Hundreds of businesses around the world, including one of Sweden’s largest grocery chains, grappled on Saturday with potential cybersecurity vulnerabilities after a software provider that provides services to more than 40,000 organizations, Kaseya, said it had been the victim of a “sophisticated cyberattack.”
Security researchers said the attack may have been carried out by REvil, a Russian cybercriminal group that the F.B.I. has said was behind the hacking of the world’s largest meat processor, JBS, in May.
In Sweden, the grocery retailer Coop was forced to close at least 800 stores on Saturday, according to Sebastian Elfors, a cybersecurity researcher for the security company Yubico. Outside Coop stores, signs turned customers away: “We have been hit by a large IT disturbance and our systems do not work.”
Mr. Elfors said a Swedish railway and a major pharmacy chain had also been affected by the Kaseya attack. “It’s totally devastating,” he said.
Asked about the cyberattack after he landed in Michigan on Saturday on a trip to celebrate Covid-19’s retreat in the United States, President Biden said he had been delayed in getting off the plane because he was being briefed about the attack. He said he had directed the “full resources of the federal government” to investigate. “The initial thinking was it was not the Russian government, but we’re not sure yet,” he said.
Victims of the breach were hit through a Kaseya software update, Kevin Beaumont, a threat researcher, said. Instead of getting Kaseya’s latest update, they received REvil’s ransomware. Kaseya was initially breached through a previously unknown vulnerability in its systems — known as a “zero day” because when such vulnerabilities are discovered, software makers have zero days to fix it. In the meantime, cybercriminals and spies can use the vulnerability to wreak havoc.
Mr. Beaumont said the attack marked a serious escalation in the tactics of ransomware gangs. In previous attacks, REvil was known to break in through a combination of phishing, stolen passwords or a lack of multifactor authentication.
Dutch researchers said they had reported the vulnerability to Kaseya, but the company was still working on a patch when it was breached and its software updates were compromised, according to people briefed on the timeline.
The attack became public on Friday, when Kaseya said that it was investigating the possibility that it had been the victim of a cyberattack. The company urged customers that use its systems management platform, called VSA, to immediately shut down their servers to avoid the possibility of being compromised by attackers.
“We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only,” Kaseya posted on its website, referring to organizations that keep their software at their own sites rather than housing it with a cloud provider. “We are in the process of investigating the root cause of the incident with the utmost vigilance.”
Fred Voccola, Kaseya’s chief executive, said in a statement on Saturday that less than 40 customers had been affected by the attack, but those customers include so-called managed service providers, which can each provide security and tech tools to dozens or even hundreds of companies.
That has magnified the attack’s severity, said John Hammond, a researcher at the cybersecurity company Huntress Labs.
“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Mr. Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
Some of the affected companies were being asked for $5 million in ransom, Mr. Hammond said. Thousands of companies were at risk, he said.
The United States Cybersecurity and Infrastructure Security Agency described the incident in a statement on its website on Friday as a “supply-chain ransomware attack.” It urged Kaseya’s customers to shut down their servers and said it was investigating.
Hackers have carried out a slate of prominent cyberattacks against U.S. companies in recent months, including JBS and Colonial Pipeline, which moves fuel along the East Coast. Both were ransomware attacks, in which hackers try to shut down systems until a ransom is paid. The video game company Electronic Arts was also recently hacked, but its data was not held for ransom.
Nicole Perlroth and David E. Sanger contributed reporting.