Tietoevry is one of Europe's largest IT service providers. The attack's impact in Sweden was particularly severe, affecting various organizations, including Sweden's largest cinema chain Filmstaden, discount chain Rusta, as well as Swedish government agencies, municipalities and universities. In the Uppsala region, even the healthcare system was affected.
Behind the attack was the Akira ransomware group, which first appeared in March 2023. It runs double-extortion campaigns (exfiltrating data before encrypting it, then threatening to publish it) and typically gains a foothold through weaknesses at the network perimeter, frequently by exploiting vulnerabilities in Cisco VPN implementations.
According to the Swedish newspaper Dagens Nyheter, in many cases the customers' data is permanently lost: the attackers encrypted not only the customer data but also the backups that Tietoevry was contractually obligated to maintain. The head of Tietoevry Tech Services in Sweden stated that the company does not know how the criminals penetrated its IT systems or which vulnerabilities were exploited, because the attackers also encrypted Tietoevry's log files, which hampers the investigation of the incident.
This raises some critical questions:
How did the attackers gain access?
Understanding the specific vulnerabilities or methods the attackers used to penetrate Tietoevry's systems is crucial for preventing similar breaches in the future. This requires forensic analysis to trace the attackers' steps and identify the exploited weaknesses, which could range from phishing to exploitation of unpatched, internet-facing software.
Why were the backups also vulnerable to the attack?
Backups are supposed to be the last line of defence against exactly this kind of attack, so their loss points to a design weakness rather than bad luck. Established practices exist to protect them: "air gapping", which keeps one copy offline in a system that is not reachable from the production network, and the "3-2-1 backup strategy", which keeps three copies of the data on two different types of storage media, with one copy held offsite.
If backup systems are continuously synchronized with the primary data, there is a risk that encrypted or deleted files propagate to the backups before the attack is detected and contained. Without proper network segmentation, ransomware can spread from the primary storage to the backup storage. Just as important is credential separation: if the same administrative account that was compromised can also log into the backup servers, or if the account used by routine backup jobs is allowed to delete or overwrite existing backups, segmentation alone will not save the copies. An offline or immutable copy only helps if no credential reachable from the compromised environment can modify it.
Why could the log files be encrypted?
Encrypting or deleting log files is a tactic attackers use to hinder the forensic investigation that follows a cyberattack. Log files record the events and transactions that occur within an organization's systems, which makes them the primary evidence for understanding how a breach occurred and how far it spread.
Protecting log files is therefore essential for the integrity of any investigation. Several strategies help: WORM (Write Once, Read Many) storage allows data to be written once and prevents it from being modified or deleted afterwards, so an attacker who reaches the storage can add entries but cannot rewrite history.
Forwarding log records in real time to a separate, hardened collector ensures that even if the log files on the compromised hosts are encrypted, an independent copy is available for investigation and recovery. The collector must not share credentials or trust relationships with the hosts it collects from; otherwise the attacker who owns the domain also owns the copy.
Strict control over who can read, modify or delete logs, with those rights held by as few accounts as possible and separated from general administrative rights, limits the damage a single compromised account can do. Attempts to clear or stop logging should themselves raise an alert, because they usually precede the destructive phase of an attack.
How effective was the existing monitoring and alerting system?
The question is whether monitoring and alerting mechanisms were in place and how well they detected unusual activity: unauthorized access, bulk changes to data such as mass encryption of files, and tampering with backups or logs. Equally important is how quickly the alerts reached the right people and whether anyone could act on them at the time of the attack.
Improving monitoring and alerting typically involves:
- Security Information and Event Management (SIEM) to aggregate and correlate log data from many sources in near real time, so that a burst of file renames on a file server and a login from an unusual host can be seen together.
- Automated response that takes predefined actions when specific patterns are detected, such as isolating a host from the network or disabling an account.
- Redundant, independently hosted monitoring so that surveillance continues even if one monitoring system fails or is itself compromised.
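As an added example, not part of the original post and not based on any Tietoevry detection logic, the following detector runs three simple rules over constructed file-audit events of the kind a SIEM would receive: a burst of renames that all append the same new extension, a ransom-note-like file created by an account that is renaming files, and any delete or rename under a backup path. The log format, the thresholds, the host and account names and the regular expression are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Detection parameters (assumptions; tune to the environment).
WINDOW = timedelta(seconds=60)      # sliding window per (host, user)
RENAME_THRESHOLD = 5                # renames appending the same suffix within WINDOW
BACKUP_ROOTS = ("/backup/",)        # paths where deletes/renames are never routine
NOTE_RE = re.compile(r"(readme|recover|decrypt|restore|how_to)[^/]*\.(txt|html?)$", re.I)

# Constructed audit events (not real data). Assumed format:
#   <ISO-8601 time> <host> <user> <action> <path> [<new_path>]
SAMPLE_EVENTS = """\
2024-01-20T02:14:01Z fs01 alice WRITE /srv/share/hr/plan.docx
2024-01-20T02:14:03Z fs01 alice RENAME /srv/share/hr/plan.docx /srv/share/hr/plan_v2.docx
2024-01-20T02:30:00Z fs01 svc_app RENAME /srv/share/fin/q1.xlsx /srv/share/fin/q1.xlsx.enc
2024-01-20T02:30:00Z fs01 svc_app RENAME /srv/share/fin/q2.xlsx /srv/share/fin/q2.xlsx.enc
2024-01-20T02:30:01Z fs01 svc_app RENAME /srv/share/fin/budget.pptx /srv/share/fin/budget.pptx.enc
2024-01-20T02:30:01Z fs01 svc_app CREATE /srv/share/fin/readme_to_decrypt.txt
2024-01-20T02:30:02Z fs01 svc_app RENAME /srv/share/fin/ledger.db /srv/share/fin/ledger.db.enc
2024-01-20T02:30:02Z fs01 svc_app RENAME /srv/share/fin/notes.txt /srv/share/fin/notes.txt.enc
2024-01-20T02:30:03Z fs01 svc_app RENAME /srv/share/fin/contract.pdf /srv/share/fin/contract.pdf.enc
2024-01-20T02:30:04Z bak01 svc_app DELETE /backup/snapshots/2024-01-19.tar
2024-01-20T02:30:05Z bak01 svc_app RENAME /backup/snapshots/2024-01-18.tar /backup/snapshots/2024-01-18.tar.enc
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        events.append(Event(ts, parts[1], parts[2], parts[3], parts[4],
                            parts[5] if len(parts) > 5 else None))
    return events


def added_suffix(ev: Event) -> Optional[str]:
    """Suffix appended by a rename ('a.xlsx' -> 'a.xlsx.enc' gives '.enc'); None otherwise."""
    if ev.action == "RENAME" and ev.new_path and ev.new_path.startswith(ev.path + "."):
        return ev.new_path[len(ev.path):]
    return None


def detect(events: List[Event]) -> List[Dict]:
    alerts: List[Dict] = []
    windows: Dict[Tuple[str, str], deque] = defaultdict(deque)
    fired = set()   # (rule, key[, detail]) already alerted, to avoid one alert per event
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.user)
        win = windows[key]
        win.append(ev)
        while win and ev.ts - win[0].ts > WINDOW:
            win.popleft()
        # Rule 1: burst of renames by one principal that all add the same new extension.
        suffixes = [s for s in (added_suffix(e) for e in win) if s]
        if suffixes:
            top = max(set(suffixes), key=suffixes.count)
            n = suffixes.count(top)
            if n >= RENAME_THRESHOLD and ("mass_rename", key, top) not in fired:
                fired.add(("mass_rename", key, top))
                alerts.append({"rule": "mass_rename", "host": ev.host, "user": ev.user,
                               "suffix": top, "count": n, "at": ev.ts.isoformat()})
        # Rule 2: ransom-note-like file created by a principal that is also renaming files.
        if (ev.action == "CREATE" and NOTE_RE.search(ev.path) and suffixes
                and ("ransom_note", key) not in fired):
            fired.add(("ransom_note", key))
            alerts.append({"rule": "ransom_note", "host": ev.host, "user": ev.user,
                           "path": ev.path, "at": ev.ts.isoformat()})
        # Rule 3: any delete or rename inside a backup root; every instance is worth an alert.
        if ev.action in ("DELETE", "RENAME") and ev.path.startswith(BACKUP_ROOTS):
            alerts.append({"rule": "backup_tamper", "host": ev.host, "user": ev.user,
                           "action": ev.action, "path": ev.path, "at": ev.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In a real deployment these rules would feed the automated response step: the mass_rename alert is the natural trigger for isolating the host, and the backup_tamper alert should page a human regardless of hour, because by the time it fires the backups are already being destroyed.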
Further Reading
- BleepingComputer, Lawrence Abrams: Tietoevry ransomware attack causes outages for Swedish firms, cities
- ComputerBase, Marc Stöckel: Cyberangriff auf Tietoevry: Großer IT-Dienstleister verliert Kundendaten dauerhaft (Cyberattack on Tietoevry: major IT service provider permanently loses customer data)
- Tietoevry: UPDATE: Ransomware attack affecting Tietoevry's services for some customers in Sweden
- Dagens Nyheter: 20 år av data borta – hackarna kom åt säkerhetskopior (20 years of data gone: the hackers got at the backups)