Employees warned Kaseya’s higher-ups for years about critical security flaws in its software, but their concerns were brushed off, former workers told Bloomberg. Several staffers quit in frustration or were fired after repeatedly sounding the alarm about failings in the IT firm’s cybersecurity practices. Now, Kaseya is at the center of a massive ransomware attack that’s ensnared more than 1,000 companies worldwide.
Between 2017 and 2020, employees reported “wide-ranging cybersecurity concerns” to their superiors, claiming that Kaseya used outdated code, implemented poor encryption, and didn’t routinely patch its software and servers, Bloomberg reports. That’s according to five former Kaseya employees who spoke with the outlet under the condition of anonymity because they had signed non-disclosure agreements or feared retaliation.
Two former employees said they warned executives about vulnerabilities in Kaseya’s antiquated Virtual System Administrator (VSA) software—the system that hackers hijacked to launch this latest attack—which was supposedly so riddled with problems that they wanted it replaced. Kaseya’s customers, companies known as managed service providers or MSPs, provide remote IT services to hundreds of smaller businesses and use VSA servers to manage and send software updates to these clients.
According to initial reports, hackers gained access to Kaseya’s backend infrastructure to send malware disguised as a software update to VSA servers running on client premises. From there, they used the malicious update to install ransomware on every workstation connected to those VSA systems. The Russia-linked ransomware gang REvil has taken credit for this attack and is asking for a $70 million ransom to unlock all affected computers.
One former employee told Bloomberg that in 2019 he sent Kaseya higher-ups a 40-page memo outlining his security concerns, one of several attempts he made during his tenure to convince company leaders to address such issues. He was fired two weeks later, a decision he believes was related to these efforts, he said in an interview with the outlet. Others quit out of frustration after Kaseya appeared to focus on rolling out new product features over addressing existing vulnerabilities.
Another former employee claimed Kaseya stored unencrypted customer passwords on third-party platforms and rarely patched its software or servers. When the company began laying off employees in 2018 to outsource their jobs to Belarus, four of the five workers Bloomberg spoke with said they saw this decision as a potential security risk given Russia’s influence over the country.
Kaseya’s software had even been exploited in ransomware attacks before—at least twice between 2018 and 2019, according to the employees. Bafflingly, that still wasn’t enough to convince the company to rethink its cybersecurity standards.
When reached for comment about these claims from its ex-staffers, Kaseya provided the following statement to Gizmodo:
“Kaseya’s focus is on the customers who have been affected and the people who have actual data and are trying to get to the bottom of it, not on random speculation by former employees or the wider world.”
Nonetheless, hackers have exploited vulnerabilities similar to the ones described here to launch wide-scale attacks before, so the employees’ claims aren’t that hard to believe. In December, SolarWinds was also targeted in a supply chain attack, in which hackers exploit security vulnerabilities at a third-party software vendor in order to reach that vendor’s customers. Up to 18,000 of its customers were compromised, including many major U.S. federal agencies and businesses.