Cyber Threat Actor: Clop
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
8 incidents |
|---|
Profile
TA505, also known as Lace Tempest, FIN11 and Clop, is a Russia‑linked cybercrime group that has been observed conducting financially motivated operations since at least 2019. The group operates under multiple aliases and is frequently described in open sources as a Russian‑speaking ransomware syndicate. Public reporting consistently notes that the actors claim to be purely financially driven and state they have no interest in political objectives. Their activity has been observed across a wide range of industries and geographic regions, with a notable concentration of victims in North America and Europe.
The group’s typical tactics involve exploiting zero‑day vulnerabilities in managed file transfer software, most prominently the CVE‑2023‑34362 flaw in Progress Software’s MOVEit Transfer product, which allowed them to exfiltrate data from hundreds of organizations. They have also been linked to the exploitation of vulnerabilities in PaperCut print management software and Fortra’s GoAnywhere file transfer system to deploy their Clop ransomware payload. The Clop ransomware family is used in a double‑extortion model where data is stolen and threatened for release unless a ransom is paid, and the actors maintain a data leak site to name victims who refuse to negotiate. In addition to ransomware deployment, the group has been described as operating under a ransomware‑as‑a‑service model, renting the malware to affiliates for a share of the proceeds.
Representative campaigns attributed to TA505 include the widespread MOVEit exploitation effort that began in May 2023 and affected over 130 organizations, ranging from law firms such as Kirkland & Ellis and K&L Gates to universities including UCLA and the University of Phoenix, healthcare entities like the U.S. Department of Health and Human Services and Nova Scotia Health, energy companies such as Siemens Energy and Schneider Electric, and numerous government agencies including the U.S. Departments of Energy and Agriculture and the Office of Personnel Management. Earlier activity includes the 2021 ransomware attack on Swire Pacific Offshore that compromised employee passport and payroll data, and the 2021 breach of the UK‑based IT firm Dacoll that exposed police national computer records. These incidents illustrate the group’s reliance on software supply chain weaknesses and its focus on monetizing stolen data through extortion.
