Cyber Incident Victim: Cognizant Technology Solutions
Date: May 2023
Location: United States of America
Summary
The Cl0p ransomware group exploited a zero-day vulnerability in Progress Software's MOVEit file transfer application to compromise Cognizant and numerous other major organizations. The group claimed to have stolen data from hundreds of companies and began listing victims who refused to pay a ransom on its leak site. Cognizant was among the entities named, though the specific operational or data impact on the company was not detailed in public statements.
Description
On or around May 30, 2023, the Cl0p ransomware group initiated a widespread campaign exploiting a zero-day vulnerability in Progress Software’s MOVEit managed file transfer software. The group claimed to have exploited this vulnerability to access the files of hundreds of organizations utilizing the MFT product. The cybercriminals asserted they were the sole group to have exploited the zero-day before it was patched and that they were the only ones in possession of the data stolen during the attack. Some evidence indicated that the attackers had known about this MOVEit vulnerability since 2021, but the mass exploitation of it did not commence until late May 2023.

France-based automation and energy management giant Schneider Electric was among the major corporations impacted by this campaign. The company stated it became aware of the MOVEit software zero-day on May 30, 2023. Upon discovery, Schneider Electric promptly deployed mitigations to secure its data and infrastructure in response to the immediate threat. Subsequently, on June 26, 2023, Schneider Electric was made aware of a claim by the Cl0p group that it had been a victim of a cyberattack related to the MOVEit vulnerabilities. The company's cybersecurity team initiated an investigation into this claim following its public disclosure by the threat actors.
Germany-based Siemens Energy, a spinoff of Siemens’ energy business, was also confirmed as a target in the same MOVEit attack campaign. The company was named on the Cl0p ransomware group's leak website alongside Schneider Electric during the week of June 28, 2023. Siemens Energy acknowledged it was among the targets and stated that it took immediate action in response to the incident. The company's analysis concluded that no critical data had been compromised and that its operations were not affected as a result of the attack.
The Cl0p group employed a tactic of publicly naming alleged victims on its dedicated leak website, adding pressure on organizations to pay a ransom. Throughout the campaign, the group listed numerous major organizations, including Sony, EY, PwC, Cognizant, AbbVie, and UCLA. At the time it was reported as unclear whether every named organization had actually been compromised through the MOVEit vulnerability specifically. The energy giant Shell was also named and confirmed it had been targeted; the attackers began leaking data allegedly stolen from Shell. The group claimed to have deleted all data obtained from government and government-related entities, stating a purely financial motivation and explicitly noting they "do not care about politics." Data from more than 30 such government organizations was allegedly deleted by the attackers.
The incident response for many organizations followed a pattern of initial patching and mitigation upon the vulnerability's public disclosure, followed by investigation into claims of data exfiltration after being named by the threat actors. The public confirmation of impact often came only after an organization was listed on the Cl0p leak site. The primary impact of the incident was the potential compromise and exfiltration of data stored on MOVEit transfer systems, leading to the threat of public data leakage. The consequences included potential reputational damage and the financial pressure of a ransom demand, though specific details regarding data types and volumes were not publicly disclosed for all victims. The operational impact for confirmed victims like Siemens Energy was reported as minimal, with no disruption to business functions. The broader campaign was notable for the scale of its impact across multiple industry sectors, including energy, professional services, healthcare, and entertainment.
