Cyber Incident Victim: Valmet

Date: May 2023

Location: Finland

Summary

Valmet was targeted in a cyberattack by the Cl0p group, which exploited a vulnerability in the MOVEit file transfer software. The company confirmed the breach but assessed the impact as minor, stating the attackers had only accessed a limited number of old files and emails with no business significance. No sensitive personal data was reported stolen. The Cl0p group, known for extortion, added Valmet to its list of victims, though the company stated the group had not made contact.

Description

On or around the end of May 2023, the Finnish technology company Valmet, which operates internationally, was hit by a cyber attack. The incident was part of a wider global campaign exploiting a vulnerability in the MOVEit file transfer application. The campaign was run by the cybercrime group CL0P, also tracked as TA505 and widely considered to be of Russian origin, which specializes in data theft for extortion: it threatens to publish stolen information unless a ransom is paid. Valmet discovered the intrusion a few days after it occurred.

In July 2023 CL0P publicly added Valmet to the list of victims on its dark web leak site. Such listings are a standard pressure tactic, often accompanied by a countdown timer: if the ransom is not paid before the timer expires, the stolen data is published. Valmet stated, however, that CL0P had not contacted the company with any ransom demand, so the public listing may have been an attempt to open communication or to apply pressure indirectly.

In its public statements Valmet confirmed the breach but stressed that the damage was minor. The company's investigation concluded that, through the MOVEit vulnerability, the attackers had obtained a limited set of data: a number of files and emails. Valmet characterized this material as old, of no business significance and not capable of causing harm, and confirmed that no sensitive personal information was taken. The exfiltration was therefore limited to non-critical, historical business documents and correspondence.

Valmet reported the incident to the relevant authorities in line with standard breach notification procedures, and its internal security team handled the response. The Finnish Transport and Communications Agency Traficom and its National Cyber Security Centre noted exploitation of the MOVEit vulnerability in Finland in their May 2023 cybersecurity review; their June 2023 assessment added that Finnish cases were few, since MOVEit was not known to be widely used in the country. The Valmet incident is one of those few cases.

The primary impact on Valmet was reputational, from its name appearing on a criminal group's leak site. Its public response centred on the position that the stolen data was inconsequential and that no significant breach had occurred. Valmet's confirmation that no extensive cyber attack took place and that operations were not disrupted indicates the incident was contained quickly and did not escalate to industrial control systems or core business operations. No ransom was paid and the company did not engage with the threat actors, consistent with a policy of not acquiescing to extortion. The incident is an example of a company caught up in a broad, automated campaign rather than being singled out for a targeted attack, with minimal operational or financial damage as the outcome.
