IKEA hit by ongoing email cyber attack campaign

Evidence suggests that IKEA’s on-premises Microsoft Exchange servers may have been compromised by threat actors.

Furniture giant IKEA confirmed that it was hit by a wave of email reply-chain cyberattacks that targeted the company’s internal mailboxes, as well as those of IKEA’s suppliers and business partners, BleepingComputer reports.

Attackers carry out reply-chain attacks by gaining access to genuine corporate emails via hacked employee email accounts or breached internal servers, and then replying to them with malicious attachments or links. Threat actors tend to craft such malicious phishing emails to look like they come from trusted colleagues, which greatly increases their chance of successfully infecting an employee’s device.

Internal IKEA emails seen by BleepingComputer confirm that was aware of the ongoing reply-chain campaign and warned its employees about the cyberattack.

“There is an ongoing cyberattack that is targeting Inter Ikea mailboxes,” IKEA said in the email sent to staff. “Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA. This means that the attack can come via email from someone that you work with, from any external organization, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.”

Possible similarities with MS Exchange server attack

According to BleepingComputer, the reply-chain campaign carried out against IKEA shares certain similarities with the infamous Microsoft Exchange server attack earlier this year, which affected at least 30,000 organizations in the US alone.

“While IKEA has not responded to our emails about the attack and has not disclosed to employees whether internal servers were compromised, it appears that they are suffering from a similar attack,” states the BleepingComputer report.

The report notes that other reply-chain attacks have been observed installing the Qbot trojan “and possibly Emotet” on the compromised devices, which could lead to further openings in an organization’s networks that could result in ransomware deployments.

While IKEA confirmed that an investigation into the cyber incident has been launched by the company, the full scope of the breach is not yet known.