Not many people outside the IT world, or more specifically the part of it involved in the “plumbing” of how IT infrastructure is run and managed, would have heard of Kaseya until today.
Yet, the United States-based company that helps companies remotely monitor and manage their IT infrastructure is now in the headlines because it has become a victim of the single largest global ransomware attack.
Only 50 to 60 of Kaseya’s 37,000 customers were compromised over the weekend, reportedly by a Russia-based hacker group, but most of these customers used Kaseya’s software to in turn manage the IT infrastructure of thousands of other businesses.
These ranged from Swedish grocery chain Coop, which had its cash register software crippled, to small businesses like dental practices and architecture firms, Kaseya said on Sunday.
What’s worrying is that this is yet another devastating supply chain attack. In other words, hackers have found a way to compromise the companies that help manage the IT infrastructure of hundreds or thousands of other companies.
This gives them access to a larger group of victims. The notorious REvil gang is now said to be asking for a ransom of US$70 million to decrypt the data it has locked up through the attack on Kaseya.
If this feels like déjà vu, you may remember one of the biggest attacks last year on another US company, SolarWinds, which helps thousands of organisations manage and monitor corporate networks.
Said to be the work of Russian hackers as well, that attack was used to get into other IT firms such as Microsoft, Intel and Cisco, as well as a dozen US government agencies, such as the Treasury and even the Department of Homeland Security.
That attack was sophisticated, just like the current Kaseya one, because it had to get past some tough defences that well-regarded suppliers would be expected to mount.
But once in, the attackers could not only gain access to the initial victim’s systems, but potentially do a lot more damage to their customers. They could, for example, send out fake updates to other victims that silently open up their computers to infection.
Now, these updates are usually digitally “signed” so that businesses can check they are authentic when they receive them. However, hackers have managed to insert malicious code into the genuine update while it is still being worked on, so that it is signed and delivered with the malware inside.
This is somewhat like sneaking into a factory and planting a bugging device in a PC or phone. On the outside, everything is sealed and looks fine, but inside it has been “contaminated”.
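The point above, that a signature proves who sealed the update but not that the contents were untouched before sealing, can be shown with a small simulation. This is an added example, not code from the article or from Kaseya; the signing key, source tree and build steps are all constructed, and HMAC stands in for a real code-signing key so the script runs with only the standard library.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor's code-signing key. A real pipeline would use
# an asymmetric key in an HSM; HMAC is used only so the example is self-contained.
SIGNING_KEY = b"vendor-release-signing-key-EXAMPLE"

# Constructed source tree of an update, as the vendor's developers wrote it.
CLEAN_SOURCE = {"agent/update.py": b"def apply():\n    patch_agent()\n"}


def build(source: dict) -> bytes:
    """Deterministic build: concatenate files in a fixed order."""
    return b"".join(path.encode() + b"\n" + body for path, body in sorted(source.items()))


def sign(artifact: bytes) -> str:
    """The signing step signs whatever it is handed; it cannot tell clean from tampered."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str) -> bool:
    """What a customer normally checks on receipt: does the signature match the file?"""
    return hmac.compare_digest(sign(artifact), signature)


def release_pipeline(source: dict, inject: bytes = b"") -> tuple:
    """Vendor build-then-sign pipeline. `inject` models an intruder altering the
    artifact after the build and before signing, as the article describes."""
    artifact = build(source) + inject
    return artifact, sign(artifact)


def matches_independent_rebuild(artifact: bytes, source: dict) -> bool:
    """Independent audit: rebuild from the reviewed source and compare digests.
    Only an artifact that is exactly what the source produces passes."""
    expected = hashlib.sha256(build(source)).hexdigest()
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), expected)


if __name__ == "__main__":
    clean, clean_sig = release_pipeline(CLEAN_SOURCE)
    bad, bad_sig = release_pipeline(CLEAN_SOURCE, inject=b"\n# constructed marker for injected code\n")
    print("clean:    signature ok =", verify_signature(clean, clean_sig),
          " rebuild ok =", matches_independent_rebuild(clean, CLEAN_SOURCE))
    print("tampered: signature ok =", verify_signature(bad, bad_sig),
          " rebuild ok =", matches_independent_rebuild(bad, CLEAN_SOURCE))
```

The tampered artifact carries a perfectly valid signature; only the rebuild-and-compare check, the kind of independent scrutiny of the build process discussed later in the article, tells the two apart.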
In the past, there have been reports of intelligence agencies hijacking shipments of network hardware and implanting chips to track their location and to insert malware.
Today, with everything controlled and run by software, there is no need to resort to such physical efforts. Instead, hackers just have to target companies that supply the software to manage all the hardware, from servers to network routers.
The saying that “software is eating the world” may also be applied to how the world’s infrastructure is increasingly run by software.
This includes public cloud services from the likes of Google, Amazon and Microsoft as well as private corporate network gear and data traffic now managed with Software Defined Networking (SDN).
The reason is that today’s infrastructure is too complex to manage manually or by flipping a hardware switch. Imagine having to head down to each and every branch of a retailer, or every lecture hall in a university, to update the Wi-Fi routers.
Why not just push the update through a central management console? A “single pane of glass” is what the industry calls this, to control or orchestrate multiple sites or businesses through software. To do so, however, means to keep everything always connected.
This means the management software and its supplier are attractive targets. An exposed supplier – and there are only a handful like SolarWinds and Kaseya – will expose a lot more victims.
The SolarWinds attack, for example, even resulted in much-respected cybersecurity firm FireEye being breached. It was while investigating its own breach, in which hacking tools used to test client networks were stolen, that FireEye uncovered the SolarWinds attack.
This is not to say that businesses should start unplugging their systems and go back to an unconnected world. There is no way things are returning to the old days, as every transaction becomes digital in the years ahead.
What this means is that much more of the responsibility will fall on the shoulders of key suppliers of infrastructure management systems. They are already hardened targets – more shielded than individual businesses running their own systems – but clearly, more needs to be done.
The Linux Foundation, for example, has suggested more scrutiny into the software creation and update process. An independent audit of the components involved could help enhance security.
The criminal gangs involved also have to be tackled, either through political means as the US government has threatened or through takedowns of the hackers’ own well-built infrastructure and supply chain on the Dark Web.
Yes, hacker groups don’t work alone today. Instead, many often find affiliates to craft various parts of an attack, from testing the defences of a target to extracting the data and sending a ransom note.
Unfortunately, given how divided the world is today, it won’t be easy for governments, say, from the US, Russia and China, to cooperate to lift the scourge of cyberattacks off businesses any time soon.
Just as they have to plan for a catastrophic event that would upend their operations, businesses have to manage their risks and be ready to recover from a costly attack.
As the saying goes, it’s not whether you will get attacked but how you prepare and respond to it. The risks, to be sure, are growing in a software-controlled, interconnected world.