
Cyber Incident Victim: AbbVie

Date:

May 2023

Location:

United States of America

Summary

A ransomware gang known as cl0p exploited a vulnerability in the MOVEit file transfer application to steal data from AbbVie and numerous other organizations. The incident compromised the data of millions of individuals, with the gang employing double-extortion tactics by threatening to leak the stolen information unless a ransom was paid. The attack impacted a wide swathe of entities including major corporations, government departments, and universities.


Description

On or around May 28, 2023, the cl0p ransomware gang initiated a widespread cyberattack by exploiting a previously unknown (zero-day) vulnerability in the MOVEit Transfer file transfer program. This incident was not a direct attack on AbbVie's internal systems but rather a compromise of the third-party file transfer service used by the company and numerous other organizations. The attackers leveraged this flaw to gain unauthorized access to servers running the vulnerable MOVEit software and to exfiltrate data from them. The cl0p group, which security researchers identify as Russia-linked or Russian-speaking, is known for its ransomware-as-a-service model, in which it provides hacking tools and infrastructure to other cybercriminals in exchange for a portion of the extorted funds. The group has also been credited with helping to pioneer the practice of double extortion, a tactic employed in this incident in which data is stolen and victims are threatened with its public release unless a ransom is paid.


The attack's impact was broad and indirect, stemming from the compromise of a common software tool used by a wide swathe of entities to transfer sensitive files. For AbbVie, a global biopharmaceutical company, this resulted in the theft of data that was being handled through the MOVEit application. The specific nature and volume of the data taken from AbbVie were not detailed in public disclosures. The cl0p gang publicly claimed responsibility for stealing data from AbbVie Inc., among other victims, by listing the company on its darknet leak site on Tuesday, June 27, 2023. This name-and-shame tactic is a standard procedure for the group, designed to pressure victims into paying a ransom by threatening to publish the stolen confidential information.

The total scope of the MOVEit campaign was extensive. According to cybersecurity firm Emsisoft, the number of victim organizations reached 121, with at least 15 million individuals affected, and the firm assessed that the true number was likely "much, much higher." Other publicly claimed victims included major corporations and institutions such as the University of California, Los Angeles, Siemens Energy, Schneider Electric, Sony, accounting firms EY and PwC, energy giant Shell PLC, and the leading U.S. pension fund Calpers. Government departments, including the U.S. Energy Department and the U.K.'s telecom regulator, were also impacted. The widespread nature of the compromise created an overwhelming workload for the cybersecurity professionals and law enforcement agencies investigating the breaches.

In response to the incident, the Federal Bureau of Investigation (FBI) confirmed it was aware of and investigating the exploitation of the MOVEit vulnerability by malicious ransomware actors. The U.S. government had previously announced a reward of up to $10 million for information linking the cl0p group, or any other malicious cyber actors targeting American critical infrastructure, to a foreign government. The software vendor, Progress Software, disclosed the zero-day vulnerability and released patches to secure the MOVEit Transfer application. Affected organizations, including AbbVie, were urged to apply these patches immediately to prevent further exploitation. The primary consequence for AbbVie was the confirmed compromise of its data, which exposed the company and its employees, clients, or business partners to potential secondary harms such as fraud or identity theft arising from the theft of personal or sensitive information. The incident underscored the significant supply chain risk posed by vulnerabilities in the third-party software and services on which large enterprises routinely rely.
