Swedish supermarket chain Coop has shut down approximately 500 stores after they were affected by an REvil ransomware attack targeting managed service providers through a supply-chain attack.
Coop Sweden says it closed more than half of its 800 stores on Friday after point-of-sale tills and self-service checkouts stopped working.
The supermarket was not itself targeted by hackers – but is one of a growing number of organizations affected by an attack on a large software supplier the company uses indirectly.
Cyber-security firm Huntress Labs said the hack targeted Florida-based IT company Kaseya before spreading through corporate networks that use its software. The firm believes the Russia-linked REvil ransomware gang was responsible.
Kaseya said in a statement on its own website that it was investigating a “potential attack”.
A spokeswoman for Coop Sweden told the BBC: “We first noticed problems in a small number of stores on Friday evening around 6:30 pm so we closed those stores early. Then overnight we realized it was much bigger and we took the decision not to open most of our stores this morning so that our teams could work out how to fix it.
“The whole paying system at our tills and our self-service checkouts stopped working so we need time to reboot the system.”
It’s understood that Coop doesn’t use Kesaya directly on it’s systems but that one of their software providers does.
The case highlights the growing concern in the cyber-security world about so-called supply chain attacks where hackers are able to claim multiple victims by attacking their suppliers.
The US Cybersecurity and Infrastructure Agency, a federal body, said in a statement that it was taking action to address the attack and urging users of the Kesaya software to shut it down.
The UK’s National Cyber Security Centre said: “We are aware of a cyber incident involving Kaseya, and we are working to fully understand its impact.
“Ransomware is a growing, global cyber threat, and all organisations should take immediate steps to limit risk and follow our advice on how to put in place robust defences to protect their networks.”
The cyber-breach looks to have been timed for maximum disruption as it emerged on Friday afternoon when companies across the US were clocking off for the long Independence Day weekend.
Kaseya is urging customers that use its VSA tool to immediately shut down their servers.
Kaseya said in its statement that a “small number” of companies had been affected, though Huntress Labs said the number was greater than 200.
Kaseya’s website says it has a presence in more than 10 countries and over 10,000 customers.
