Cyber Incident Victim: Datasite LLC
Date: May 2023
Location: United States of America
Summary
A ransomware gang exploited a critical vulnerability in the MOVEit Transfer file-sharing tool to compromise Datasite and numerous other organizations. The incident resulted in the theft of a significant amount of data, which the threat actors used to extort victims. Datasite was listed on the gang's dark web leak site alongside other financial, educational, and government entities, though the full scope of data exposed for the company specifically was not detailed in public disclosures.
Description
In late May 2023, the Russia-linked ransomware gang known as Clop began exploiting a critical security vulnerability in MOVEit Transfer, a popular corporate file transfer tool developed by Progress Software. The vulnerability was subsequently patched by Progress Software, but this action occurred only after a significant number of its customers had already been compromised. The mass-hacks targeted organizations globally that used the software to share large files over the internet. The full extent of the attacks was initially unknown, though researchers from American risk consulting firm Kroll reported that Clop may have been exploiting the MOVEit vulnerability as far back as 2021. Kroll's research identified activity indicating the gang had been experimenting with ways to exploit this particular vulnerability for almost two years prior to its public disclosure, illustrating a period of sophisticated planning and reconnaissance.

On June 14, 2023, Clop took the unusual step of publicly listing its first batch of victims on its dark web leak site instead of privately contacting the organizations to demand a ransom. The gang issued a blackmail message on the site instructing victims to contact them prior to a specified deadline. The initial list of named organizations included several U.S.-based financial services organizations such as 1st Source and First National Bankers Bank. Other financial sector victims included Boston-based investment management firm Putnam Investments and financial software provider Datasite. Educational institutions were also heavily targeted, with the University System of Georgia (USG) and the educational non-profit National Student Clearinghouse appearing on the list. The list further included international companies like the Netherlands-based Landal Greenparks, the U.K.-based energy giant Shell, and Swiss insurance company ÖKK. GreenShield Canada, a non-profit benefits carrier, was initially listed but was later removed from the leak site. Other named victims included student health insurance provider United Healthcare Student Resources and American manufacturer Leggett & Platt.
The public listing of victims prompted a range of responses from the affected organizations. A spokesperson for the University System of Georgia stated that the university was evaluating the scope and severity of the potential data exposure and confirmed that notifications would be issued to any affected individuals if necessary, consistent with federal and state law. Heidelberg, a German mechanical engineering company also listed, provided a statement through its spokesperson Florian Pitzinger. The company acknowledged its mention on Clop's website and confirmed the incident was connected to a supplier's software. Heidelberg stated the incident occurred a few weeks prior, was countered quickly and effectively, and that, based on its analysis, it did not lead to any data breach. Many other listed victims did not initially respond to requests for comment.
Prior to Clop's public listing, multiple organizations had already come forward to disclose they were compromised as a result of the attacks. These early disclosures were often linked to compromises at third-party service providers. HR and payroll software supplier Zellis confirmed its MOVEit system was compromised, which subsequently affected its customers including the BBC, Aer Lingus, and British Airways. The Government of Nova Scotia, which used MOVEit to share files across departments, confirmed it was affected and stated that some citizens’ personal information may have been compromised. In a message on its leak site, Clop made an exception for certain government entities, claiming, “if you are a government, city or police service… we erased all your data.”
Following the public listing of the first victims, new organizations continued to come forward and confirm their involvement in the incident. Johns Hopkins University confirmed a cybersecurity incident believed to be related to the MOVEit mass-hack. The university stated the data breach may have impacted sensitive personal and financial information, including names, contact information, and health billing records. Ofcom, the U.K.’s communications regulator, confirmed that hackers accessed some confidential information, including data about the companies it regulates and the personal information of 412 Ofcom employees. According to BBC News, Transport for London (TfL), the government body responsible for running London’s transport services, and global consultancy firm Ernst & Young were also impacted. Neither organization responded to requests for confirmation.
At the time of the initial reporting, no stolen data had been published by Clop. However, the gang claimed on its leak site to have downloaded “alot [sic] of your data” from the victim organizations. The gang's typical modus operandi involves demanding a ransom payment to decrypt files it has encrypted or to delete files it has stolen. In this incident, the public listing served as the primary means of applying pressure for payment. Researchers noted that thousands of MOVEit servers, most located in the United States, remained discoverable on the internet, suggesting that many more victims were expected to be revealed in the coming days and weeks. This incident was not Clop's first mass-attack; the gang was also responsible for previous campaigns exploiting flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application. The MOVEit attack represented a continued pattern of targeting widely used enterprise file transfer solutions to gain access to the data of a large number of organizations simultaneously.
