
Cyber Incident Victim: 1st Source Bank

Date: May 2023

Location: United States of America

Summary

The Clop ransomware gang exploited a critical vulnerability in the MOVEit Transfer file transfer tool to compromise 1st Source and numerous other organizations. The gang listed the financial services firm on its dark web leak site, claiming to have downloaded a significant amount of its data. The incident was part of a widespread mass-hack affecting entities across multiple sectors, including banking, education, and government services.


Description

On or around May 1, 2023, the Russia-linked ransomware gang known as Clop began exploiting a critical security vulnerability in the MOVEit Transfer file transfer tool, a popular application used by corporations and enterprises to share large files over the internet. This mass exploitation campaign followed a period of reconnaissance, with researchers from the American risk consulting firm Kroll later reporting that Clop may have been experimenting with ways to exploit this particular vulnerability as far back as 2021. The sophisticated planning and knowledge behind this activity indicated a prolonged period of preparation prior to the widespread attacks commencing in May. The developer of the MOVEit software, Progress Software, became aware of the flaw and subsequently issued a patch; however, this corrective action was not deployed before a significant number of its customers had already been compromised by the threat actors.


The initial wave of compromises affected a diverse range of organizations globally. Among the early victims were the BBC, Aer Lingus, and British Airways. These entities were impacted indirectly through their reliance on the HR and payroll software supplier Zellis, which confirmed that its own MOVEit system had been successfully breached by the attackers. The Government of Nova Scotia, which utilized MOVEit to share files across its various departments, also confirmed it was affected and stated that the personal information of an unknown number of its citizens may have been compromised as a result of the intrusion. This pattern of attacks demonstrated the broad and cascading impact of exploiting a single point of failure within a widely used third-party software product.

In a departure from its typical ransomware operations, Clop did not immediately initiate contact with the organizations it had hacked to demand a ransom payment. Instead, on June 14, 2023, the gang posted a blackmail message on its dark web leak site. This message instructed victim organizations to contact the gang directly before a specified deadline. Following this deadline, on June 15, Clop began listing the first batch of organizations it claimed to have successfully hacked by exploiting the MOVEit flaw. This public listing served as a form of extortion, pressuring victims to negotiate. The published victim list included numerous U.S.-based financial services organizations, including 1st Source. Other named victims included First National Bankers Bank, the Boston-based investment management firm Putnam Investments, the Netherlands-based Landal Greenparks, and the U.K.-based energy giant Shell. Additional entities listed were the financial software provider Datasite, the educational non-profit National Student Clearinghouse, student health insurance provider United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, and the University System of Georgia.

The public listing of 1st Source on Clop's leak site confirmed its status as a victim of this campaign. The gang claimed to have downloaded "alot [sic] of your data" from the listed organizations. At the time the list was published, no stolen data from 1st Source or the other named victims had been publicly released. The gang's message included a specific note for government and police services, claiming, "we erased all your data," though the veracity of this claim could not be independently confirmed. Some organizations, such as GreenShield Canada, a non-profit benefits carrier, were initially listed but were later removed from the leak site, suggesting potential behind-the-scenes negotiations may have been occurring.

In response to being listed, affected organizations began to assess the damage and issue statements. A spokesperson for the University System of Georgia stated that the university was "evaluating the scope and severity of this potential data exposure" and noted that notifications would be issued to any affected individuals if necessary, consistent with federal and state law. Other listed victims did not immediately respond to requests for comment. A spokesperson for the German mechanical engineering company Heidelberg, which was also listed, confirmed the company was aware of its mention on Clop's site and characterized the incident as one connected to a supplier software that occurred a few weeks prior. The spokesperson stated the incident was "countered fast and effectively" and, based on their analysis, did not lead to any data breach, presenting a contrast to the gang's claims.

As the incident unfolded throughout June, new victims continued to come forward and disclose their involvement. Johns Hopkins University confirmed a cybersecurity incident it believed was related to the MOVEit mass-hack. The university stated the breach "may have impacted sensitive personal and financial information," including names, contact details, and health billing records. The U.K.'s communications regulator, Ofcom, also confirmed that confidential information had been compromised. Its statement detailed that hackers had accessed data about the companies it regulates, in addition to the personal information of 412 Ofcom employees. According to other news reports, Transport for London (TfL), the government body responsible for the city's transport services, and the global consultancy firm Ernst and Young were also impacted. The full extent of the attacks remained unknown, with researchers noting that thousands of MOVEit servers, most located in the United States, were still discoverable on the internet, suggesting that further compromises might yet be revealed. This incident was part of a pattern of mass attacks perpetrated by the Clop gang, which had previously exploited flaws in other file transfer tools, including Fortra's GoAnywhere and Accellion's file transfer application.
