Biden orders probe into ransomware attack on hundreds of US businesses

Russia-linked REvil gang suspected culprits of large-scale attack


President Joe Biden said on Saturday he has directed US intelligence agencies to investigate who was behind a sophisticated ransomware attack that hit hundreds of American businesses and led to suspicions of Russian gang involvement.

Security firm Huntress Labs said on Friday it believed the Russia-linked REvil ransomware gang was to blame for the latest ransomware outbreak. Last month, the FBI blamed the same group for paralysing meat packer JBS SA.

Mr Biden, on a visit to Michigan to promote his vaccination programme, was asked about the hack while shopping for pies at a cherry orchard market.

He said “we're not certain” who is behind the attack. “The initial thinking was it was not the Russian government but we're not sure yet,” he said.

Mr Biden said he had directed US intelligence agencies to investigate, and the United States will respond if they determine Russia is to blame.

During a summit in Geneva on June 16, Mr Biden urged Russian President Vladimir Putin to crack down on hackers operating from Russia, and warned of consequences if such ransomware attacks continued to proliferate.

Mr Biden said he would receive a briefing about the latest attack on Sunday.

“If it is either with the knowledge of and/or a consequence of Russia then I told Putin we will respond,” Mr Biden said.

But Republicans were quick to pounce on Mr Biden, accusing him of being “weak” on Russia.

“Remember when President Biden gave Putin a list of things that were supposed to be off-limits for cyber attacks? What he SHOULD have said is that ALL American targets are off-limits,” Republican House leader Kevin McCarthy tweeted on Saturday, before accusing him of showing weakness against Mr Putin.

The hackers who struck on Friday hijacked widely used technology management software from a Miami-based supplier called Kaseya. They changed a Kaseya tool called VSA, used by companies that manage technology at smaller businesses. They then encrypted the files of those providers' customers simultaneously.

Huntress said it was tracking eight managed service providers that had been used to infect some 200 clients.

Kaseya said on its own website on Friday that it was investigating a “potential attack” on VSA, which is used by IT professionals to manage servers, desktops, network devices and printers.

“This is a colossal and devastating supply chain attack,” Huntress senior security researcher John Hammond said in an email, referring to an increasingly high-profile technique in which attackers compromise one piece of software to reach hundreds or thousands of its users at a time.

In a statement on Friday, the US Cybersecurity and Infrastructure Security Agency said it was “taking action to understand and address the recent supply-chain ransomware attack” against Kaseya's VSA product.

The Federal Bureau of Investigation (FBI) said it is investigating the situation and contacting those who could have been targeted.

“We encourage all who might be affected to employ the recommended mitigations and for users to follow Kaseya's guidance to shut down VSA servers immediately,” the FBI added.

Some experts said the timing of the attack, on the Friday before a long US holiday weekend, was aimed at spreading it as quickly as possible while employees were away from the job.

“What we are seeing now in terms of victims is likely just the tip of the iceberg,” said Adam Meyers, senior vice president of security company CrowdStrike.

Swedish businesses are also feeling the impact of the hack. One of Sweden's biggest grocery chains, Coop, said a tool used to remotely update its checkout tills was affected by the attack, so payments could not be taken.

“We have been troubleshooting and restoring all night, but have communicated that we will need to keep the stores closed today,” Coop spokesperson Therese Knapp told Swedish Television.

The Swedish news agency TT said Kaseya technology was used by the Swedish company Visma Esscom, which manages servers and devices for a number of Swedish businesses.

State railways services and a pharmacy chain also suffered disruption.

“They have been hit in various degrees,” Visma Esscom chief executive Fabian Mogren told TT.

Defence Minister Peter Hultqvist told Swedish television the attack was “very dangerous” and showed how business and state agencies needed to improve their preparedness.

Supply chain attacks have crept to the top of the cybersecurity agenda after the United States accused hackers of operating at the Russian government's direction and tampering with a network monitoring tool built by Texas software firm SolarWinds.

On Thursday, US and British authorities said Russian spies accused of interfering in the 2016 US presidential election have spent much of the past two years abusing virtual private networks (VPNs) to target hundreds of organisations worldwide.

On Friday, Russia's embassy in Washington denied that charge.

Updated: July 4th 2021, 2:15 PM