Managed Service Providers as an Attack Entry Point: The Weakest Link in the Digital Supply Chain?

2026-05-27

Introduction

Managed Service Providers (MSPs) sit at the very heart of modern IT ecosystems. They manage infrastructure, security, and operations for thousands of organisations, often with privileged access (elevated permissions and authority that allow them to carry out high-impact actions) across multiple environments. This has made them indispensable to much of the IT industry, but the same access also makes them dangerous. Over the past years MSPs have shifted from being targets in themselves to being used as entry points into many other victims: entry points that, because of the privileged access involved, can lead to significant impact.

This shift represents an evolution in the nature of cyber attacks. While many are still directed at single, specific entities, a growing share now target shared services in order to exploit their interconnected nature. According to BreachSense, 30% of all attacks now involve third parties. In the past years, high-profile incidents such as the Kaseya VSA attack have shown how effectively bad actors can exploit these systems: the attack surface is no longer limited to one victim but runs deep, leveraging the interconnected nature of MSPs.


Why MSPs Are Attractive Targets

MSPs are attractive targets because they offer a combination of trust, access and scale.

Broadly speaking, MSPs will operate within a trusted relationship with the environments they service. This means that the actions they carry out (such as rolling out software updates or changing configurations) are usually allowed to happen with much less scrutiny or interference than those of other external actors due to a pre-existing assumption of legitimacy.

Additionally, MSPs often use one, or a small number of, centralised tools to provide their services to their customer base. This centralised access point results in bad actors only needing to carry out an attack on a single point to gain access to multiple victims through one pipeline (rather than carrying out multiple individualised attacks).

Finally, MSPs often service tens, hundreds or even thousands of clients. As a result, the scale of a successful attack can be orders of magnitude greater than the traditional one-to-one scale of attacker to victim.

Taken together, this combination of trust, centralised access, and scale creates a powerful “triple threat” that makes MSPs highly attractive to threat actors. In recent years, several high-profile incidents (particularly involving ransomware groups) have demonstrated how compromising an MSP can serve as an efficient entry point into dozens or even hundreds of organisations simultaneously.


Significant Events - MSPs and beyond

Kaseya VSA

In 2021, the information security world witnessed a defining example of ransomware crews targeting MSPs, and the resulting ripple effect across connected organisations.

In July 2021, the REvil ransomware group (also known as Sodinokibi) exploited a zero-day vulnerability (a flaw not known to the vendor and therefore unpatched) in Kaseya’s Virtual System Administrator (VSA) tool. This platform was widely used by MSPs to manage client environments and, among other functions, to deploy software updates and perform remote administration.

REvil leveraged this access to distribute malicious code via the platform’s trusted update mechanism, ultimately compromising around 50–60 MSPs. In turn, these MSPs enabled the infection of over 1,000 organisations across multiple countries. This incident clearly demonstrated how ransomware could be propagated across a vast attack surface via a single, well-targeted intrusion.

The impact of the attack was significant and triggered a swift, coordinated international response. In October 2021 (three months after the Kaseya incident and five months after the high-profile Colonial Pipeline attack) it was reported that a multinational law enforcement effort had disrupted REvil’s infrastructure and operations. Although the group resurfaced briefly in 2022, the takedown marked a major moment in the international response to ransomware-as-a-service operations.


Akira

More recent ransomware activity demonstrates that this model has not only persisted but matured. Since emerging in March 2023, the Akira ransomware group has targeted managed service providers and IT service organisations as part of a broader effort to maximise the scale and impact of its attacks. Threat intelligence and industry analysis indicate that Akira operators have targeted MSPs including organisations such as Hitachi Vantara and Toppan Next Tech, recognising that compromising a single provider can enable access to multiple downstream client environments.

In contrast to earlier high-profile attacks that relied on software exploitation, Akira now frequently gains initial access through stolen or reused administrative credentials and vulnerable VPN infrastructure. This allows the attackers to operate inside trusted environments using legitimate access, often moving across interconnected systems before deploying their ransomware. The targeting of MSPs in this way reflects a broader shift in attacker strategy: rather than breaching organisations individually, ransomware groups are increasingly exploiting centralised service providers to amplify reach, efficiency, and financial return.


MOVEit

Taken together, these examples demonstrate a clear pattern: attackers increasingly focus on compromising centralised points of trust to maximise the scale and efficiency of their operations. While MSPs are a natural target due to their privileged access to multiple client environments, any shared platform or service that sits between organisations and their data can serve a similar role.

This approach has been increasingly applied to widely deployed software and data transfer platforms. The exploitation of MOVEit in 2023 provides a clear example. In late May 2023, the Cl0p ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer platform, a widely used managed file transfer solution for exchanging sensitive data.

By targeting this single vulnerability, attackers were able to exfiltrate massive amounts of data without needing to compromise each victim individually. Thousands of organisations were affected globally, including high-profile entities such as the BBC, British Airways, Boots, and multiple government agencies.

Crucially, many organisations were impacted indirectly, via third-party providers that relied on MOVEit, creating a cascading effect across supply chains. This demonstrates that the same principles underpinning MSP attacks (trust, centralisation, and scale) apply equally to widely deployed software platforms, where a single compromise can expose large numbers of downstream organisations.


Snowflake

The 2024 Snowflake incident represents a further evolution of this model, shifting the attack surface from software to identity. Rather than exploiting a vulnerability, attackers accessed customer environments using stolen credentials (often obtained from infostealer malware), which allowed them to log in as legitimate users and so sidestep the security controls that would be triggered by an attempt to break in by force.

From this position, they were able to exfiltrate large volumes of sensitive data from multiple organisations, including high-profile victims such as Ticketmaster and Santander.

Unlike the earlier examples, Snowflake itself was not directly breached; instead, attackers exploited weak identity controls across its customer base. This highlights a critical shift: the principles of trust and centralisation now extend to identity, where a single compromised account can provide access to vast amounts of data across multiple organisations.

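Both the Akira section (stolen or reused administrative credentials) and the Snowflake section (valid credentials from infostealer logs, no vulnerability exploited) come down to the same defensive problem: the login succeeds, so nothing "breaks", and the only signals left are the identity controls around it. The following is an added example, not code from WhiteBlueOcean or from any of the vendors named in the article. It runs a small detection over constructed authentication events and flags successful logins that used no MFA or came from a network the account has never used before, and it separately reports source addresses that authenticated as more than one account, which is the centralisation signal this article is about. The log format, field names, account names and baseline networks are all invented for the example.

```python
"""
Identity-layer detection over authentication events (added example).

Flags successful logins that (a) did not use MFA or (b) originated from a
network the account has no history of using, and reports source IPs that
authenticated as several accounts. Field names, accounts, networks and the
JSON-lines log format are constructed for illustration only.
"""
import ipaddress
import json

# Constructed baseline: networks each account normally authenticates from.
# In practice this would be learned from historical logs or an allowlist.
KNOWN_NETWORKS = {
    "svc-msp-rmm": ["203.0.113.0/24"],   # hypothetical MSP tooling account
    "analyst.jane": ["198.51.100.0/24"],
}

# Constructed sample events (documentation-range IPs, placeholder timestamps).
SAMPLE_LOG = """\
{"ts": "2024-05-20T08:01:12Z", "user": "analyst.jane", "src_ip": "198.51.100.17", "result": "success", "mfa": true}
{"ts": "2024-05-20T08:04:40Z", "user": "analyst.jane", "src_ip": "192.0.2.44", "result": "success", "mfa": false}
{"ts": "2024-05-20T09:15:03Z", "user": "svc-msp-rmm", "src_ip": "203.0.113.9", "result": "success", "mfa": false}
{"ts": "2024-05-20T09:16:55Z", "user": "svc-msp-rmm", "src_ip": "192.0.2.44", "result": "success", "mfa": false}
{"ts": "2024-05-20T09:20:00Z", "user": "unknown.bob", "src_ip": "192.0.2.44", "result": "failure", "mfa": false}
"""


def parse_events(text):
    """Parse JSON-lines authentication events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_known_network(user, ip):
    """True if ip falls inside any baseline network recorded for user."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in KNOWN_NETWORKS.get(user, []))


def classify(event):
    """Return the reasons a successful login is suspicious (empty list if none).

    Failed logins are deliberately ignored: the concern in credential-based
    intrusions is the login that succeeds, not the ones that fail.
    """
    if event["result"] != "success":
        return []
    reasons = []
    if not event["mfa"]:
        reasons.append("no_mfa")
    if not in_known_network(event["user"], event["src_ip"]):
        reasons.append("new_network")
    return reasons


def find_suspicious_logins(text):
    """Run classify() over every event and collect the flagged ones."""
    findings = []
    for ev in parse_events(text):
        reasons = classify(ev)
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


def shared_source_ips(text):
    """Source IPs that successfully authenticated as more than one account.

    One address logging in as several identities is the pattern behind
    'one compromise, many victims' and is worth reviewing on its own.
    """
    users_by_ip = {}
    for ev in parse_events(text):
        if ev["result"] == "success":
            users_by_ip.setdefault(ev["src_ip"], set()).add(ev["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print("SUSPICIOUS", finding)
    for ip, users in shared_source_ips(SAMPLE_LOG).items():
        print("SHARED SOURCE", ip, "->", users)
```

On the constructed data the script flags three successful logins and reports one address that authenticated as both the analyst and the MSP service account. The "no_mfa" hit on the service account from its own known network is the kind of finding a team would tune rather than suppress: a tooling account that cannot do MFA is exactly the account whose network restrictions and credential rotation need to be tight.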

Rounding Up

When looked at holistically, these incidents show a fundamental shift in how cyber attacks are designed and executed. From Kaseya’s exploitation of MSP infrastructure to MOVEit’s compromise of widely trusted software, and Snowflake’s abuse of identity itself, attackers have consistently moved towards targeting centralised points of trust that sit between organisations and their data. In each case, the objective is the same: maximise reach, efficiency, and impact by compromising a single point that connects to many.

This evolution reflects a broader reality of modern enterprise environments. As organisations increasingly rely on shared platforms, service providers, and identity-based access models, the attack surface is no longer defined by individual systems, but by the relationships and dependencies between them. As a result, the most effective attacks are no longer those that penetrate a single perimeter, but those that exploit the trust embedded within interconnected ecosystems. Organisations must therefore shift their defensive focus accordingly: away from isolated controls and towards securing the shared layers of trust that underpin their operations.

WhiteBlueOcean frequently observes data sourced from infostealer malware being widely shared across criminal forums, with some vendors offering so-called “cloud log” access for a fee, providing continuous access to compromised credentials and session data. This data often includes active session tokens, allowing attackers to bypass traditional authentication controls and further obscure their entry points.

The barrier to entry for threat actors is steadily decreasing, while organisations must contend with an increasingly complex and persistent threat landscape. In the aftermath of incidents such as those described above, we have observed significant volumes of stolen data being distributed when ransoms are not paid, alongside a continuous flow of newly compromised information. This highlights the ongoing and systemic nature of the challenge, in which defensive efforts must adapt to a constantly evolving attack ecosystem.


References:
https://en.wikipedia.org/wiki/Kaseya_VSA_ransomware_attack
https://www.breachsense.com/blog/supply-chain-attack-examples/
https://www.attackiq.com/2021/07/13/the-kaseya-vsa-revil-ransomware-supply-chain-attack-how-it-happened-how-it-could-have-been-avoided/
https://cybernews.com/security/kaseya-ransomware-attack-heres-what-you-need-to-know/
https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/
https://www.darkreading.com/threat-intelligence/revil-revival-ransomware-gangs-gone
https://infosectoday.com/ransomware-operations/akira-and-lynx-ransomware-are-targeting-managed-service-providers-msps-by-exploiting-stolen-login-credentials-and-existing-vulnerabilities/
https://www.veeam.com/blog/akira-ransomware.html
https://www.acronis.com/en/tru/posts/msps-a-top-target-for-akira-and-lynx-ransomware/
https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html
https://www.cybersecuritydive.com/news/moveit-breach-timeline/687417/
https://www.lepide.com/blog/the-moveit-attack-explained/
https://www.ncsc.gov.uk/information/moveit-vulnerability
https://thecyberexpress.com/snowflake-breach-victims-165-organizations/
https://en.wikipedia.org/wiki/Snowflake_data_breach
https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach
