In early July, a group of hackers known as REvil targeted Kaseya Ltd. in a widespread ransomware attack. Kaseya's VSA software is used by many companies to provide computer management services – resulting in an easy gateway to even more potential victims.
REvil claims to have infected a total of 1 million computers, but many cybersecurity experts believe that's a vast overestimate, citing the number closer to 40,000 computers worldwide. Those computers are tied to organizations including a large New Jersey educational services company, an outpatient surgical center in South Carolina, and one of Sweden's largest grocery chains, Coop.
This supply-chain attack is being called the largest and most significant in history, and the hackers are demanding a $70 million Bitcoin payment as ransom. While the ransom has reportedly not been paid, Kaseya's customers are on the slow road to recovery – thanks in part to swift responses from the FBI, President Joe Biden, and CISA.
It's evident that, when an attack or hack occurs, large companies and utilities have significant support. But, around the world, individuals are fighting their own personal wars against hackers and other forms of corruption. Often, they aren't offered the same resources. This is the story of one of those victims.
Over the same weekend, Kaseya was hacked, George* was facing his own cyber attack – and finding it almost impossible to get help.
The first attack
Things started going wrong long before the July 4th holiday weekend.
On April 25, 2021, George* checked his bank balance and noticed a pending withdrawal in the amount of $700 payable to the cryptocurrency and money exchange site Uphold. George logged into his Uphold account and found that someone had purchased the cryptocurrencies Dogecoin and Ethereum with the money.
George called his bank and had them place a cancel order on the $700 transaction. He then sent a customer support ticket to Uphold, asking them to stop the transaction and letting them know that his account on their site, and possibly the accounts of others, had been compromised.
Additionally, George filed a complaint with the FBI's cybersecurity reporting site ic3.gov and thought no more of the matter.
The second attack
On July 2, 2021, George received an email from the cryptocurrency exchange site Bittrex, informing him that someone had recently logged into his account. George hadn't been on Bittrex in a while; however, when he logged in, he saw that someone had sold all of the Bitcoin he held on the site and converted it into the cryptocurrency Tether. That person had then transferred the cryptocurrency to an address outside of Bittrex, making it unrecoverable.
The third attack
The day after the theft on Bitrex, George logged into Facebook and found that a page he had set up for a potential new business had been commandeered, and now displayed text written in the Cyrillic alphabet. George was so alarmed by this that he deleted the page – so unfortunately we can't show you what it looked like.
Even more incredibly, whoever had commandeered George's page was attempting to set up a Facebook ads campaign. Fortunately, Facebook had noticed something amiss and had balked at the attempt. The hacker then responded via email, stating that he had provided all the necessary documentation. George immediately changed his Facebook password, and he set up two-factor authentication on the site.
How did this happen?
Like many of us, George uses his email address and the same password on multiple sites. For example:
Password: Fred (the name of George's first dog).
If one of those sites gets hacked, or the user is a victim of phishing, then hackers the world over have that combination of username and password, which they are free to try out on multiple other sites. To see if your information has been compromised, you can go to a site such as Have I Been Pwned?
Here are just some of the data breaches that might have exposed George's email and password combination:
While the amount that was stolen from Bitrex wasn't large, George states that he felt like someone had come into his home and stolen from him. He immediately began checking the logins on all his accounts, especially those that involved documents or money.
That's when he says he found that his OneDrive cloud storage account had been accessed from the same IP address that had accessed Bittrex. Microsoft OneDrive is a file hosting and synchronization service that is operated by Microsoft as part of its web version of Office, and it is ubiquitous on Windows devices.
George's OneDrive account contained files that included many of his passwords, banking information, and tax returns.
George was able to see the Internet Protocol (IP) address from which the hacker was operating, and he traced it to the internet service provider (ISP) Midcontinent Communications, which is based in Sioux Falls, South Dakota.
