
Cyber Incident Victim: First National Bankers Bankshares

Date:

May 2023

Location:

United States of America

Summary

First National Bankers Bank was compromised as part of a mass-exploitation campaign targeting a vulnerability in the MOVEit Transfer file-sharing application. The Russia-linked Clop ransomware gang claimed responsibility for the attack, listing the bank among its victims on its dark web leak site. The gang stated it had exfiltrated a significant amount of data and attempted to extort the organization, though no specific stolen data from this victim was confirmed as published.


Description

On or around May 1, 2023, the ransomware gang known as Clop began exploiting a critical security vulnerability in the MOVEit Transfer application, a popular corporate file transfer tool developed by Progress Software. This mass-hacking campaign targeted numerous organizations globally that used the software to share large files over the internet. First National Bankers Bank, a U.S.-based financial services organization, was among the victims compromised during this exploitation. Progress Software patched the vulnerability after it was discovered, but the remediation occurred after the hackers had already compromised a number of its customers, including the bank.

The incident remained undisclosed publicly until June 15, 2023, when the Clop ransomware gang listed its first batch of victims on its dark web leak site. First National Bankers Bank was named explicitly in this listing alongside other U.S. financial institutions like 1st Source Bank. The gang did not follow its typical ransomware procedure of directly contacting victims to demand a payment. Instead, it posted a blackmail message on its site instructing all listed organizations to contact the gang prior to a June 14 deadline. Clop claimed on the site to have downloaded "alot [sic] of your data" from the bank, though no specific data from First National Bankers Bank was published at the time the article was written.

The full scope of the data breach at First National Bankers Bank was not detailed in the public reporting. The bank did not provide a public statement or respond to media inquiries regarding the incident, so the specific nature of the compromised data, the number of affected individuals, or the operational impact on the bank remains unconfirmed. The attack was part of a much broader campaign that impacted a wide range of sectors, including other financial firms, universities, government entities, and energy companies. The gang's message indicated a specific policy regarding certain victims, stating, “if you are a government, city or police service… we erased all your data,” but no such exception was mentioned for financial sector victims like First National Bankers Bank.

The attack vector was the exploitation of a zero-day vulnerability within the MOVEit Transfer software. Research from the American risk consulting firm Kroll indicated that Clop may have been experimenting with ways to exploit this particular vulnerability for almost two years, dating back to 2021, long before it was publicly disclosed and patched in May 2023. This finding suggested a high degree of sophisticated knowledge and planning behind the mass exploitation event. Clop was also responsible for previous mass attacks that exploited flaws in other file transfer tools, including Fortra’s GoAnywhere and Accellion’s file transfer application, establishing a pattern of targeting these types of systems.

The response from other listed victims varied. Some organizations, like the University System of Georgia, acknowledged they were evaluating the potential data exposure and stated that notifications would be issued to affected individuals if necessary, in compliance with federal and state law. Other entities, such as the German company Heidelberg, stated that the incident was connected to supplier software and claimed they had countered the attack quickly and effectively, with their analysis concluding that it did not lead to any data breach. Because First National Bankers Bank made no public response, its specific containment and response actions are not a matter of public record in the available sources.

The consequences of the mass-hack were widespread, with new victims continuing to come forward after the initial listing. Organizations like Johns Hopkins University confirmed the incident may have impacted sensitive personal and financial information, including names, contact information, and health billing records. The U.K. communications regulator, Ofcom, confirmed that hackers accessed confidential information about the companies it regulates and the personal information of 412 of its employees. The full extent of the attacks remained unknown, but researchers noted that thousands of MOVEit servers, most located in the United States, were still discoverable on the internet, suggesting the potential for further compromises. The listing of First National Bankers Bank on the Clop leak site represents a confirmed compromise of its systems, placing it among the many organizations affected by this significant cybersecurity incident.
