
Cyber Incident Victim: Heidelberger Druckmaschinen AG

Date: May 2023

Location: Germany

Summary

Heidelberger Druckmaschinen AG was listed on the Clop ransomware gang's data leak site as a victim of a widespread attack exploiting a zero-day vulnerability in the MOVEit Transfer platform. While the company confirmed it used the software, its own analysis indicated that the incident did not lead to a data breach. The threat actors began extorting numerous companies affected by the MOVEit attacks, threatening to leak stolen information if ransom demands were not met.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around May 27, 2023, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. The threat actors used this vulnerability to steal files stored on the servers of numerous organizations. The Clop gang subsequently took responsibility for these attacks, publicly claiming to have breached hundreds of companies. They issued a warning that the names of these victim organizations would be added to their data leak site on June 14, 2023, if negotiations did not occur. The group further stated that if extortion demands were not paid, they would begin leaking the stolen data publicly on June 21, 2023.


The extortion process began as threatened. On or around June 1, 2023, the Clop gang listed thirteen companies on their data leak site. One of these listed entities, Greenfield CA, was later removed from the site, an action that typically indicates either a mistake in the initial listing or that negotiations between the threat actors and the victim are underway. Among the organizations named on the site was the German printing company Heidelberger Druckmaschinen AG, referred to as Heidelberger Druck in the article. The listing on this site is a common tactic used by ransomware groups to pressure victims into paying a ransom by threatening to release sensitive stolen data.

In response to the listing, Heidelberger Druck provided a statement to BleepingComputer. The company confirmed that it uses the MOVEit Transfer platform, which was the initial vector for the widespread attacks. However, following an internal analysis of the incident, Heidelberger Druck stated that its investigation indicated the exploitation of the MOVEit vulnerability did not lead to any data breach from its systems. This position contrasts with the claims made by the Clop gang and the experiences of other listed victims.

Other organizations confirmed their involvement to varying degrees. The British multinational oil and gas company Shell reported that a small number of its employees and customers were impacted. Landal Greenparks disclosed that the threat actors had accessed the names and contact information of approximately 12,000 guests. The University System of Georgia and the University of Georgia stated they were still investigating the attack and would disclose any breaches if discovered. UnitedHealthcare Student Resources also reported it was investigating the matter. Putnam Investments, another entity listed on the data leak site, acknowledged it was looking into the claims.

The scope of the incident extended far beyond the initial thirteen companies named. Numerous other organizations disclosed breaches stemming from the same MOVEit vulnerability. These included Zellis, a service provider whose breach subsequently impacted its customers the BBC, Boots, and Aer Lingus; Ireland's Health Service Executive (HSE) through its association with Zellis; the University of Rochester; the government of Nova Scotia; the US states of Missouri and Illinois; BORN Ontario; Ofcom; Extreme Networks; and the American Board of Internal Medicine. The US Cybersecurity and Infrastructure Security Agency (CISA) was reported to be working with several US federal agencies that had also been breached, and two US Department of Energy entities were confirmed as compromised.

The attack methodology followed a pattern established in previous campaigns by threat actors targeting managed file transfer solutions. In similar past attacks exploiting zero-day vulnerabilities in Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U, the threat actors had demanded ransoms as high as $10 million to prevent the public leaking of stolen data. According to information obtained by BleepingComputer, the extortion operation associated with the GoAnywhere attacks was not particularly successful, with many companies choosing to publicly disclose their data breaches rather than pay the ransom. The Clop gang made a specific claim regarding government data in the MOVEit incident, telling BleepingComputer that they automatically deleted any data stolen from government entities, including military and children's hospitals. However, the article notes that once data is exfiltrated, there is no way to verify if it is actually deleted, and it should therefore be assumed to remain at risk.

The primary impact of the incident was the large-scale theft of sensitive data from a wide array of victims across multiple sectors, including education, energy, healthcare, government, and private industry. The consequences for victims included potential financial loss, regulatory scrutiny, reputational damage, and the obligation to notify affected individuals whose personal information was compromised. The response from victim organizations involved initiating internal investigations, assessing the scope of any data exposure, and preparing public disclosures as required by law. The incident highlighted the significant supply-chain risk posed by vulnerabilities in widely used enterprise software, as a single flaw in the MOVEit platform led to a cascading series of breaches affecting its numerous customers globally.
