A Swedish supermarket chain had to close more than half of its stores over the weekend as one of the biggest cyber-attacks in history disabled its self-service checkouts and tills.
Coop Sweden said that it was forced to shut down some 500 stores after it fell victim to an unusually sophisticated hack attack, which is believed to have been carried out by the Russia-linked ransomware gang REvil.
Ransomware attacks typically use encryption tools to lock away a company’s data and then demand a ransom payment in order to regain access.
The attack did not target Coop Sweden directly, but instead hijacked a desktop management tool used by the supermarket chain and infected it with a malicious update.
Thousands of businesses have been affected by the digital disease, but the shutdown of tills and self-service checkouts at Coop’s supermarkets reflects how cyber-attacks are increasingly having a direct impact on consumers.
"One of our subcontractors was hit by a digital attack, and that’s why our checkouts aren’t working any more," Coop Sweden, which accounts for around 20 per cent of the country’s supermarket sector, said in a statement.
"We regret the situation and will do all we can to reopen swiftly," it added, without identifying the type of malware which had been used in the attack.
Therese Kapp, a Coop Sweden spokeswoman, said that despite a night of "troubleshooting and restoring" the stores would have to remain closed on Sunday.
According to TT, a Swedish news agency, railway services and a Swedish pharmaceutical chain had also been affected by the cyber-attack. They relied on the same desktop management tool as Coop, which is provided by the US tech firm Kaseya – the primary target of the attack.
Cyber security experts have warned that the major attack was designed to cause as much chaos as possible, as it was launched just before the start of a long weekend of July 4th celebrations in the United States.
"What we are seeing now in terms of victims is likely just the tip of the iceberg," said Adam Meyers, the senior vice president of security firm CrowdStrike.
"This attack didn’t involve just the network, but also the point of sale and the edge devices, affecting actual operations and putting the organisation under blackout," said Natali Tshuva, the CEO of Israeli cyber-security firm Sternum. "This emphasizes the need to secure and mitigate supply-chain risks."
In a statement late on Saturday, the FBI said it was investigating the attack along with the U.S. Cybersecurity and Infrastructure Security Agency [CISA].
"We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya’s guidance to shut down VSA servers immediately," the CISA said.
Defence Minister Peter Hultqvist told Swedish television the attack was "very dangerous" and showed how business and state agencies needed to improve their preparedness.
"In a different geopolitical situation, it may be government actors who attack us in this way in order to shut down society and create chaos," he said.
Kaseya, which is based in Miami, said it was working with the FBI and that only about 40 of its customers were directly impacted. It did not comment on how many of those were providers that in turn spread the malicious software to others.
However, one cybersecurity firm, Huntress Labs, has warned that the attack was designed to wreak havoc on as many as a thousand businesses.
Brett Callow, an analyst for cybersecurity company Emsisoft, said the scale of attack could be "without precedent."
President Joe Biden has ordered a full investigation into the cyber-attack and has said he believes that there was Russian involvement, though he added that "the initial thinking was it was not the Russian government."
Speaking to reporters on Saturday, he added: "I’ll know better tomorrow, and if it is either with the knowledge of and, or, a consequence of Russia, then I told Putin we will respond."