Ransomware attack affecting Tietoevry's services to some customers in Sweden

tietoevry.com

49 points by zyberzero 2 years ago · 21 comments

rightbyte 2 years ago

Tietoevry is one of these firms MBAs use to dismantle the IT department and outsource it to.

I've always thought these centralized points of failure are a bad idea.

  • thejackgoode 2 years ago

    With extra sauce of numerous mergers and rebrandings. So, every 3 to 7 years, this phoenix of shit is reborn.

    • jruohonen 2 years ago

      > With extra sauce of numerous mergers and rebrandings

      That's actually a good hypothesis that hasn't been examined before, I believe.

      • CRConrad 2 years ago

        TBF, it's been called Tieto-something for thirty years or so. The most recent merger is visible as a suffix until the next one. Except if there isn't one for a while, then they revert to just Tieto after a few years.

        Source: Worked at "TT Tietotehdas" (organic part of the name, not a suffix, AIUI) in 1996 and have had to do with it every now and then after that.

        • thejackgoode 2 years ago

          On the “suffix” side there was EDB -> rebranded EDB -> EDBErgoGroup -> Evry in several years. Also changed hands following the loss of a major customer in 2015 before being merged with Tieto.

        • jruohonen 2 years ago

          Sure, but I wasn't thinking about this particular case but more generally. We have all sorts of results already on M&As from which to draw.

filleokus 2 years ago

Seen people speculate online that everything in AS25473 and AS34950 is affected, and that unpatched Ivanti Endpoint Manager Mobile could be the entry point https://www.shodan.io/host/193.8.33.135

Not sure how credible that is? I don't understand how that could take down the whole data center.

cxcorp 2 years ago

BleepingComputer's coverage[1] has this tidbit:

> BleepingComputer has been told that the Akira ransomware operation is behind the attack on Tietoevry, coming soon after the Finnish government warned about their ongoing attacks against companies in the country.

> "The incidents were particularly related to weakly secured Cisco VPN implementations or their unpatched vulnerabilities. Recovery is usually hard," warned the Finnish NCSC.

I wonder what the entry point was back in 2021 when they were attacked around the same time?

[1]: https://www.bleepingcomputer.com/news/security/tietoevry-ran...

rasse 2 years ago

Probably unrelated, but their software offering in healthcare is riddled with bad practices.

  • ptaipale 2 years ago

    Certainly unrelated. And when compared to the biggest competition (Apotti/Epic) it's a shining light of sanity... though some other providers have better user experiences.

jruohonen 2 years ago

"One of Tietoevry’s several datacenters in Sweden has become partially subject to a ransomware attack."

Sounds bad.

  • zyberzero (OP) 2 years ago

    Yeah. From what I know at least Filmstaden (Sweden's biggest cinema chain, owned by AMC) can’t sell a thing right now. No tickets can be sold at all, and no snacks can be sold at the cinema either :(

    Rusta is another affected store chain. I guess there are a lot more affected customers unknown to the public right now.

    • CRConrad 2 years ago

      In a meeting right now, team lead just recounted how she'd had to pay in cash at Rusta (Espoo, I assume) yesterday or the other day because card payment wasn't working. "I was lucky to happen to have cash on me, others turned around and left."

    • gerikson 2 years ago

      Granngården is another.

      • zyberzero (OP) 2 years ago

        Yeah, and parts of Vellinge Kommun as well. Apparently a lot of their day-to-day systems are affected [0].

        Also, an HR system called Primula is affected. It is mostly used by universities from what I can gather.

        [0] = https://www.dn.se/sverige/it-attacken-paverkar-myndigheter-o... (Swedish, one of the biggest newspapers in Sweden)

        • qxfys 2 years ago

          lol yeah. Primula is affected. So no one can apply for vacation, business travel, reimbursement, or even parental leave.

          Time to work work work work..

  • tgsovlerkhgsel 2 years ago

    It only affecting one datacenter is good news, IMO:

    It makes it likely that the attackers didn't breach Tietoevry itself, or that they had only very limited access (unless Tietoevry has incredibly good separation between business units, so that only a small subset is affected).

    That increases the chance that the customers have to deal with an outage, not an outage followed by ransom demands and their customer data being leaked.

    • cotillion 2 years ago

      They obviously had no separation at all between customers within the DC though. Which is worrying.

      • drumlinpasta 2 years ago

        At the moment word is that attackers encrypted Tietoevry's hypervisor platform (Hyper-V, vSphere or KVM not known) which was hosting multiple customers' VMs. So attackers breached Tietoevry's management network, not customer networks.

      • throwawaynorway 2 years ago

        TietoEvry do the same in Norway, where accounts are prefixed with customer name.
