Cyber Incident Victim: ÖKK Kranken- und Unfallversicherungen AG
Date: May 2023
Location: Switzerland
Summary
ÖKK Kranken- und Unfallversicherungen AG was impacted by a Clop ransomware group attack exploiting a vulnerability in the MOVEit Transfer file-sharing tool. The attackers exfiltrated personal data, including first and last names, but the company's core health data system was not compromised. ÖKK took immediate measures, worked with external partners, and brought the affected platform back online after cybersecurity specialists gave the all-clear. The organization notified partner organizations and was assessing whether to directly inform its customers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 25, 2023, the ransomware group known as Clop initiated a widespread cyberattack campaign exploiting vulnerabilities in the MOVEit Transfer file transfer tool. This was not a traditional ransomware attack involving encryption of systems but rather a data theft and extortion operation, characterized as a "hack and leak" attack. The threat actors utilized previously unknown vulnerabilities in the software to gain unauthorized access to servers and exfiltrate data. The group publicly claimed responsibility for the mass exploitation on their darknet leak site, threatening to publish stolen data unless affected companies contacted them by June 14, 2023.

ÖKK Kranken- und Unfallversicherungen AG (ÖKK), a Swiss health and accident insurance provider, was among the many global organizations confirmed to have been impacted by this campaign. The company, which operates nationwide with 30 agencies, serves approximately 190,000 private individuals and 13,000 companies and public institutions, with an annual premium volume of 800 million Swiss francs and around 490 employees. The attackers successfully targeted ÖKK's implementation of the MOVEit Transfer software, which was used for file transfers. The breach resulted in the confirmed exfiltration of certain personal data from the compromised platform.
The specific data categories affected were personal data, including first names and last names. A critical point confirmed by the company was that its core system containing sensitive health data was not compromised in the incident. Because the breach was confined to the MOVEit platform, the data exposure was limited to non-medical personal information. Upon discovery of the incident, ÖKK immediately implemented response measures. These included taking the affected MOVEit Transfer platform offline to sever the attackers' access and prevent further data loss.
ÖKK engaged external cybersecurity partners to assist with the investigation and response efforts. The external specialists conducted a forensic analysis of the event and provided an assessment of the situation. Following these investigations and the implementation of remedial actions, the cybersecurity experts gave preliminary clearance, indicating that the immediate threat had been contained. Subsequently, ÖKK restored the affected MOVEit Transfer platform by bringing it back online after it had been secured and reconfigured to prevent a recurrence of the unauthorized access.
The company's communication head, Patrick Eisenhut, publicly confirmed the cyberattack and its link to the global MOVEit exploitation campaign. As part of its response protocol, ÖKK proactively informed its partner organizations about the security breach. The company also undertook an internal review process to determine the necessity and method of directly notifying its customers about the incident, ensuring compliance with relevant data protection regulations and transparency with those whose data was affected. The incident highlighted the risks associated with third-party software vulnerabilities and the potential for supply-chain attacks affecting multiple enterprises simultaneously.
The Clop group followed through on its threat by listing ÖKK on its darknet leak site alongside other prominent victims, including the multinational energy company Shell and the Dutch holiday park operator Landal Greenparks. The public listing served as a pressure tactic to force negotiations for the deletion of the stolen data. The overall impact on ÖKK, while a serious security event, was assessed as limited in terms of data exfiltrated, given that the most sensitive health information stored in core systems remained secure and untouched. The primary consequences involved the potential exposure of personally identifiable information, carrying inherent risks of misuse, though the full extent of the data exfiltrated from ÖKK was not detailed beyond the confirmation that names were affected.
The response timeline indicates a rapid containment effort by ÖKK, involving taking the system offline, engaging external experts, and subsequently restoring the service after ensuring its security. The company's public communications aimed to provide factual confirmation of the event while reassuring stakeholders that critical health data systems were isolated from the breach. The incident formed part of a much larger global cybersecurity event impacting hundreds of organizations worldwide that utilized the MOVEit Transfer software, underscoring the broad and opportunistic nature of the Clop group's campaign against a common vulnerability in a widely used commercial product.
