Cyber Incident Victim: KK
Date: Jun 2023
Location: United States of America
Summary
A ransomware gang exploited a critical vulnerability in the MOVEit Transfer file-sharing tool to conduct mass hacks against numerous organizations. Victims included banks, universities, government entities, and major corporations across multiple countries. The attackers exfiltrated substantial amounts of sensitive data, including personal, financial, and health information. The gang publicly listed victims on its dark web leak site and demanded they make contact to prevent the publication of the stolen data. The incident's full scope was believed to be extensive, with many more victims expected to be identified.
Description
On or around May 31, 2023, the Russia-linked ransomware gang known as Clop began exploiting a critical security vulnerability in Progress Software’s MOVEit Transfer application, a popular corporate tool used for sharing large files over the internet. This exploitation activity followed the public disclosure and patching of the vulnerability by Progress Software, though the compromise of customer systems had already occurred. The gang’s campaign constituted a mass-hack targeting the numerous organizations globally that utilized the file transfer software. The initial wave of attacks was not immediately public, as the threat actors silently exfiltrated data from vulnerable systems without deploying ransomware or immediately contacting victims.

The incident entered a new phase on June 14, 2023, when Clop posted a message on its dark web leak site, listing the first batch of organizations it claimed to have successfully hacked. This list served as a public confirmation of the breaches and initiated a blackmail process. Unlike its typical modus operandi, Clop did not proactively contact the listed victims to demand a ransom. Instead, the public message instructed the affected organizations to initiate contact with the gang before a stated deadline of June 14. The message claimed the gang had downloaded "alot of your data" but, at the time of reporting, no stolen data had been published.

The initial victim list included a diverse range of sectors and geographies, highlighting the widespread impact of the campaign. U.S.-based financial institutions 1st Source and First National Bankers Bank were named, alongside Boston-based investment firm Putnam Investments. European entities were also affected, including the Netherlands-based vacation park operator Landal Greenparks, U.K. energy giant Shell, and Swiss insurance company ÖKK. Educational and non-profit organizations were heavily represented, with the University System of Georgia (USG), the educational non-profit National Student Clearinghouse, and student health insurance provider United Healthcare Student Resources all appearing on the list. Other named victims included financial software provider Datasite and American manufacturer Leggett & Platt. GreenShield Canada, a non-profit health benefits carrier, was initially listed but was later removed from the leak site, though the reason for its removal was not disclosed.

The public listing of victims prompted a series of responses and confirmations from the affected organizations. A spokesperson for the University System of Georgia stated the institution was “evaluating the scope and severity of this potential data exposure” and indicated that notifications would be issued to affected individuals if necessary, in compliance with federal and state law. Heidelberg, a German mechanical engineering company, confirmed its mention on the Clop leak site but characterized the incident as one connected to supplier software that occurred a few weeks prior. A company spokesperson stated the incident was “countered fast and effectively” and that, based on their analysis, it “did not lead to any data breach.” Many other listed victims did not provide immediate public statements in response to the listing.
Concurrently, it was revealed that numerous other organizations had already disclosed compromises related to the same MOVEit vulnerability prior to Clop’s public shaming. These victims were primarily compromised through supply-chain attacks. HR and payroll software supplier Zellis confirmed its MOVEit system was compromised, which in turn impacted its customers, including the BBC, Aer Lingus, and British Airways. The Government of Nova Scotia, which used MOVEit to share files across departments, confirmed it was affected and stated that some citizens’ personal information may have been compromised. In a notable message on its leak site directed at certain public sector entities, Clop claimed, “if you are a government, city or police service… we erased all your data.”
Following the initial victim listing, new organizations continued to come forward to confirm their involvement in the incident. Johns Hopkins University confirmed a cybersecurity incident believed to be related to the MOVEit mass-hack, stating the breach “may have impacted sensitive personal and financial information,” including names, contact details, and health billing records. The U.K.’s communications regulator, Ofcom, confirmed that hackers had accessed some confidential information, including data about the companies it regulates and the personal information of 412 Ofcom employees. According to other news reports, Transport for London (TfL), the body responsible for London’s transport services, and global consultancy firm Ernst and Young were also impacted. The full extent of the attacks remained unknown, with researchers noting that thousands of MOVEit servers, most located in the United States, were still discoverable on the internet, suggesting the number of victims was likely to grow in the coming days and weeks.
Further analysis of the attack timeline indicated that Clop’s exploitation efforts may have begun much earlier than late May 2023. American risk consulting firm Kroll reported that while the vulnerability was publicly disclosed in late May, its researchers had identified activity suggesting Clop was experimenting with ways to exploit this specific vulnerability as far back as 2021. This finding pointed to a prolonged period of reconnaissance and planning by the threat actors, illustrating a sophisticated approach to the mass exploitation event. This incident was not Clop’s first foray into mass attacks on file transfer systems; the group was also responsible for previous campaigns that exploited flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.

The consequences of the MOVEit incident were primarily the potential exposure of vast quantities of sensitive data. The types of data at risk included personally identifiable information, financial records, health information, and confidential corporate or governmental data. The primary response action from victims involved initiating internal investigations to determine the scope of the data exposure, with many committing to provide notifications to affected individuals as required by law. Containment efforts involved applying the available software patches and securing vulnerable systems, though for many organizations these measures were implemented after the initial compromise had already taken place.
