying the ransom. The hackers don’t have any leverage to convince them otherwise. Restoring from backups is a huge PITA but cheaper than paying a few million dollars.
The attack wasn’t as bad as it could have been
Kaseya supplies monitoring and security tools to thousands of managed service providers (MSPs), who in turn use those tools to support hundreds of thousands of businesses large and small. The hackers only hit a very small number of those customers.
One of the services is named Kaseya VSA, which does (complicated network mumbo-jumbo). The hack only affected Kaseya VSA, not any of Kaseya’s myriad other tools. Kaseya VSA comes in two flavors, either hosted online by Kaseya or self-hosted directly by MSP’s on their own servers. Only the self-hosted Kaseya VSA servers were hacked. And most of all, an analysis of the malware used by the hackers shows that it relied on knowledge of some random-generated IDs that are difficult to come by. Since the bad guys didn’t have all the necessary ID codes, fewer than 60 of the 35,000 Kaseya VSA customers were hacked, according to a research report today.
All or most of the 60 hacked Kaseya VSA customers were MSPs running the Kaseya VSA agents on their clients’ networks, so an estimated 1500 businesses wound up with scrambled files and ransomware demands. That’s not good, but it could have been worse.
So if you or your IT support firm rely on Kaseya, there’s still a very, very good chance that you were not hacked.
How much should we blame Kaseya?
An important rule of thumb: when bad guys do nasty stuff, blame the bad guys. This hack was done by Russian gangsters and they’re the ones we should hogtie and bring to the US and force to endure an endless, nonstop, soul-destroying series of depositions by lawyers for the hacked businesses. I’ve checked and that is not technically considered to be torture, but that’s one of the visions of Hell that I fear the most. (In an even more scary vision of Hell, I’m the lawyer taking depositions for eternity, but that doesn’t apply here.)
There are a couple of things that don’t reflect well on Kaseya, though. This will hurt its reputation, much as the Solarwinds hack permanently tarnished that company.
Five anonymous former Kaseya employees say they warned the company in 2019 about wide-ranging security problems. Bloomberg reports: “One of the former employees said that in early 2019 he sent company leaders a 40-page memo detailing security concerns and was fired about two weeks later, which he believed was related to his repeated efforts to flag the problems.”
So that’s not good.
The Dutch Institute for Vulnerability Disclosure discovered seven vulnerabilities in Kaseya VSA and warned Kaseya about them in April. Kaseya had not fixed them almost three months later. One of them was used by REvil in this month’s hack.
Definitely an oopsie.
Kaseya started laying people off in the US in 2018 and moving jobs to Belarus, where local leaders are buddy-buddy with the Russian government. Maybe it’s a coincidence that Solarwinds had also outsourced jobs to Belarus, Poland, and the Czech Republic. It might not mean anything – there are fine engineers in eastern Europe, they work cheap, it’s a big global economy. But wow, it’s a bad look after an event like this.
The important thing is that the Kaseya and Solarwinds hacks have sent a very clear message to everyone involved in network security that they must step up their game. Security is now numbers one through ten on the list of Top Ten Goals For Company Networks, almost regardless of cost or inconvenience. Today Microsoft CEO Satya Nadella described the recent flood of cyberattacks as another pandemic.
Where is the REvil gang?
The Kaseya ransomware attack was launched on Friday afternoon as businesses began closing up for the July 4 holiday (not by accident).
Two days ago, all of REvil’s websites on the Internet and the dark web disappeared. The blog where the group bragged about its ransomware earnings – gone. The sites where hacking victims negotiated over the ransom payments to get their data unlocked – gone. The infrastructure for making bitcoin payments and getting decryption tools – offline.
As I write this the next day, there’s no explanation for why REvil suddenly went dark. There are three possibilities:
1) In mid-June, Joe Biden delivered an ultimatum to Vladimir Putin in a phone call, pressing Putin to take action against cyber-attackers based in Russia. Putin might have told REvil to shut down to placate the US, or perhaps to burnish Russia’s image at meetings of a US-Russia working group on global cybersecurity which will convene in a few days.
2) Biden also warned Putin that the US would take unilateral action against Russian hackers if Putin did not do it for us. The United States Cyber Command may have shut down REvil’s sites. They’ve done it before to other hacking groups.
3) REvil may have shut itself down to avoid the heat. Darkside, the group behind the attack on Colonial Pipeline in May, took itself offline after its attack proved to be too successful, generating intense anger and putting them in the crosshairs of our biggest security guns. REvil may have gotten skittish as they watched Biden and Putin squaring off.
REvil could reappear under any of those scenarios, perhaps under a different name. New York Times cybersecurity expert David Sanger writes that “many experts think that DarkSide’s going-out-of-business move was nothing but digital theater, and that all of the group’s key ransomware talent will reassemble under a different name. If so, the same could happen with REvil, which Recorded Future, a Massachusetts cybersecurity firm, estimates has been responsible for roughly a quarter of all the sophisticated ransomware attacks on Western targets.”
Even if these defensive measures are only temporary, they are still at least partially effective, which is far better than nothing. In the next few weeks, the Biden administration will announce a number of initiatives that elevate ransomware attacks to the level of major national security threats. On a governmental level, that may lead to sanctions, targeted responses, or political pressure on Russia, China, Korea and other state actors. The administration will also announce incentives for companies and local governments to improve their defenses.
There have been other signs of progress. The US Cyber Command conducted more than two dozen operations before the 2020 election to head off election meddling. Microsoft has been an effective leader in several international security actions, including a massive operation in October 2020 against a global botnet and ransomware group. Microsoft spearheaded an unprecedented response to the Solarwinds hack in December 2020.
Maybe slowly, ever so slowly, we will become more secure and these threats will be less likely. In the meantime, be careful out there!
