Cyber Incident Victim: Royal Dutch Shell
Date: Mar 2021
Location: United States of America
Summary
A multinational energy corporation experienced a data breach when attackers exploited vulnerabilities in a third-party secure file-transfer system (Accellion FTA), compromising files containing personal data and information belonging to subsidiaries and stakeholders. The incident did not impact core IT systems because the affected service was isolated from the rest of the network. The company addressed the vulnerabilities, initiated an investigation, and notified regulators and impacted parties. The breach was linked to a broader campaign by the FIN11 cybercrime group and Clop ransomware operators, who leveraged a zero-day flaw in Accellion's legacy software to target multiple organizations globally, resulting in significant data theft from a limited subset of victims.
Description
In March 2021, Royal Dutch Shell plc disclosed a data breach stemming from the compromise of its Accellion File Transfer Appliance (FTA), a legacy secure file-sharing system. The incident, publicly acknowledged by Shell on March 22, 2021, occurred after attackers exploited vulnerabilities in the third-party FTA software, which Shell used to transfer large data files. Upon discovering the breach, Shell immediately engaged its cybersecurity team and service provider to address the vulnerabilities and initiated an investigation to determine the incident's scope. The company confirmed the attack was isolated to the Accellion FTA system and did not impact its core IT infrastructure due to network segmentation. Shell notified relevant data authorities and regulators after determining that unauthorized parties had accessed files containing personal data belonging to stakeholders and information from Shell subsidiaries. The organization directly contacted affected individuals and stakeholders to mitigate potential risks but did not disclose the exact number of impacted parties or specific data types exfiltrated.

The breach was part of a broader campaign targeting Accellion FTA users, attributed by cybersecurity firms Accellion and Mandiant to the FIN11 cybercrime group and Clop ransomware gang. Attackers leveraged a zero-day vulnerability in the 20-year-old FTA software, first disclosed in mid-December 2020, to infiltrate multiple organizations. Accellion reported that fewer than 100 of its approximately 300 FTA customers were compromised, with under 25 experiencing significant data theft. Other affected entities included Qualys, Kroger, the Reserve Bank of New Zealand, and governmental agencies across multiple countries. In response to the widespread attacks, Five Eyes intelligence alliance members issued a joint advisory warning organizations about ongoing exploitation attempts against unpatched FTA systems. Shell emphasized its commitment to improving information risk management practices and continuous security monitoring while acknowledging the breach caused concern and inconvenience to affected parties.
