What do we know about the cyberattack that forced hundreds of Swedish supermarkets to close?

AFP/The Local
AFP/The Local - [email protected]
What do we know about the cyberattack that forced hundreds of Swedish supermarkets to close?
A closed Coop store in Stockholm. Photo: Ali Lorestani/TT

Swedish supermarket chain Coop was forced to shut around 800 stores after a major cyberattack which has potentially also hit more than 1,000 companies worldwide.


Hackers are demanding $70 million in bitcoin in exchange for data stolen in the ransomware attack against Miami-based IT company Kaseya.

But what exactly is a ransomware attack, and who is behind this one? Here are some key questions about the attack, which has paralysed businesses since Friday.


How bad is it?

Ciaran Martin, cybersecurity professor at the University of Oxford, said this was "probably the biggest ransomware attack of all time", although the full scale of the damage remains unclear.

Kaseya says only "a very small number" of its direct customers were affected.

But Kaseya's clients include many smaller companies which in turn provide IT support to other businesses.

Huntress Labs, a cybersecurity firm working with partners targeted in the attack, has said it believes more than 1,000 companies may have been hit overall.

Among them are Swedish supermarket Coop, which has been forced to close hundreds of stores over the past three days after the hack pushed its checkouts offline.

Hackers claiming responsibility for the attack said they had infected "more than a million systems".


Why attack Kaseya?

This was what is known as a "supply chain attack", allowing the hackers to strike a huge number of victims with a single blow.

Kaseya provides IT services for some 40,000 small and medium-sized businesses worldwide – including smaller firms that manage the computers of other firms.

"It's using software that is used by many businesses in order to penetrate their networks," said French cybersecurity expert Loic Guezo, drawing a parallel with the spectacular attack against software firm SolarWinds last year.

Martin said that merging a supply chain attack with the motivation of extortion was new.

Most previous supply chain attacks, including SolarWinds, have been motivated by espionage, he said.

"Here, instead of getting that large-scale access to spy, they did it to deploy ransomware."


What's a ransomware attack?

Ransomware attacks typically involve locking away companies' or individuals' data using encryption, then making them pay to regain access.

Such digital hostage-taking is increasingly common. Last year alone, at least $18 billion was sent to hackers using ransomware, according to security firm Emsisoft.

"One of the things we've seen with ransomware over the past year or two is that the business model has got really sophisticated," Martin said.

"The hackers are researching targets and seeing if they've got insurance policies, so they can calculate what an affordable payout is."

Payments are usually demanded in cryptocurrency such as bitcoin, which helps perpetrators stay anonymous.

In this case the hackers are believed to be seeking ransoms of between $50,000 and $5 million from individual victims as well as the eye catching $70 million lump sum, Martin said.

The United States has found itself a particular target of ransomware attacks in recent months, including against SolarWinds and the Colonial oil pipeline.

The FBI has blamed those attacks on Russia-based hackers, and US President Joe Biden raised the issue with his counterpart Vladimir Putin at their summit last month.

Moscow, suspected of turning a blind eye to the hackers or even encouraging them, denies any involvement.

Who's behind the Kaseya attack?

Numerous experts have pointed the finger at a Russian-speaking hacking group known as REvil.

The demand for $70 million was posted on Happy Blog, a site on the dark web previously associated with REvil, who are also known as Sodinokibi.

The FBI believes REvil were also behind last month's attack on global meat processing giant JBS, which ended with the Brazil-based company paying bitcoin worth $11 million to the hackers.

REvil, who first emerged around 2019, work as part of a collective, sometimes sharing both their ransomware and their loot with other hackers who take part in the same attack.

They are seen as among the most dangerous ransomware attackers out there, carrying out around 29 percent of such attacks in 2020, according to a recent report by IBM's Security X-Force unit.

That report estimated that REvil took ransoms worth at least $123 million in 2020.

We'll be discussing this topic in more depth in the next episode of The Local's Sweden in Focus podcast on Saturday. Click HERE to listen.


Join the conversation in our comments section below. Share your own views and experience and if you have a question or suggestion for our journalists then email us at [email protected].
Please keep comments civil, constructive and on topic – and make sure to read our terms of use before getting involved.

Please log in to leave a comment.

See Also