Clop cyber gang claims MOVEit attack and starts harassing victims

The Clop cyber extortion and ransomware operation is demanding organisations pay a ransom to avoid data stolen via an exploited vulnerability in a file transfer product being leaked

The Clop (aka Cl0p) cyber extortion gang has confirmed it is behind a series of major security breaches at organisations compromised via a SQL injection vulnerability in Progress Software’s MOVEit file transfer product, and is threatening to start publishing the data it has stolen in seven days’ time.

Among the organisations blackmailed by the Russia-based cyber criminals are the BBC, Boots and British Airways (BA), all of which appear to have been victimised through MOVEit user Zellis, a supplier of payroll and human resources software and services. The data of more than100,000 individual employees across all three organisations is thought to have been stolen.

Other known victims compromised via Zellis include the University of Rochester in the state of New York, and the provincial government of Nova Scotia in Canada.

In a statement posted to its dark web leak site, which has been reviewed by Computer Weekly, Clop’s operatives – who continue to labour under the delusion that they are providing penetration testing services – stated that the gang had stolen data from hundreds of companies.

“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit. We are the only one who perform such attack and relax because your data is safe,” the operative wrote.

The Clop gang is giving victims until Wednesday 14 June to contact them or else it will post their details and data on its leak site. As has become standard practice in cyber ransom negotiations, it is offering victims the chance to review a small selection of the purloined material as proof of its intentions.

The operative added that it had erased all data obtained from governments, city authorities and law enforcement, implying that some such organisations were compromised.

A BBC spokesperson said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

Computer Weekly contacted BA and Boots in relation to the latest developments, but neither organisation had responded at the time of publication.

Next steps for MOVEit users

Jim Tiller, CISO at Nash Squared, a global technology and talent provider, said that any organisation that has used MOVEit must now assume that their data, or the data of their customers, is now in Clop’s hands.

“These organisations need to urgently review and categorise all their information assets that are likely to have been stolen to understand what represents the greatest threat to extortion and prioritise accordingly,” said Tiller.

“From there it’s about assessing the risks associated with the exposure of the information, not only to the company but its clients, partners, affiliates and with those where information was exchanged. Without these critical steps responding to ransom demands and determining a course of action will be reactive and ineffective.”

Tiller additionally explained that organisations would need to come to terms with the fact that multiple organisations might be exploited for the same data, so even if one victim pays up, their information may still be leaked if another party resists Clop’s demands.

He said that unfortunately, this was one of the inherent risks of a multi-tenant cloud environment, and it may also mean that payments would not be covered by cyber insurance policies.

“Many insurers will have clauses that are very similar to acts of God or mass events that exclude such attacks from coverage. Therefore, if companies haven’t already reviewed their policy with their provider, they need to as soon as possible,” said Tiller.

Jake Moore, global cyber security advisor at ESET, added: “Although it is never advised to pay ransom demands to cyber criminals, there is an inevitable risk that some of the targeted companies will succumb to the pressure. This will only fuel the fire and continue the cycle of this devastating criminal group.

“It is more important that the companies affected are open and honest with their employees and customers offering support in how to protect themselves and how to spot follow up phishing and smishing attacks.”

Ransoms without ransomware

As previously reported, the nature of the MOVEit vulnerability that Clop exploited – CVE-2023-34362 – is unlikely to provide sufficient access to deploy an actual ransomware locker, and there is no evidence that any of the known victims have had their systems encrypted.

This makes the incident a case of straight-up data theft and extortion, something that is becoming increasingly commonplace, and a tactic favoured by Clop during its previous crime sprees.

Moore said that the approach adopted by Clop this time around further deviated from the norm because more typically it would send its victims ransom demands with a predetermined amount chosen by them. This has not happened in this instance.

“This decision is likely to stem from the overwhelming magnitude of the ongoing hack which is still affecting large numbers of systems worldwide and potentially overpowering the capabilities of Clop itself,” he said.

Read more about the MOVEit incident

Read more on Data breach incident management and recovery