In early July, software firm Kaseya confirmed it was struck by a “sophisticated cyberattack” that impacted users of its VSA software everywhere. The REvil threat group exploited a zero-day vulnerability (CVE-2021-30116) in the on-premises Kaseya VSA server, initiating a supply-chain attack that claimed around 2,000 victims globally (most of whom were customers of Kaseya’s clients).
The Kaseya attack was especially impactful because of the volume of managed service providers (MSPs) using the firm’s software, which would have increased during the coronavirus pandemic. Cyberattackers seeking to scale their strikes needed to hit just one major software firm, such as Kaseya or SolarWinds, to reach into countless other businesses supported by MSPs using those tools.
Ben Hockman, our in-house Crisis Management and Response Subject Matter Expert, said, “If you view a supply chain as a big funnel, this attack hits the top of it. In these cases, the impacts further down the funnel are more complex to predict, detect, and respond to. In the case of Kaseya, the bottom of the impacted supply chain transcends from the cyber world into the physical – for example, customers being unable to purchase food from a retailer. And retail is just one component of a national and international agricultural and food supply chain, all potentially impacted collaterally by attacking the top of the funnel.”
REvil demanded $70 million for the stolen data’s return, forcing Kaseya into a tough (but all too familiar) situation. When quizzed on Kaseya’s stance, CEO Fred Voccola said, “I can’t comment yes, no, or maybe. No comment on anything to do with negotiating with terrorists in any way.”
Ransom payment is a hotly debated topic owing to the legal, ethical, and financial implications of such decisions (something we discuss at length here). If you pay, you perpetuate the ransomware trade; if you refuse, your business might not recover. How organizations communicate during an attack is therefore crucial.
While some firms opt to guard their secrets, those who are transparent typically fare better. Norsk Hydro is lauded as the cyber crisis response gold standard because it ditched the “sophisticated attack” rhetoric for cold, hard facts. More recently, FireEye was hacked by what it deemed nation-state hackers who stole some of its red team tools. Instead of hiding the facts or attempting to appease customers, spokesperson Sarah Coutermarsh said, “We’re actively investigating this incident with our partners at Microsoft and coordinating with the FBI. Please know that there may be some delay in our ability to share that information, as we do not want to do anything to interfere with the ability of the FBI to conduct its separate, ongoing investigation. We want to be absolutely certain we obtain all the evidence available to us to further advance this case, and some disclosures at this point would jeopardize that collection.”
Kaseya took a more personable approach with its comms; it vowed to provide cash assistance to customers but acknowledged this was not a panacea. Voccola said, “Throwing money at problems is not a way to solve them, [but] it is better than not throwing money at them. We are doing what we can do.” He also expressed remorse, adding, “I feel like I let this community down, I let my company down, our company let you down. I am not reading off a script. This is not BS – this is the reality.”
Communication, however, is just one facet of an organization’s crisis response.
Dive into the Kaseya crisis with the Cyber Crisis Simulator
During any cyberattack, the crisis management team must consider not only plans, policies, and procedures but also the people, political, technical, social, legal, regulatory, economic, financial, and commercial impacts. It must therefore practice and develop human factors such as situational awareness, communications, decision making, resource management, and teamwork. Effective pre-crisis planning involves uniting stakeholders, experiences, and skills from within (and sometimes outside) the business so that key areas are represented in the risk and crisis preparation, response, and recovery processes. Core crisis management teams typically incorporate legal, PR, HR, security, finance, and operations staff – so the best training systems are those that take a holistic approach, viewing crises through the lens of organizational impact.
We created our latest multirole simulation, Kaseya MSP Hack: Food Supply Chain Crisis, with this in mind. The sim puts your organization’s response unit in charge of American supermarket chain FreshCo, which mimics the Swedish Coop supermarkets forced to close because of the Kaseya hack. The scenario begins when you receive countrywide reports from stores that point-of-sale systems are failing. With stores unable to process customer payments and self-service tills also impacted, your team must limit the operational and reputational damage of the attack while managing customers and the media.
Our browser-based solution challenges your team to make critical decisions when dealing with emerging incidents and works on the principle that simulations are the best way to equip your people. Practical exercises such as our Kaseya-inspired sim build muscle memory in preparation for the real thing, honing crucial skills such as situational awareness, leadership, and decision making.
To see the Cyber Crisis Simulator in action, book a demo today.