SHI Malware Attack Knocks Website, Email Offline for Days

SHI Took Its Public Websites and Email Offline to Assess the System Integrity
SHI Malware Attack Knocks Website, Email Offline for Days

Adversaries targeting the IT industry have recently turned their sights upmarket, going after well-monied technology firms that manage the data and web traffic for the top of the Fortune 500.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

A New Jersey-based reseller became the latest example of the trend. SHI International this week disclosed a "coordinated and professional malware attack" that left customers scrambling to place orders and taking to Twitter to express disbelief that the website, email and landline were offline.

The company says it took its public websites and email offline after being hit with malware during the July Fourth holiday weekend to probe the incident and assess the integrity of those systems (see: Accenture: Ransomware Attack Breached Proprietary Data).

SHI is one of the 15 largest IT service providers in the world, with annual sales surging by 10% in 2021 to $12.3 billion. The firm hired 500 solution engineers in 2021 and has continued to expand internationally, opening an integration center in Singapore and preparing to launch an integration service center in the United Kingdom in spring 2022.

By Wednesday morning, SHI says, customers had full access to their account teams and specialists through either email or the phone. But the company's website remains down as of Thursday afternoon, with the SHI homepage displaying a statement about the malware attack.

"The IT teams at SHI continue to work on bringing other systems back to full availability in a secure and reliable manner," SHI writes in a blog post published Wednesday morning.

No Exfiltration of Customer Data

There is no evidence suggesting that any of SHI's 15,000 corporate, enterprise, public sector or academic customers had their data exfiltrated during the attack, according to SHI. The company says no third-party systems in its supply chain were affected. It is working with U.S. bodies such as the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency to probe the attack.

A SHI spokesperson declined to answer questions from Information Security Media Group about whether the attack involved ransomware or whether SHI paid a ransom. SHI first publicly acknowledged the malware attack in a tweet Wednesday afternoon.

"Based on the limited amount of information publicly available, it would seem as though the attack was caught quickly," Emsisoft threat analyst Brett Callow tells ISMG. "As a result, the incident was less serious than it otherwise could have been."

Caught in the Crosshairs

Despite having the resources to hire the best IT professionals and install top-notch software, IT services giants aren't impervious to the lax cyber hygiene that was often blamed for attacks on smaller MSPs. Their global customer footprint means that IT services behemoths have a much larger surface area to protect.

Vicious malware and ransomware infections have hobbled seven of the world's 50 largest global IT service providers since the start of 2020 - Accenture, Cognizant, Compucom, Conduent, DXC Technology, Tyler Technologies and now SHI.

The first victim was Teaneck, New Jersey-based Cognizant, which in April 2020 revealed it had been hit by Maze ransomware, locking up its own internal systems and hitting some of its customers. Cognizant expected it would have to spend between $50 million and $70 million on cleanup costs and also had to issue public letters to employees and customers whose personal information was taken in the attack.

Then, in June 2020, business process outsourcing superpower Conduent said its European operations had been hit with ransomware, which Emsisoft and Bad Packets said led to the leak of internal company documents on the web. Maze claimed on its data leak site in August 2020 that it had published data stolen from Florham Park, New Jersey-based Conduent, as well as copier giant Xerox and LG Electronics.

Multiple customers of systems integration behemoth DXC in July 2020 were grappling with downed systems following a ransomware attack against a subsidiary that sells insurance industry software. Tysons, Virginia-based DXC said multiple customers of its Xchanging business were hit, including Lloyd's Market Association, which provides technical support to the Lloyd's of London underwriting community.

In September 2020, Tyler Technologies was hit with ransomware in an attack that crippled its internal corporate network and phone systems and still had the company's website down two days later. The ransomware attack resulted in a $4 million reduction in sales during the second half of 2020, but the company was able to keep the malware out of its other systems.

The following March, Compucom was attacked by the DarkSide ransomware group after the hackers acquired administrative credentials for the then-Office Depot subsidiary. The company expected to spend up to $20 million on mitigation and lose up to $8 million in revenue since the ransomware attack forced Compucom to temporarily suspend certain services to certain customers during March 2021.

Finally, in August 2021, a hacker group using LockBit ransomware compromised systems integration giant Accenture and threatened to release the company's data and sell insider information. LockBit demanded $50 million in exchange for more than 6 terabytes of data and claimed it had taken advantage of credentials accessed in the cyberattack to go after Accenture's customers, which the company flatly denied.

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.