Of course, tracing the IP address doesn't mean that the hacker is physically located somewhere near Topeka, Kansas, he could be using a Virtual Private Network (VPN) and be located anywhere in the world. He could also have taken over a legitimate user's computer, making it a "zombie," and be using it to launch his attacks.
On July 5, 2021, on George's behalf, we contacted Midcontinent Communications through their online chat forum, where we were able to interact with a representative.
Interesting Engineering: I have a security issue coming from Midco, before I report it to the Sioux Falls police and the FBI, I wanted to talk to someone at your company.
Roz (Midcontinent Communications): Hi, this is Roz with Midco! That's definitely not good that you're having security issues with us. I can absolutely do my best to help, may I know who I'm speaking with?
IE: [George's] computer was hacked starting in June from an IP address traceable to Midco. Just three days ago, [George] experienced the hacker stealing money out of one of [his] accounts. I have screen grabs of the hacker's activity.
R(MC): That's awful! I'm sorry to hear that you're being targeted like this. In this situation, the best thing to do is to file a police report, as we're not allowed to divulge information about other people's IP addresses unless it's to the police for an open case. Once we've been contacted by the police about the situation, we'll be able to take action from there.
IE: Roz, are you telling me that Midco doesn't have a Security Division that deals with this sort of thing?
R(MC): We absolutely have a security division, but it's policy to only accept information requests and take action based on police reports, as people have tried to commit fraudulent activity about such things in the past.
However, when the Sioux City Police Department was contacted, they stated that they don't handle cybercrimes and that George's only recourse was to file a report on the FBI's ic3.gov website.
This raised an obvious question: If the Sioux City Police Department doesn't handle cybercrimes, how exactly is a police report to be filed so that Midcontinent Communications can begin to examine the alleged hacker's behavior?
Another question is: How many other of Midcontinent's accounts have been hacked?
Who is responsible?
For this article, we attempted to reach Midcontinent Communications for comment but were unable to reach anyone via phone after the initial online chat. Their virtual assistant feature provided the following:
Midco: Hi, I'm Midco's virtual assistant. I'm here to help! I'd like to get to know you better. What’s your first name?
Interesting Engineering: I chatted with Roz on July 5, 2021. I'm a journalist with Interesting Engineering. We have a story coming out tomorrow in which we mention Midco, and I'm reaching out to someone at Midco for comment.
M: Are you currently a Midco customer? Select one:
M: Got it! Are you inquiring about services at your home or business? Select one:
M: Sorry. I didn't quite understand. (I'm still learning. 😃) What would you like to do?
IE: I would like to speak to someone.
M: Got it. Let’s get you to the next available expert. 😀
No one responded from that point on, confirming that some companies make it extremely difficult to speak to one of their human representatives. If companies, such as Midcontinent Communications, make it impossible to report hacking coming from one of the IP addresses they administer, that leaves everyone in jeopardy.
If local police departments fail to take a police report, or even an informational report, much less follow up on cases of theft by identify theft, more people will lose more money. We reached out to the Sioux Falls Police Department for comment on this article, and we spoke to the Front Desk Information Officer. When asked if he had any comment, he said, "No", then he refused to provide either his name or his badge number.
What you can do
While George reached out to us, he is certainly not the only one who is experiencing personal hacks and cyber attacks. According to Have I Been Pwned? 11,417,410,545 accounts have been compromised. Further, a Clark School study at the University of Maryland hacks occur every 39 seconds on average, affecting one in three Americans annually.
If you believe any of your accounts have been compromised, it's best to change your passwords, alert your banks, and be sure you've set up two-factor authentication. Proactively, learn how to spot a phishing attack, get a password manager, and scan your devices for viruses.
We're all vulnerable to cyber attacks – just like George. His story is unfortunately far from unique. More than ever, we need to look out for ourselves to avoid a similar fate. Especially if we can't get the help we need.
*Names have been changed to protect the identities of the individuals in this story.