Cyber Incident Victim: Barrick Gold Corp.
Date: May 2023
Location: Canada
Summary
Barrick Gold Corp. was listed as a victim by the Clop ransomware gang, which exploited a vulnerability in the MOVEit file transfer platform. The Toronto-based gold miner was among numerous organizations impacted in the widespread cyber incident. While the specific nature and extent of the data compromised from the company were not publicly disclosed, the event was part of a larger campaign affecting millions of individuals through breaches at various other entities, including government departments and health systems.
Description
Barrick Gold Corp., a Toronto-based multinational gold and copper mining company, was publicly listed as a victim of a cyber incident by the Clop/Cl0p ransomware and data theft gang on or around May 31, 2023. The incident was part of a broader mass-exploitation campaign targeting a zero-day vulnerability in Progress Software’s MOVEit managed file transfer application. The attack was identified and disclosed by Brett Callow, a Canada-based threat researcher for cybersecurity firm Emsisoft, who reported the listing via a public tweet. The Clop gang added Barrick Gold to its leak site, a platform used to publicly name victims and threaten the release of stolen data to coerce ransom payments. At the time of the public disclosure, Barrick Gold’s CEO and press spokesperson had not responded to requests for comment from the media, and no official statement from the company was immediately available.

The attack against Barrick Gold was not an isolated event but one of many within a widespread campaign. On the same day Barrick was listed, the Clop gang also added two other organizations as victims: the Texas Dow Employees Credit Union and the Texas-based United Regional Health Care System. According to Callow's tracking, these additions brought the total number of publicly reported victim organizations to 193. The exact mechanism of the attack involved the exploitation of a critical vulnerability in the MOVEit platform, which attackers used to gain unauthorized access to corporate networks and exfiltrate data. It was not publicly known whether Barrick Gold Corp. operated its own instance of MOVEit or if its data was compromised through a third-party service provider that used the software. The specific volume of data stolen from Barrick or the precise nature of the compromised information was not detailed in the public listing by the threat actors or by the researcher who reported it.
The broader incident impacting numerous organizations stemmed from a vulnerability within Progress Software’s MOVEit Transfer and MOVEit Cloud products. Progress Software publicly disclosed the vulnerability and released patches on May 31, 2023, coinciding with the wave of victim announcements. In response to customer demand for a more predictable update schedule, the company also announced it had formalized a regular Service Pack program for all MOVEit products, with an expectation to release a new Service Pack approximately every two months moving forward. The first such Service Pack was made available on that date, which included product and security fixes for supported versions of MOVEit Transfer. This update had also been applied to MOVEit Cloud, while MOVEit Automation was scheduled to be included in future releases. The Service Pack included improvements to the MOVEit Transfer database, optimization of the installer, and fixes for three new Common Vulnerabilities and Exposures (CVEs) that had been identified.
The impact of the widespread MOVEit campaign was severe and affected a wide range of companies and public sector entities across North America. Other confirmed victims included the Metro Vancouver Transit Police department, which reported that 186 of its files were copied, though it described this as a "limited number" and did not disclose the contents. The Oregon Department of Transportation disclosed that data on 3.5 million state residents was copied and advised all individuals with active Oregon ID or driver’s licences to assume their related information was involved. The Louisiana Office of Motor Vehicles reported that all residents with a state-issued driver’s licence, ID, or car registration had personal data copied, including names, addresses, and Social Security numbers. The New York City public school system also confirmed that personal data of more than 45,000 students and staff was exfiltrated. The commonality among all victims was their use, either directly or through a service provider, of the vulnerable MOVEit file transfer platform.
For Barrick Gold specifically, the immediate consequences of being named on the Clop leak site included reputational damage and potential financial risk. As one of the world's largest gold producers, with net earnings of US$432 million on US$5.6 billion in sales in its last fiscal year and operations spanning 15 gold and three copper mines across 12 countries, the company represents a significant strategic target. The public listing by a known ransomware group indicated that corporate data had been successfully exfiltrated, creating the risk of it being sold or leaked publicly. A primary tactic of the Clop group is to extort victims by threatening to release sensitive data, and it was not publicly known whether Barrick Gold received a ransom demand or if any payment was made to prevent the data's release. The lack of an immediate public statement from the company suggested its incident response process was ongoing internally at the time of the initial media report.
The response actions taken by Barrick Gold were not detailed in the available public reporting. The company's communications team did not provide a comment by the press time of the initial article. In contrast, the vendor of the affected software, Progress Software, undertook significant response actions. Its primary action was the development and rapid deployment of security patches to address the vulnerability being exploited. The company also committed to a new, more structured update schedule to provide customers with greater predictability for applying future security fixes. This formalized Service Pack program was a direct response to customer demand following the crisis and was intended to improve the security posture of the product moving forward. The widespread exploitation underscored the significant risk posed by vulnerabilities in widely used third-party software and the extensive supply chain attack surface it can create. The incident involving Barrick Gold Corp. exemplifies how large corporations across various sectors, including critical resources like mining, can become collateral damage in large-scale attacks targeting a single software product. The full scope of the impact on Barrick, including any potential operational disruption or financial loss, remains undisclosed in the public domain.
