Coop's business restored within 6 days after Kaseya attack

Back in Business After the Largest Ransomware Attack of All Time

With checkouts suddenly encrypted and thousands of customers unable to pay, Swedish supermarket chain Coop was forced into an urgent, nationwide lockdown of its stores. They needed help – now. Fifteen minutes after they made the call, Truesec’s Incident Response Team got started on the case.

Thanks to Truesec’s know-how, ways of working and calm approach, we managed to handle this cyber attack in an impressive way. It’s an almost priceless experience, to be honest.

Liselotte Andersson

CIO at Coop

It’s not a matter of if an attack will happen, as much as when it will happen. And when it does, it is such an intense situation. Especially when it is an attack of such a large scale as it was for us; it really brings another dimension to things.

Liselotte Andersson

CIO at Coop

Even if we weren’t a customer when we first got in touch with Truesec - within about fifteen minutes, they’d already set up our first meeting.

Erik van Woerkens

Cybersecurity Architect at Coop


When encryption messages started to show on the displays of supermarket chain Coop’s tills and self-service checkouts, they quickly realized they were under serious threat. As troubleshooting began, Coop had no choice but to urgently close around 700 of its 800 stores. And it was about to get worse. Not only had Coop become a victim through a third-party supply chain attack – the Kaseya attack would later be described as the largest ransomware attack of all time. Only 15 minutes after Coop made the call to Truesec, the Incident Response Team got to work – and within 6 days, all of Coop’s stores were reopened and back in business.

Friday night, July 2, 2021. Sweden is in the middle of a record heatwave. Most urban Swedes have left the cities and are instead cozied up in their cottages or enjoying the salty sea breeze in the archipelago. Supermarket chain Coop’s Chief Information Officer, Liselotte Andersson, has also started her weekend activities, still luckily unaware that those relaxing days will soon end.

With over 800 stores located all over the country, the food chain Coop is one of the largest and most well-known players in Sweden. However, at 19:00 that Friday night, that “Thank God it’s Friday” feeling was nowhere to be found for the thousands of Coop customers who suddenly couldn’t pay for their weekend groceries. Encryption messages had started to show up on the displays, and the checkouts were abruptly locked.

"You quickly realize that you want to be sure you’re doing the right thing and that you are not making things worse. And then, when you’ve got things under control, you want to do everything right to get back in business as fast as possible."
Liselotte Andersson, CIO at Coop

Kaseya Supply Chain Attack Forces Nationwide Lockdown of Coop's Stores

What was going on? And was this something only affecting the stores, or could more systems be infected? How bad was it? As troubleshooting began, Coop had to temporarily close their stores. Liselotte and her team realized they needed external support to sort out this incident – quickly.

Prior to the attack, team member Erik van Woerkens, Cybersecurity Architect at Coop, had proactively researched suitable cybersecurity partners and come across Truesec. They decided to give Truesec a try.

In the middle of a cybersecurity crisis, every minute counts. Who you have by your side truly matters, and soon, Coop received an update from Truesec. The malfunction in the checkouts was due to a supply chain attack, a form of attack that allows a hacker to strike a huge number of victims in a single blow. The attack affected Coop’s checkouts, their Shop Express self-scanning services and Express checkouts, scales, and gates, as well as all payment management within the stores. All deliveries from Coop’s online stock were also affected by the attack. Thankfully, no other IT systems at Coop were affected, and no customer data was in any way affected.

The attack originated from a known threat actor that exploited a previously unknown vulnerability in one of Kaseya’s products. Although Coop didn’t directly work with the Miami-based American software company, their systems had become infected through the solutions provided by Coop’s payment systems supplier Visma Esscom, which used Kaseya’s software in its provided solutions. With about 800 stores in the country, as well as an online store, there was obviously no way to hide what was going on, nor was hiding it ever something Coop considered.

Incident and Crisis Management by Cybersecurity Experts

But how do you communicate in the middle of an attack? When is it secure enough to communicate? And what if what’s communicated makes things even worse? In parallel with securing and restoring Coop’s IT environment, Truesec’s team also supported, guided, and advised Coop throughout the process through complex problem-solving and crisis management.

After performing the initial triage phase and assessing Coop’s capabilities for action, the CSIRT, Truesec’s Cybersecurity Incident Response Team, came up with a plan that could minimize downtime at the stores. The plan consisted of multiple parallel workstreams divided among different teams. At its peak, the entire operation involved more than 300 people. Thanks to the combined efforts, the forensic investigation closed in record time and the CSIRT was able to concentrate on Incident Management and automating recovery operations. One of the key gains in the approach was automating the re-installation of more than 700 store servers with unique settings and store information. The goal was to reduce the working hours required for system recovery.

Business Restored Within Days, and All Stores Reopened After Six Days

For a large supermarket chain, time is money, and getting back to work is crucial for both business and brand. Two days after the attack, Coop could start to reopen stores at a rapid pace. Within six days, Coop was able to reopen all their stores and welcome their customers back again. With stores all over the country, Coop’s journey to further strengthen and improve its cybersecurity continues. And going forward, it will be with their new friends at Truesec by their side.

How Truesec Helped Coop Through the Attack

  • Incident Management
  • Forensics
  • Recovery
  • Complex problem solving
  • Crisis Management and Communication

"All the guidance, all the support we received from Truesec during that journey? Wonderful! Absolutely amazing. Truesec knew exactly what to do, when to do it and how to do it."

Liselotte Andersson

CIO at Coop

About Coop

One of Sweden's Most Well-Known Supermarket Chains
  • With roots dating back to 1899, supermarket chain Coop is today one of Sweden’s most well-known and trusted brands. In terms of number of stores, Coop is currently the second-largest industry player in Sweden.
  • In 2020, there were a total of 832 Coop stores in Sweden, and Coop held a 20 percent market share. The Coop Group’s turnover amounted to 7 billion SEK.
  • Coop’s largest owner is Kooperativa Förbundet (KF). KF is an economic association with 39 consumer-owned companies and associations as its clients.
  • Coop Sweden is responsible for the development and purchase of the product range, logistics, marketing and communications, and business support for Coop’s stores in Sweden.

Managing Cybersecurity?

Here’s Coop’s Best Advice for IT Departments and Decision-Makers:
  • The Kaseya attack ought to have put cybersecurity on every management’s and board’s agendas. Use this knowledge and the current momentum to your organization’s advantage. If you become the victim of an attack, how would you handle it? Would you have done it even better than we did, or would you perhaps have had a worse scenario? Now is your chance to act and bring up the discussion!
  • There’s no such thing as 100 percent security. We could not have done anything to prevent what happened to us. However, our journey to improve our IT security and fail less continues, and we know now we ought to have a partner with us – to make it as good as we possibly can.
  • Remember your responsibility as a buyer. Whether your software is produced in-house or purchased externally, make sure you fully understand how your software works. Both from a technical point of view and regarding overall security and potential vulnerabilities.
  • Don’t be ashamed if you’ve been the victim of an attack. Today, IT is a crucial part of all businesses, thus involved and integrated in most processes. How ought one to stay on track with everything, catching up with the innovation pace as well as maintaining old systems? It is indeed a big challenge for all of us. Dare to be open and honest about what’s going on.
