SHI Calls In Forensic Expert, Law Enforcement After Cyberattack

The giant IT service provider acknowledges it’s still trying to ‘restore our systems and business processes’ nearly a week after the attack.

SHI International is confirming that it’s brought in a forensic service provider and law enforcement to help investigate last weekend’s major cyberattack that continues to plague the giant IT services provider.

In a blog post and new message posted on its website late Friday afternoon, Somerset, N.J.-based SHI, one of the largest IT service providers in the world, tried to reassure customers and others that it’s working to resolve issues related to the “cybersecurity incident over the 4th of July weekend.”

The message added: “We are working with a forensic service provider and law enforcement to investigate the incident. At this time, we have no evidence that any sensitive customer data was compromised.”

[RELATED STORY: SHI INTERNATIONAL MALWARE ATTACK: 5 BIG THINGS TO KNOW]

The company did not identify the forensic services company nor the law enforcement authorities involved.

With the exception of its web front page where it has now posted two messages related to the cyberattack, SHI’s website was still largely down as of late Saturday afternoon EST.

It’s unclear what other SHI systems and services might still be experiencing disruptions.

But SHI’s message on Friday indicated that more than just its website is down.

“We continue to work as quickly as possible to restore our systems and business processes,” SHI stated on Friday. “As those systems are restored, precautionary steps are being taken to verify their integrity.”

SHI has previously said in a statement, first reported on July 6, that there was “no evidence” that customer data had been exfiltrated during the initial attack over the July Fourth holiday weekend – and it largely repeated that message again on Friday.

“We take the protection of our customer and business data very seriously,” SHI said in its Friday message.

The company concluded: “We will continue to provide updates directly to customers and partners as new information becomes available.”

The firm has about out 15,000 corporate, public sector and other customers around the world.

SHI first confirmed this past Wednesday that its systems had been hacked over the holiday weekend, saying that it had been a “target of a coordinated and professional malware attack.”

In that initial message, the company said it was “liaising with federal bodies including the FBI and CISA.”

In response to a CRN inquiry, a spokeswoman at the Cybersecurity and Infrastructure Security Agency (CISA) said the agency was referring questions “back to the company for this inquiry.”

The FBI has yet to respond to CRN’s inquiry about the SHI attack.

Kevin McDonald, the COO and CISO at Alvaka Networks, an advanced network service provider, said it’s a good sign that SHI is bringing in a forensics expert. He said it shows the firm wants to know exactly what a happened over the Fourth of July weekend – and whether a threat actor was still lurking somewhere in its systems.

“I’m happy to see it,” he said of SHI calling in help.

Still, the fact it needs investigative help also indicates that there are still many unknowns associated with the attack.

“Anytime you bring in a (forensic expert) it means that they are concerned and not sure what the threat vector was,” said McDonald, who praised SHI for thoroughly probing the incident before restoring all its systems.

McDonald, whose firm specializes in responding to ransomware attacks, also said he wouldn’t be surprised if it turns out the SHI attack was really some sort of extortion scheme, and not just an attempt at a malware-related data breach.

The SHI incident comes as service providers, including MSPs, are facing increasing cyber-threats around the world.

Chester Wisniewski, principal research scientist at Sophos, said he couldn’t comment on the SHI case due to his firm’s commercial relationship with the company.

But in a statement to CRN, he noted in general cyber-threats are increasing against MSPs and other service providers.

“As more organizations are looking to external providers to provide them with security services and out-sourced SOC operations, some criminal groups have recognized the opportunity to have larger impacts by targeting managed service providers,” he said in the statement. “Sometimes this allows for higher ransom amounts due to the pressure to return these services to their previously functioning state, other times it is to target their downstream customers.”

He concluded: “All types of service providers should be on guard for these types of attacks, not just in the IT space, as we have seen how disruptive and costly these attacks have been around the world, from oil pipelines to payroll processing, service providers have an outsized impact when their operations are disrupted by these ruthless criminal gangs.”