Cyber Incident Victim: Kirkland & Ellis LLP
Date: Jan 2021
Location: United States of America
Summary
A Russia-linked cybercrime group exploited a zero-day vulnerability in a managed file transfer product to compromise data from over 130 organizations, including a major law firm, affecting millions of individuals. The Cl0p ransomware operators claimed sole access to the exploit, exfiltrated sensitive information without deploying encryption malware, and, after extortion attempts failed, publicly listed entities such as Kirkland & Ellis on their leak site, while claiming to have deleted government data because their motives were purely financial.
Description
The MOVEit hack, attributed to the Russia-linked Cl0p ransomware group, exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer managed file transfer (MFT) solution, impacting over 130 organizations and compromising the personal information of more than 15 million individuals by late June 2023. Cl0p claimed exclusive knowledge of the vulnerability prior to its patching and asserted it had targeted numerous entities through the flaw, which it may have tested as early as 2021. The group adopted a strategy of publicly naming victims who refused to pay ransoms or negotiate, listing over 60 organizations on its leak site, including major corporations like Shell, Siemens Energy, Schneider Electric, Sony, and AbbVie, alongside professional services firms EY and PwC. Law firms Kirkland & Ellis and K&L Gates were also added to Cl0p’s leak site, though specific details regarding the extent of their data exposure or breach timelines were not publicly disclosed in available reports. Siemens Energy and Schneider Electric confirmed they were targeted, while EY acknowledged the incident and stated it was investigating potential data access, emphasizing that most of its global systems using MOVEit remained uncompromised. UCLA admitted attackers exploited the vulnerability to access its MOVEit platform but clarified the incident did not involve ransomware deployment or broader campus system compromises, and it notified affected individuals.

The attack’s scope extended beyond private sector entities, impacting over a dozen government organizations, including the US Department of Energy, the Health Department, the New York City Department of Education, and the Oregon DMV. Cl0p, however, claimed to have deleted data from more than 30 government-related organizations, asserting a purely financial motivation and disinterest in retaining such data. The incident highlighted the widespread reliance on MOVEit Transfer for sensitive data handling, with compromised organizations facing operational disruptions, reputational damage, and regulatory scrutiny. Brett Callow, a threat analyst at Emsisoft, tracked 138 confirmed victim organizations by June 29, 2023, with expectations of rising numbers as investigations continued. While some entities like Shell experienced confirmed data leaks, others, including Kirkland & Ellis, faced public exposure on Cl0p’s site without detailed confirmation of data exfiltration or specific response measures. The attackers’ focus on extortion rather than data encryption or destruction marked a shift in tactics, leveraging stolen data for financial gain while avoiding traditional ransomware payloads.
