Date:

May 2023

Location:

United States of America

Summary

Talcott Resolution Life Insurance Company was a victim of the Clop ransomware group's supply chain attack exploiting a vulnerability in the MOVEit file transfer software. This campaign impacted approximately 150 organizations and compromised the personal data of over 16 million individuals. The attackers infected internet-facing applications to steal data from underlying databases and used a data leak site to extort victims. The incident required a federal investigation and prompted breach notifications.

CIA Posture: available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 4 techniques (details available to members)
Threat Actors: 2 actors (type and location available to members)

Description

The Clop ransomware group began exploiting a previously unknown vulnerability in Progress Software's MOVEit Transfer file transfer software around May 27 and 28, 2023. The flaw, designated CVE-2023-34362, was a SQL injection vulnerability in the product's web application. The attackers used it to plant a web shell (tracked by CISA and the FBI as LEMURLOOT) on internet-facing MOVEit Transfer servers, and that web shell was then used to enumerate and exfiltrate data from the underlying MOVEit Transfer databases. Progress Software identified the flaw and issued a patch on May 31, 2023. Shortly after this initial patch, the company discovered and patched two further SQL injection vulnerabilities in the product, though there was no indication that these subsequent flaws had been exploited by attackers.
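The SQL injection class named above, shown as an added example that is not part of the original page and is not MOVEit Transfer's own code: a toy "list the files owned by this user" query written two ways against an in-memory SQLite database. The schema, file names, user names and password hashes are constructed for illustration only. The vulnerable version splices the caller-supplied owner into the SQL text; the hardened version binds it as a parameter. Two attacker-controlled inputs are run through both: a tautology that widens the WHERE clause, and a UNION that reads rows out of an unrelated table, which is the step that turns an injection into bulk data theft.

```python
import sqlite3

# Constructed sample data standing in for a file-transfer product's tables.
# The schema, rows and password hashes are invented for illustration and are
# not MOVEit Transfer's real schema.
SEED_FILES = [
    ("alice", "q2-report.xlsx"),
    ("alice", "payroll.csv"),
    ("bob", "contracts.pdf"),
]
SEED_USERS = [
    ("alice", "a1b2c3d4"),   # placeholder "hash", not a real credential
    ("bob", "e5f6a7b8"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SEED_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Untrusted input spliced into the SQL text: the SQL injection pattern."""
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """Parameterized query: the driver binds owner as data, never as SQL."""
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Two attacker-supplied "owner" values. The first makes every row match;
# the second appends a UNION that pulls rows out of a different table and
# comments out the trailing quote the application adds.
PAYLOAD_TAUTOLOGY = "bob' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username || ':' || pw_hash FROM users --"


def demo():
    """Run both payloads through both implementations and return the results."""
    conn = make_db()
    return {
        "legit": list_files_safe(conn, "bob"),
        "vulnerable_tautology": list_files_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "safe_tautology": list_files_safe(conn, PAYLOAD_TAUTOLOGY),
        "vulnerable_union": list_files_vulnerable(conn, PAYLOAD_UNION),
        "safe_union": list_files_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} {rows}")
```

Against the vulnerable function the tautology returns every file in the table and the UNION payload returns the contents of the users table; against the parameterized function both payloads are treated as a literal owner name that matches nothing, so they return no rows while the legitimate lookup still works. Parameterization is the fix; input filtering on its own is not, because the attacker controls the encoding and the database dialect's comment and string syntax, not the application.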


The campaign was a widespread supply chain attack that ultimately affected approximately 150 organizations. The personal data of over 16 million individuals was compromised. The attack method was opportunistic, focusing on any organization using the vulnerable software. The Clop group employed a clear extortion tactic: organizations that paid a ransom received a promise that their stolen data would be deleted and their name would not appear on the gang's data leak site. Those that did not pay were listed on the site, and their data was slowly leaked over time. The group stated on its leak site, "We leak names slowly to give big companies time to contact us." How many organizations chose to pay the ransom demand remained unclear.

The list of victim organizations was extensive and crossed multiple sectors, including government, education, healthcare, finance, and energy. Talcott Resolution Life Insurance Company was named as one of the recently identified victims. In the U.S. government, affected entities included the Department of Energy, the Department of Agriculture, and the Office of Personnel Management. Numerous state-level organizations were also impacted, including the Maryland Department of Health and Human Services, the Minnesota and New York City departments of education, and the states of Louisiana and Oregon, which both reported that information for residents with a driver's license or state ID had been stolen.

The education sector was heavily affected, with victims including the University of California, Los Angeles (UCLA), the University of Georgia, Johns Hopkins University, and the universities of Missouri, Rochester, and Southern Illinois. Major corporations were also affected, such as Siemens Energy, Extreme Networks, the oil and gas giant Shell, and the financial services firms 1st Source and First National Bankers Bank. The professional services firms EY and PwC were also compromised. Healthcare-related organizations, including the American Board of Internal Medicine and the healthcare software firm Vitality Group International, were named as victims.

A significant number of breaches occurred through third-party service providers. The Tennessee Consolidated Retirement System reported a breach affecting 171,836 retirees because their third-party service provider, PBI Research Services, which used MOVEit, fell victim to the campaign. Other customers of PBI included Genworth Financial and the California Public Employees' Retirement System (CalPERS), which manages the largest public pension fund in the United States. In the United Kingdom, the payroll provider Zellis was breached, leading to the compromise of information for eight of its customers, including the BBC, the Boots pharmacy chain, and British Airways.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert to detail the attack methodology and provide assistance. The FBI's Cyber Division assistant director, Bryan Vorndran, urged all organizations affected by the Clop campaign to alert the bureau if they had not already done so. The agencies continued to probe the attacks and assist victims. Despite the widespread nature of the incident, CISA Director Jen Easterly reported that the agency had not seen and did not expect to see any "significant impacts" from what it characterized as an "opportunistic" campaign. Easterly stated that the incident was not considered to pose a systemic risk on the level of the SolarWinds campaign.

The financial and operational impact on victim organizations was significant, as they were required to invest resources into investigating the breach, providing notifications to affected individuals, and mitigating the damage. The Clop group claimed to have deleted data stolen from approximately 30 government agencies or contractors, stating on its data leak site, "We are only financial motivated and do not care anything about politics," in an apparent attempt to avoid becoming a national security target. The grammatical errors in this statement were consistent with the group's typical communications. The full scope of the attack continued to be revealed over time as more organizations completed their investigations and issued public notifications.
