SHI International Malware Attack: 5 Big Things To Know

From delays to restoring some systems to potential impact on customers, here are five things customers and partners need to know about the recent malware cyberattack on SHI International.

The Malware Attack On SHI

A day after confirming it was hit by a “coordinated and professional malware attack” over the Fourth of July holiday weekend, IT solution provider powerhouse SHI International has remained largely mum about what’s happening.

The Somerset, N.J.-based company’s website is still largely down, except for a simple black-and-white text message posted on the website’s front page that briefly explains the nature and impact of the “recent security incident.’”

In the website message and a separate blog post, SHI—a $12 billion private company with more than 5,000 employees worldwide—tries to reassure the public that its security experts are handling the issue. It added there’s “no evidence to suggest that customer data was exfiltrated during the attack” and that “no third-party systems in the SHI supply chain were affected.”

Cyber and ransomware attacks on large MSPs like SHI as well as MSP security vendors has accelerated over the past few years.

In fact, earlier this year various government agencies from across the globe—included the FBI and National Security Agency (NSA)—warned they were observing an increase in cyberattacks targeting MSPs.

The United Kingdom, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities said they “expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,” said the cybersecurity agencies in a joint statement in May.

SHI, ranked No. 13 on CRN’s 2022 Solution Provider 500 list, provides services to more than 15,000 enterprise, public sector and academic customer organizations around the world.

CRN breaks down the five biggest things SHI customers and partners need to know about the malware attack and the thoughts of security experts about the nature of the attack.

Delay In Restoring Some Systems: It May Be A Good Sign

SHI says the “coordinated and professional malware attack” occurred over the Fourth of July holiday weekend. It doesn’t say which day or days, specifically.

The company praised the “quick reaction of the security and IT teams at SHI” for identifying the attack and taking immediate action.

“These preventative measures included taking some systems, including SHI’s public websites and email, offline while the attack was investigated and the integrity of those systems was assessed.”

Though the company said that its staff has access to email again and that the firm “continues to work on bringing back other systems back to full availability in a secure and reliable manner,” the company’s website remained down as of early afternoon on Thursday.

Kevin McDonald, the COO and CISO at Alvaka Networks, an advance network service provider, said it’s actually a “good sign” that some of SHI’s internal systems are still down. Why? Because it may indicate the firm is being thorough in its review of software and in addressing real and potential problems tied to the attack.

Too often, companies that get attacked put too high a premium on getting systems back up, rather than making sure they’re safe, said McDonald.

“Nothing about the delay in restoring services surprises me,” he said of SHI’s apparent slow recovery of services. “I’m actually encouraged by what I’m seeing.”

Impact On Customers: What ‘No Evidence’ Of Theft May Really Mean

In SHI’s message about the incident, the company tries to reassure customers that their data and systems are safe, saying there’s “no evidence to suggest that customer data was exfiltrated during the attack. No third-party systems in the SHI supply chain were affected.”

Alvaka Networks’ McDonald said the words “no evidence” can be a little slippery since there’s also “no evidence” that data wasn’t stolen, etc. In other words, it may be too early to say what the impact might be on customers.

Still, McDonald said he thinks there’s a good chance SHI successfully isolated networks (also known as “network segregation”) in order to contain the attack and protect its clients.

“My hunch is that it wasn’t the nightmare scenario” that the attackers intended, he said.

SHI Attack Shows MSPs Are Becoming A Favorite Target

The malware attack hitting SHI’s network is yet another sign that MSPs are becoming a favorite target of hackers as MSPs often hold and manage vast amounts of customer data and critical information.

Many of the largest MSPs and MSPs security vendors have been breached by cyber criminals over the past two years.

In fact, SHI’s July 4 holiday weekend attack is somewhat similar to last year’s massive July 4 weekend breach on Kaseya.

A group of cyber criminals knows as the REvil gang exploited a vulnerability in Kaseya’s on-premise VSA remote monitoring and management (RMM) tool over the holiday weekend in 2021. The breach compromised nearly 60 MSPs and encrypted the data to demand ransom payments from up to 1,500 of their end user customers.

REvil also demanded $70 million from Kaseya to decrypt victim files.

Similar attacks on large MSPs are occurring at a fast rate.

One of the largest MSPs and service providers in the world, Accenture, was hit last year by a ransomware attack, with the hackers reportedly gaining access through an airport that was using Accenture software and encrypted its systems.

The cybercriminal group, known as LockBit, demanded a $50 million ransom payment to stop the leak of 6 terabytes of data they had allegedly stolen from Accenture.

Danny Jenkins, CEO of the innovative cybersecurity firm ThreatLocker, says MSPs—not large government and financial institutions—are the new ransomware target for hackers.

“Something changed in the last decade where these hackers realized … [MSPs] don’t have nearly the security that Bank of America or the Department of Defense does,” Jenkins told an audience of MSPs at a CRN conference in October. “With a little bit of planning, I can figure out what security software they use, figure out what their staff is like, figure out who they do business with, and now, I can send them direct emails.”

Who Launched The Attack?

It’s not clear what SHI meant when it described the attack as “coordinated and professional,” the latter word being a somewhat odd way to describe likely criminal activity.

In any event, it’s easy to jump to the conclusion that an apparently sophisticated attack was launched by sophisticated attackers, such as nation-state or other bad threat actors. That may well be the case here.

Then again, a “low-level attacker” might have just lucked out and found a way into SHI’s system, perhaps finding a vulnerability left behind by one of SHI’s 5,000 employees, McDonald said.

But McDonald noted the odds are that SHI was indeed targeted by sophisticated bad actors.

He also said it’s likely that it wasn’t just a malware attack – but an all-out ransomware attack that may or may not have been thwarted by SHI.

“It often turns out that malware attacks are indeed (extortion) plays,” he said, whose company has experts on ransomware attacks,

What Are The Feds Doing?

In its message to the public, SHI said it’s “liaising with federal bodies including the FBI and CISA.”

So this must mean this is a serious situation needing serious involvement of serious players to combat a serious cyberthreat. Right? Probably. But not necessarily.

McDonald says companies hit by cyberattacks will often mention that law enforcement agencies have been contacted, as a way to reassure the public that they’re taking steps to address a problem.

“It’s a great way to make people feel warm and fuzzy,” he said.

Still, McDonald noted that New Jersey-based SHI is a very large IT player in America – and that he wouldn’t be surprised if the company called in the FBI and CISA calvary.

CRN did seek comment from the FBI and CISA about the SHI case, but has yet to hear back from the federal agencies.