Coop supermarket, Sweden
Image: Bene Riobó / Wikimedia Commons / CC BY-SA 4.0

Swedish supermarket chain Coop responds to cyberattack

Coop, one of Sweden's largest supermarket chains, said it is dealing with a cyberattack affecting stores in the county of Värmland.

A ransomware gang named Cactus claimed it attacked the company on December 29. In a statement to Recorded Future News, a spokesperson explained that Coop Värmland was the target of the attack.

Coop runs consumer cooperative-owned grocery stores throughout Sweden, and Coop Värmland is collectively owned by that county’s nearly 300,000 residents. The Värmland branch runs 44 supermarkets and 17 other smaller grocery stores.

“We can confirm that Coop Värmland has experienced a cyberattack. Upon detection, external expertise was engaged, and they promptly initiated intensive efforts, primarily focused on closing the vulnerabilities where intrusions occurred,” the spokesperson said.

“The current assessment indicates that these vulnerabilities have been successfully addressed. The work has been ongoing since the occurrence and has persisted throughout the Christmas holiday.”

Local news outlets said the attack began on December 22, when all of the Coop Värmland outlets could not take card payments.

The Coop Värmland website still has a temporary page confirming that they are dealing with a cyberattack but noting that their stores are still open.

The company urged customers to contact their nearest store through Facebook if they have questions. The page provides other ways customers can contact them for specific orders or questions about changes to the rewards program.

This is not Coop’s first run-in with ransomware. In 2021, it was affected by the large ransomware attack on Kaseya, a provider of remote management app solutions.

As a result of that attack, Coop was forced to shut down nearly 800 stores across the country.

The Cactus ransomware gang did not say how much data was stolen or how large of a ransom was being demanded.

The gang previously gained notoriety for its attack on Americold, the world’s largest publicly traded real estate investment trust focused on temperature-controlled warehouses.

Cybersecurity researchers previously told BleepingComputer that Cactus emerged in March and focused on exploiting vulnerabilities in virtual private network appliances to gain initial access to the networks of large companies.

Incident response firm Dragos also said it is increasingly seeing Cactus ransomware used in attacks on industrial organizations, impacting industrial control systems equipment, and the manufacturing and engineering sectors.

In December, Microsoft said that the group is using malware distributed through online advertisements to infect victims.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.