
Cyber Incident Victim: K&L Gates LLP

Date: Jun 2023

Location: United States of America

Summary

A major cyber incident impacted the law firm K&L Gates through the exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer file transfer product. The Russia-linked Cl0p ransomware group claimed responsibility for the attack, which compromised data from numerous organizations. The group listed the firm on its data leak website after allegedly stealing information. The breach is part of a wider campaign affecting millions of individuals and over a hundred organizations.


Description

The MOVEit incident, attributed to the Russia-linked cybercrime group known for operating the Cl0p ransomware, exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer product. The attack campaign, which was actively monitored by cybersecurity firm Emsisoft, resulted in the compromise of data belonging to a significant number of organizations that used the file transfer solution. By June 29, 2023, threat analyst Brett Callow was aware of 138 confirmed impacted organizations, with the personal information of more than 15 million individuals compromised. These figures were expected to rise as more victims continued to be identified.

The Cl0p group claimed responsibility for the attack, asserting it was the sole threat actor with knowledge of the MOVEit zero-day exploit prior to its patching. The group claimed to have targeted numerous organizations and initiated a process of publicly naming those entities that refused to pay a ransom or engage in negotiations. Over sixty organizations were listed on the group's leak site. This list included major corporations and institutions such as the energy giant Shell, from which data had already been leaked. Other named entities included Siemens Energy, Schneider Electric, the University of California, Los Angeles (UCLA), Sony, Ernst & Young (EY), PricewaterhouseCoopers (PwC), Cognizant, and AbbVie. The law firms Kirkland & Ellis and K&L Gates were also added to Cl0p’s leak website, confirming their status as victims.

Several of the named organizations confirmed their involvement in the incident. Siemens Energy and Schneider Electric both verified to SecurityWeek that they had been targeted. EY also confirmed it was targeted and stated an investigation into the incident was underway. In an emailed statement, the financial services giant said, "We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised. We are manually and thoroughly investigating systems where data may have been accessed." EY noted its priority was to communicate with those impacted, as well as the relevant authorities, and that its investigation was ongoing.

UCLA admitted the vulnerability had been exploited to gain access to its MOVEit platform. The university notified impacted individuals but clarified it did not consider the event a ‘ransomware incident’, likely because file-encrypting malware was not deployed in the attack. UCLA also noted there was no evidence of other campus systems being affected beyond the MOVEit platform.

The scope of the attack extended beyond the corporate world to include government entities. Emsisoft’s monitoring indicated over a dozen government organizations were caught up in the incident. These included the US Department of Energy, the Health Department, the New York City Department of Education, and the Oregon Department of Motor Vehicles. Nevertheless, the Cl0p group made a public claim on its website that it had deleted data obtained from more than thirty government and government-related organizations. The group stated it was not interested in such entities and emphasized that its motivation for the attacks was purely financial.

The attackers claimed to have been testing the vulnerability since 2021, suggesting a prolonged period of reconnaissance prior to the widespread exploitation campaign. The exploitation of the zero-day allowed the group to gain access to the file transfer systems of victim organizations, exfiltrating large volumes of data for extortion purposes. The typical deployment of file-encrypting ransomware did not occur; instead, the operation followed a data theft and extortion model, threatening to release stolen information unless payment was made.

The confirmed impacts were vast, affecting millions of individuals whose personal information was stored on the compromised MOVEit Transfer servers. The response from victim organizations largely involved initiating investigations, assessing the scope of the data breach, and beginning the process of notifying affected individuals and relevant regulatory authorities. Containment efforts focused on applying the available patch from Progress Software and conducting manual reviews of systems to determine where data may have been accessed. The long-term consequences involved significant operational disruption, potential regulatory fines, and the financial and reputational costs associated with a major data breach. The incident represented one of the most widespread cyber campaigns of the year, leveraging a single vulnerability to compromise a large cross-section of global enterprises and institutions.
