Joe Biden has said his government is not sure who was behind a major ransomware attack that hit hundreds of US businesses – but he did not rule out Russian influence.
A “colossal and devastating” ransomware attack is thought to have paralysed the networks of at least 200 US companies.
The federal Cybersecurity and Infrastructure Security Agency has said it is closely monitoring the situation and is working with the FBI to collect more information about the impact of the attack.
President Biden said the government’s “initial thinking” is that it was not Russian hackers that was behind the attack, but adds that they “weren’t sure yet”.
The president added he has told intelligence agencies to investigate, and that if it was a Russian attack, there will be a response.
The Swedish Coop grocery store chain closed all its 800 stores on Saturday after its American IT provider was hit by the attack, leaving it unable to operate its cash registers.
John Hammond of the security firm Huntress Labs said earlier that the REvil gang, a major Russian-speaking ransomware syndicate, appears to be responsible for the attack.
REvil steals data from its targets before activating the ransomware to strengthen its extortion efforts.
Mr Hammond said the criminals targeted a software supplier called Kaseya, using its network management as a way to spread the ransomware through cloud-service providers.
“Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business,” he said on Twitter.
“This is a colossal and devastating supply chain attack.”
He added he was aware of four companies that host IT infrastructure for multiple customers being hit by the ransomware, which encrypts networks until the victims pay off attackers.
“We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted,” he said.
Experts believe the attack was deliberately timed to coincide with the 4 July holiday weekend, when less IT staff are traditionally on duty.
Such cyberattacks typically infiltrate widely-used software and spread malware as it updates automatically.
It is not yet clear how many Kaseya customers might be affected or who they might be.
Kaseya said the attack was limited to a “small number” of its customers and had urged them to immediately shut down servers running the affected software.
Privately-run Kaseya says it is based in Dublin and has its US headquarters in Miami.