Cyber Threat Actor: FIN6
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
—
|
0 incidents |
|---|
Profile
FIN6, also tracked as Clop (Cl0p), TA505, Lace Tempest, Dungeon Spider, and FIN11, is a financially motivated cybercriminal group known for large-scale data theft and extortion campaigns. The actor primarily targets organizations across multiple sectors, including government agencies, energy, financial services, healthcare, education, and professional services. Geographic focus spans North America (notably the U.S. and Canada), Latin America (Chile, Dominican Republic, Argentina), and Europe (UK, Germany, France), with additional impacts in Australia and Asia. Strategic objectives center on financial gain through double extortion tactics, encrypting victim data while threatening public leaks unless ransoms are paid. Clop explicitly claims to avoid political motivations, stating it deletes data stolen from government entities to evade geopolitical scrutiny.
Notable TTPs include exploitation of zero-day vulnerabilities in managed file transfer (MFT) software, particularly Progress Software’s MOVEit Transfer (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708), with additional campaigns leveraging flaws in Fortra GoAnywhere and Accellion FTA platforms. The group uses SQL injection attacks to infiltrate file transfer systems, exfiltrate sensitive data, and deploy ransomware payloads including RedAlert (N13V), Quantum, and Play. Clop operates a Tor-based leak site to pressure victims, selectively publishing victim names and stolen data during negotiations. The 2023 MOVEit campaign impacted over 500 organizations and 36 million individuals, including U.S. federal agencies (Energy, Agriculture, HHS), Shell, Siemens Energy, Schneider Electric, Johns Hopkins, and multiple universities. Earlier operations include the 2025 ransomware attacks against Latin American government agencies using RedAlert and Quantum, and the 2023 GoAnywhere breaches affecting healthcare and financial entities. Public reporting attributes Clop to Russian-speaking criminal actors based on linguistic patterns in communications and infrastructure analysis, though no formal state affiliation is declared.
