
Cyber Incident Victim: Royal Dutch Shell

Date: May 2023

Location: United States of America

Summary

The Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer platform to steal data from Shell and hundreds of other companies. The threat actors listed the victim on their data leak site and began extortion attempts. Shell confirmed a limited number of its employees and customers were impacted in the incident. The gang threatened to publicly leak the stolen data if their ransom demands were not met.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On or around May 27, 2023, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. This attack was part of a broader campaign targeting numerous organizations that used this software for secure file transfers. The threat actors took responsibility for the attacks, claiming to have breached hundreds of companies. They issued a warning that the names of these companies would be added to a data leak site on June 14th if negotiations did not occur. The gang further stated that if extortion demands were not paid, they would begin leaking the stolen data publicly on June 21st.


The Shell Oil Company was among the organizations impacted by this widespread attack. On June 1, 2023, the Clop gang began listing victim companies on their data leak site. Shell was one of the first thirteen companies named in these initial listings. This public listing on the cybercriminals' extortion site served as the primary method for notifying victims and applying pressure for payment. The inclusion of Shell on this site indicated that the attackers had successfully exfiltrated data from the company's MOVEit Transfer server during the exploitation window.

In response to its listing, Shell confirmed to BleepingComputer that it had been impacted by the MOVEit attacks. The company stated that the security incident had affected a small number of its employees and customers. This public acknowledgment confirmed Shell's status as a victim of this specific cyber incident. The nature of the attack was a data theft, not a ransomware encryption event, as the Clop gang exploited the vulnerability to steal files directly from the MOVEit servers without deploying encryption payloads on Shell's internal network.

The incident was part of a much larger pattern of breaches. Other organizations concurrently listed on the data leak site and confirming impacts included UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druck, and Landal Greenparks. Numerous other entities, including Zellis (impacting the BBC, Boots, and Aer Lingus), the University of Rochester, the governments of Nova Scotia, Missouri, and Illinois, also disclosed breaches stemming from the same MOVEit vulnerability. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) was reported to be working with several U.S. federal agencies that had also been compromised, including two entities within the Department of Energy.

The attackers' methodology followed a pattern previously established in other attacks against managed file transfer solutions, including Accellion FTA and GoAnywhere MFT. In those prior incidents, the threat actors had demanded ransoms as high as $10 million to prevent the public leakage of stolen data. However, evidence from the GoAnywhere attacks suggested that the extortion operation was not highly successful, as many companies chose to disclose data breaches rather than pay the ransom. It was not publicly disclosed whether Shell or the other listed companies engaged in negotiations or paid any ransom demand to the Clop gang.

The consequences of the incident for Shell involved the potential exposure of sensitive data belonging to a limited number of employees and customers. The exact type and volume of data stolen from Shell were not detailed in public statements. In contrast, another victim, Landal Greenparks, disclosed that the threat actors had accessed names and contact information for approximately 12,000 guests, providing a reference point for the kind of personal information that may have been targeted in these attacks. The primary impact was the risk of this stolen information being publicly leaked, which could lead to secondary threats like targeted phishing campaigns against affected individuals.

The Clop gang made a specific claim regarding data stolen from government entities, stating they had automatically deleted any data belonging to military, children's hospitals, or government agencies. However, they provided no proof of this deletion, and as noted by security researchers, once data is stolen, there is no reliable method to verify if it has been truly destroyed. Therefore, all stolen data must be assumed to be at risk of exposure or misuse. This claim did not extend to corporate victims like Shell, whose data remained subject to the extortion threats.

The response from victim organizations varied. Some, like the University System of Georgia and UnitedHealthcare Student Resources, stated they were still investigating the attack and would disclose any confirmed breaches at a later time. German printing company Heidelberger Druck, while confirming its use of MOVEit Transfer, stated its analysis indicated the incident did not lead to a data breach. Shell's response was to confirm the impact and disclose its limited scope. The public listing of a company named Greenfield CA was subsequently removed from the leak site, indicating either a mistake by the threat actors or that negotiations had resulted in its removal. The incident underscored the significant supply chain risk posed by vulnerabilities in widely used third-party software platforms, where a single flaw can lead to a mass compromise across multiple industries and sectors simultaneously.
