Coop's business restored within 6 days after Kaseya attack

Back in Business After the Largest Ransomware Attack of All Time

With checkouts suddenly encrypted and thousands of customers unable to pay, Swedish supermarket chain Coop was forced into an urgent, nationwide lockdown of its stores. They needed help – now. Fifteen minutes after they made the call, Truesec’s Incident Response Team got started on the case.

  • Insight

When encryption messages started to show on the displays of supermarket chain Coop’s tills and self-service checkouts, they quickly realized they were under serious threat. As troubleshooting begun, Coop had no choice but to urgently close around 700 of its 800 stores. And it was about to get worse. Not only had Coop become a victim through a third-party supply chain attack – the Kaseya attack would later be described as the largest ransomware attack of all time. Only 15 minutes after Coop made the call to Truesec, the Incident Response Team got to work – and within 6 days, all of Coop’s stores were reopened and back in business.

Friday night, July 2, 2021. Sweden is in the middle of a record heatwave. Most urban Swedes have left the cities and were instead cozied up in their cottages or enjoying the salty sea breeze in the archipelago. Supermarket chain Coop’s Chief Information Officer, Liselotte Andersson has also started her weekend activities. Still luckily unaware that those relaxing days will soon end.

With over 800 stores located all over the country, food chain Coop is one of the largest and most well-known players in Sweden. However, at 19:00 that Friday night, that “Thank God it’s Friday” feeling was nowhere to be found for the thousands of Coop customers that suddenly couldn’t pay for their weekend groceries. Encryption messages had started to show up on the displays, and the checkouts were abruptly locked.

You quickly realize that you want to be sure you’re doing the right thing and that you are not making things worse. And then when you’ve got things under control, you want to do everything right to get back in business as fast as possible.”

Liselotte Andersson, CIO at Coop

Supply Chain Attack Kaseya Forces Nationwide Lockdown of Coop’s Stores

What was going on? And was this something only affecting the stores, or could more systems be infected? How bad was it? As troubleshooting began, Coop had to temporarily close their stores. Liselotte and her team realized they needed external support to sort out this incident – quickly.

Prior to the attack, team member Erik van Woerkens, Cybersecurity Architect at Coop, had proactively researched suitable cybersecurity partners and came across Truesec. They decided to give Truesec a try.

When in the middle of a cybersecurity crisis, every minute count. Who you have by your side truly matters, and soon, Coop received an update from Truesec. The malfunction in the checkouts was due to a supply chain attack; a form of attack allowing a hacker to strike a huge number of victims in a single blow. The attack affected Coop’s checkouts, their Shop Express self-scanning services and Express checkouts, scales, gates as well as all payment management within the stores. All deliveries from Coop’s online stock were also affected by the attack. Thankfully, no other IT systems at Coop were affected, and no customer data was in any way affected.

The attack originated from a known threat actor exploited a previously unknown vulnerability in one Kaseya’s products. Although Coop didn’t directly work with the Miami-based American software company, their systems had become infected through the solutions provided by Coop’s payment systems supplier Visma Esscom, which used Kaseya’s software in its provided solutions. With about 800 stores in the country, as well as an online store, there was obviously no way to hide what was going on; neither was this ever something considered by Coop.

Incident and Crisis Management by Cybersecurity Experts

But how do you communicate in the middle of an attack? When is it secure enough to communicate? And what if what’s communicated makes things even worse? Parallel to securing and restoring Coop’s IT environment, Truesec’s team also supported, guided, and advised Coop throughout the process by complex problem solving and crisis management.

After performing the initial triage phase and assessing Coop’s capabilities for action, the CSIRT, Truesec’s Cybersecurity Incident Response Team, came up with a plan that could minimize downtime at the stores. The major plan consisted of multiple parallel workstreams that were divided into different teams. At its peak, the entire operation involved more than 300 people. Due to the combined efforts made, the forensic investigation closed on record time and the CSIRT was able to concentrate on Incident Management and automating recovery operations. One of the key gains in the approach was automating the re-installation of more than 700 store-servers with the unique settings and store information. The goal was to shorten the working hours demanded for system recovery.

Business Restored Within Days and All Stores Reopened After Six Days

For a large supermarket chain, time is money and getting back to work is crucial for both business and brand. Two days after the attack, Coop could start to reopen stores at a rapid pace. Within six days, Coop was able to reopen all their stores and welcome their customers back again. With stores all over the country, Coop’s journey to further strengthen and improve their cybersecurity continues. And going forward, it will be with their new friends at Truesec by their side.