Computer code in Kaseya attack avoided Russian systems

Last week, service provider Kaseya suffered a huge ransomware attack, touted as the biggest the world has ever seen. Since then, new developments have emerged and new facts are coming to light. One of them is that the computer code behind the ransomware attack, orchestrated by the Russia-linked hacking group REvil, had been written to avoid systems that primarily use Russian or related languages. The finding comes from a report published by a cybersecurity firm and was first covered by NBC News.


Kaseya ransomware attack
Image Credits: Kaseya

To Avoid Local Ire

The firm in question is Trustwave SpiderLabs, which holds that the code was designed this way so as not to interfere with the day-to-day functioning of local authorities, something that would probably have invited action against the group otherwise. The malware mostly avoided systems whose language settings matched any of the following: Russian, Belarusian, Armenian, Tatar, Uzbek, Tajik, Ukrainian, Azerbaijani, Romanian, Kyrgyz, Turkmen, Georgian, Syriac, Russian (Moldova), Kazakh, and Syriac (Arabic).

This is yet another claim supporting the theory that most ransomware attacks occurring anywhere in the world can eventually be traced back to Russia. Discussions at the White House, which recently decided to start treating ransomware attacks as threats to national security, are increasingly turning towards possible offensive cyber operations against Russia.

US Taking Offense?

As US President Joe Biden said on Tuesday, the government has yet to ascertain beyond doubt where the attack on Kaseya originated. While it did not have too big an impact on daily life in the States, many other countries, including New Zealand and Sweden, were among the worst hit, as around 1,500 organizations across the globe felt the effects.

What is even more disturbing to the authorities is the never-seen-before sophistication with which this particular operation was carried out. An IT firm was infected through a specific, previously unknown vulnerability. The IT firm then spread the infection to hundreds of its direct customers, which in turn transmitted it to their end users.

Colonial was under ransomware attack
Image Credits: Colonial Pipeline

The attack by REvil came just months after another large-scale ransomware attack had shaken the US. Back then, DarkSide, another hacking group with links to Russia (which has reportedly since disbanded), had claimed responsibility for infiltrating the systems at Colonial Pipeline, which caused a complete shutdown and resulted in soaring fuel prices across the country.