Internet service provider RSAWeb has confirmed that the major network disruption it faced last week – and is still dealing with today – was caused by a “highly sophisticated cyberattack”.
That’s according to a MyBroadband report which cites a letter from RSAWeb CEO Rudy van Staden sent to the provider’s clients on Sunday evening.
The truth doesn’t always set you free
RSAWeb, and by extension all of its customers, hasn’t had a great February so far. Last week Wednesday, 1 February, the ISP reported a “service-impacting event” affecting its core systems, fibre, web hosting, mobile, and VoIP and PBX (private branch exchange) services. By the end of the week, many of those services were still down.
Although the company provided regular updates via its status page and Twitter and Facebook accounts, it gave little indication of the root cause or severity of the problem. Nor did it provide most of its customers with a concrete timeline for repair completion. That makes a whole lot more sense now.
As you may or may not know, a ransomware attack usually involves an attacker, or a criminal group, gaining access to a victim’s systems, encrypting whatever data they can reach, and then demanding payment for the decryption key. Many groups also copy data out of the network before encrypting it, so that they can threaten to leak it if the ransom isn’t paid.
If that sounds like gibberish, imagine someone breaking into your home when you aren’t there, changing all the locks, and then charging you millions for the new keys.
According to MyBroadband, the company alerted its biggest business customers last week that it was the target of a ransomware attack and it was working to decrypt and recover customer data. In this case, the public radio silence from RSAWeb makes sense.
In the home analogy, if you’re locked out and trying to change the locks from the outside to regain access, you don’t want whoever is still inside to know what you’re doing until it’s done, or at least until you’ve made some progress. Announcing it would make you a target not only for those inside but also for any opportunists walking past. The same goes for a company recovering from a ransomware attack: describing the attack in public while the attackers may still be in the network, and before systems are patched and rebuilt, can tip them off and invite others to try the same entry point.
Clean up on aisle RSAWeb
Van Staden’s email reportedly states the provider was targeted in a “highly sophisticated cyberattack.” When it became aware of the attack, it immediately took steps to contain the threat and secure its systems.
“Given the sophisticated nature of this attack, the recovery process is highly complex. We are currently in the process of restoring these services and expect to have the majority of these customers restored within the next 24 hours, with the remainder thereafter.”
Thankfully, Van Staden reportedly does not believe the attacker(s) had access to any customer or employee data that could be used to target users through social engineering methods like phishing scams. Assessments made while an incident is still being contained are often revised once forensic analysis is complete, so customers would still do well to treat unexpected emails or calls claiming to be from RSAWeb with suspicion.
RSAWeb has not yet disclosed the specifics of the attack, which, as usual, invites speculation. The leading online theory is that the attackers exploited a vulnerability in VMware ESXi, the hypervisor that many hosting providers run their virtual machines on, to gain remote access to RSAWeb’s systems. If that was the case, let’s hope every other local ISP running ESXi has since patched its hosts and made sure the hypervisor’s management interfaces are not reachable from the internet.
If the theory is correct, it is also good news for RSAWeb and its customers: the vulnerability is well documented, and there are published steps that victims of this particular attack can follow to restore encrypted data, which is hopefully what the company is busy with now. Such recovery steps depend on weaknesses in one specific strain of ransomware, though, and are no substitute for tested, offline backups.