
Cyber Incident Victim: Onex

Date:

Jan 2023

Location:

United States of America

Summary

A ransomware attack exploiting a vulnerability in Fortra's GoAnywhere file transfer software impacted approximately 130 organizations, with the Russia-linked Clop gang stealing sensitive data including employee information, tax documents, and payment records. Onex suffered unauthorized access leading to exfiltration of W-9 forms and employee details, while other affected entities spanned healthcare, finance, and municipal sectors, resulting in extortion threats and public data leaks; Fortra remained silent on breach specifics despite releasing patches post-incident.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool began in late January or early February 2023, though the precise start date remains unspecified. The Russia-linked Clop ransomware gang claimed responsibility, asserting it had compromised 130 organizations through this intrusion. Fortra, the developer of GoAnywhere, had concealed details of the vulnerability behind a login screen on its website until independent security reporter Brian Krebs publicly disclosed the flaw on February 2. Fortra released security patches on February 7, five days after Krebs' report, but attackers had already exfiltrated substantial data from multiple victims by then. Healthcare provider Community Health Systems became the first confirmed victim, disclosing the theft of health information belonging to at least 1 million patients from its GoAnywhere system. Digital finance firm Hatch Bank and cybersecurity company Rubrik subsequently confirmed breaches linked to the same vulnerability.


The incident's scope expanded throughout March 2023 as Clop gradually listed additional victims on its dark web leak site, using stolen data to extort payments. Canadian entities Investissement Québec and the City of Toronto confirmed unauthorized access through Fortra's systems, with Toronto initially denying data exfiltration on March 20 before revising its statement on March 23 to acknowledge compromised files. Hitachi Energy reported employee data theft tied to its GoAnywhere implementation. Clop published samples of data allegedly stolen from private equity firm Onex, including W-9 tax forms, payment orders, and employee details such as names, genders, and email addresses, though Onex did not respond to verification requests. Several listed organizations disputed the severity of claims—AvidXchange stated its GoAnywhere instance stored no sensitive data and was taken offline by Fortra, while Saks Fifth Avenue asserted only mock customer testing data was compromised. Other affected entities, including Galderma, ITx Companies, Brightline, Emerald Expositions, and MedMinder, declined to comment on potential breaches. Fortra did not publicly acknowledge the incident or clarify whether its internal systems hosting customer data were compromised, and multiple GoAnywhere users identified by TechCrunch—such as Homewood Health, Guinness Partnership, and Grupo Vanti—did not respond to inquiries. By late March, Clop had publicly identified fewer than half of the 130 organizations it claimed to have breached, leaving the full impact unresolved.
