
Cyber Incident Victim: Landal Greenparks

Date: May 2023

Location: Netherlands

Summary

Landal Greenparks was impacted by a mass data theft attack exploiting a zero-day vulnerability in the MOVEit Transfer platform. The Clop ransomware gang claimed responsibility for the attack, which compromised the personal information of approximately 12,000 guests. The stolen data consisted of names and contact details, but did not include passwords, financial information, or details of future reservations. The company took immediate action by notifying affected individuals and authorities while decommissioning the affected server to prevent further unauthorized access.


Description

On or around May 27, 2023, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. This global attack campaign targeted hundreds of companies that utilized this software, including the vacation park operator Landal Greenparks. The threat actors used this vulnerability to gain unauthorized access to servers running the MOVEit application, specifically to steal files stored on those servers. The Clop gang subsequently claimed responsibility for these attacks, publicly stating they had breached hundreds of companies and setting deadlines for extortion.

Landal Greenparks was identified as one of the victims in this widespread incident. The company confirmed that, like many other organizations globally, it used the MOVEit software. The threat actors successfully breached Landal's systems and gained access to guest data. The initial intrusion and the vulnerability leveraged were consistent with the MOVEit zero-day exploit publicized in connection with the Clop campaign. The company's investigation determined that the attackers had access to data, though the full extent of what was taken was initially unclear.

In response to the breach, Landal Greenparks took immediate containment actions. The company disabled the affected server to prevent any further unauthorized access and then rebuilt it from scratch so that the threat actors' access was permanently eradicated. This technical response was aimed at securing the environment and preventing any additional data exfiltration or system compromise. The company also initiated an internal investigation to determine the scope and impact of the incident.

By May 31, 2023, Landal Greenparks began notifying potentially affected parties and regulators. The company publicly announced it was informing guests about a potential data leak. It also reported the incident to the Autoriteit Persoonsgegevens, the Dutch data protection authority, in compliance with regulatory obligations. In these initial communications, Landal stated that while it knew hackers had been inside its systems and had access to guest information, it did not know for certain whether the attackers had actually exfiltrated or misused the data. The company opted to inform people out of an abundance of caution.

The Clop ransomware gang began its extortion process against victims of the MOVEit campaign on or around June 1, 2023. The gang listed company names on its dark web data leak site, a tactic used to pressure victims into paying a ransom. Landal Greenparks was among the first thirteen companies listed on this site. The listing served as a public confirmation that the threat actors considered Landal a victim of their MOVEit exploitation campaign and possessed data from the company.

Landal Greenparks confirmed to media outlets that it was a victim of the MOVEit attacks. The company provided a specific impact assessment, stating that the personal data potentially leaked contained no passwords, financial information, or details about future reservations. The compromised data was limited to the names and contact information of approximately 12,000 guests. This defined the scope of the personal data breach for Landal, distinguishing it from more severe breaches that might include sensitive financial or credential information.

By June 15, 2023, the extortion timeline set by the Clop gang was advancing. The group had warned that if negotiations did not occur, company names would be listed on June 14. Furthermore, they threatened to begin leaking the stolen data publicly on June 21 if extortion demands were not met. The public listing of Landal Greenparks on the leak site indicated that the company was subject to these threats and part of the broader Clop extortion operation targeting MOVEit victims.

An update from Landal Greenparks on June 30, 2023, provided final confirmation of the data exfiltration. The company stated that it had since become known that the hackers had indeed taken data. This confirmation validated the company's initial decision to promptly inform all involved parties, allowing them to take steps to mitigate the potential consequences of the data being misused. The company noted that given the scale of the global MOVEit hack, it expected many other companies to have reported or to report similar incidents.

The impact of the incident on Landal Greenparks was confined to a data privacy breach affecting a subset of its guests. The operational impact involved the temporary disruption required to take the compromised server offline and rebuild it. The reputational impact involved being named publicly as a victim on a ransomware gang's leak site and having to disclose a security incident to its customers and regulators. The financial impact, including whether any ransom was demanded or paid, was not disclosed by the company.

The incident was part of a much larger pattern of attacks. Numerous other organizations across the world, including Shell, various universities, and government agencies, were also compromised through the same MOVEit vulnerability and subsequently extorted by the same threat actors. The attack methodology followed a pattern established in previous campaigns against other managed file transfer solutions like Accellion FTA and GoAnywhere MFT, where the group exploited zero-day vulnerabilities to steal data for extortion purposes. The Clop gang claimed to automatically delete data stolen from government entities, but no such claim was made regarding commercial companies like Landal Greenparks, and the permanent deletion of any stolen data could not be independently verified.
