
Cyber Incident Victim: Crowe LLP

Date:

May 2023

Location:

United States of America

Summary

Crowe LLP was impacted by the Cl0p ransomware gang's attack exploiting a zero-day vulnerability in the MOVEit Transfer file-sharing platform. The accounting firm took swift action by disabling access and applying patches, limiting the compromise to fewer than 100 clients who were all notified. This incident was part of a broader campaign affecting numerous organizations globally, including financial institutions, government agencies, and major corporations.

CIA Posture: available to members
Motives: 8 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

Crowe LLP, a Chicago-based accounting, tax advisory, consulting, and technology firm, was confirmed to be impacted by a cyber incident involving the MOVEit file transfer software on or around May 31, 2023. The company was listed on the dark web leak site operated by the Cl0p ransomware gang earlier that week, identifying it as a victim. The incident was part of a broader, global attack campaign where the Russian-affiliated Cl0p group exploited a zero-day vulnerability in the MOVEit Transfer application, which is developed and distributed by the American software company Progress.


Upon learning of the vulnerability, Crowe LLP took immediate action. The company's security department responded swiftly by disabling access to the affected MOVEit system. They applied the critical security patches and a subsequent service pack that were provided by Progress, the software vendor. These patches were released by Progress following the discovery of the breach at the end of May; a new service pack was also announced on July 5th, which included a plan for bi-monthly security updates. Crowe engaged outside experts to conduct a rigorous investigation to determine the full scope and impact of the vulnerability on their systems and client data.

The investigation concluded that the impact on Crowe's clientele was remarkably limited, a result attributed to the quick response of its security team. The number of clients whose data was compromised was fewer than one hundred. All of these impacted clients were notified by Crowe once the investigation confirmed their involvement. The MOVEit platform is used by thousands of companies worldwide for secure file transfer, and the incident had a much more severe impact on many other organizations. Crowe's experience was an outlier in terms of the limited number of clients affected.

The broader MOVEit attack campaign impacted a wide array of global organizations. Major financial institutions were affected, including ING Bank, Deutsche Bank, and Postbank. The hospitality sector was represented by Choice Hotels' Radisson Americas chain, which reported a loss of customer data. Other prominent victims included the professional services firms PwC and Ernst & Young, corporations such as Sony, Siemens Energy, and Shell Global, as well as government entities such as the New York City Department of Education. Shell Global was the first victim publicly named by Cl0p on its leak site on June 14th. Several US federal agencies, including the Department of Energy and the Department of Health and Human Services, were also compromised, leading US officials to issue a $10 million bounty for information on the Cl0p gang.

The Cl0p ransomware group added companies they compromised to a dark web leak site, where they listed victims and sometimes provided details on the quantity of stolen data alongside samples as proof. At the time of the reporting, approximately 150 victims were listed on this site. Security experts estimated that around 3,000 deployments of MOVEit were in use when the zero-day flaw was first exploited. The impact of the attacks was compounded because even organizations that did not use MOVEit directly could have their data exposed if a trusted third-party supplier or business partner used the compromised file transfer platform.

This incident was not the first major campaign for the Cl0p group in 2023. In March, they claimed responsibility for exploiting a similar zero-day vulnerability in the Fortra GoAnywhere file management system. That attack compromised approximately 120 companies, including Procter & Gamble, Hitachi, Rubrik, and Virgin. Experts predicted the total number of victims from the MOVEit attacks would be at least double the number affected by the GoAnywhere hacks. Crowe LLP, with offices across nearly twenty US states as well as in India and the Philippines, is an independent member of Crowe Global. The firm’s confirmation of the incident and its limited scope was provided by Manny Goncalves, Crowe’s Principal and Chief Strategy & Communications Officer, in a statement to Cybernews on Thursday, May 31, 2023.

Sources: 1 source (available to members)