The White House and key Federal agencies have been working since July 2 to assist in the response to the Kaseya ransomware attack, as President Biden gets set to meet this week with an interagency group taking a longer look at the ransomware problem.
The FBI and Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have been helping American software firm Kaseya respond to a wide-ranging supply chain ransomware attack since July 2. Kaseya’s most recent evaluations estimate that between 800 and 1,500 businesses downstream in the supply chain have been affected by the attack.
President Biden announced July 3 that he was directing the “full resources of the government to assist in the response.” While Biden said the government is uncertain of who began the attack, Kaseya has acknowledged receipt of a ransom note from REvil – the same group behind the JBS USA ransomware attack.
“The attack over the weekend underscores the need for companies and government agencies, as well, to focus on improving cybersecurity, and we’ve talked a bit in the past about the importance of private sector entities hardening their own cybersecurity, putting in place best practices that have been recommended by the federal government for some time,” White House Press Secretary Jen Psaki said today.
“We are going to continue to be partners because it’s important to, of course, protect our critical infrastructure, but also protect it … [and] play what role we can from the Federal government to ensure that impacts on smaller businesses, on mom-and-pop shops, are minimized as well,” Psaki continued.
As of July 6, Kaseya said that fewer than 60 of its own customers were affected and said the critical infrastructure it protects was not at risk. REvil, which operates out of Russia but has ransomware threat actors operating in different countries, has demanded $70 million in ransom, according to a Reuters report.
The FBI and CISA have been working with Kaseya since the attack was first discovered and announced July 2, according to Deputy National Security Advisor for Cyber Anne Neuberger.
Psaki said today there have already been conversations at the national security level between America and Russia, though she reiterated both that the intelligence community is not done assessing responsibility for the attack and that there is a difference between criminal groups acting in Russia and the Russian government.
“As the President made clear to President Putin when they met, if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action, or reserve the right to take action on our own,” Psaki said. “Now in this case, … the intelligence community has not yet attributed the attack, [but] the cybersecurity community agrees that REvil operates out of Russia with affiliates around the world. So, we will continue to allow that assessment to continue. But in our conversations … we are continuing to convey that message clearly.”
CISA issued a notice of the attack July 2, and released joint guidance with the FBI on July 4 about how to best mitigate the potential intrusion. Kaseya has said there’s no evidence its codebase was affected but detailed that threat actors used zero-day exploits to get past authorization requirements.
While the true extent of the attack is hard to assess right now – because most of the damage was done downstream in the supply chain – some in the industry have ranked it as one of the worst to date.
“This is one of the worst attacks to hit the IT channel to date, and unfortunately, it won’t be the last. Kaseya is an unfortunate victim. Any vendor could be next,” MJ Shoer, a senior vice president and executive director for CompTIA, said in an email to its members. Shoer also revealed that at least one CompTIA member was among those affected by the attack.
Psaki said Biden will meet tomorrow, July 7, with the interagency group tasked with the strategic review of the rise of ransomware.
She also announced that a meeting to discuss ransomware specifically with Putin is scheduled for some time next week. That meeting may now have an additional topic of interest on top of a string of recent cyberattacks, specifically ransomware attacks, that have appeared to originate or be housed within Russian borders.