Cyber Incident Victim: Telos
Date: May 2023
Location: United States of America
Summary
Telos, a US defense contractor, suffered a data breach when threat actors exploited a zero-day vulnerability in the MOVEit file transfer service. The Russia-linked Cl0p ransomware gang downloaded information related to a limited number of the company's clients without authorization. The stolen data was subsequently listed on the gang's dark web leak site, though Telos did not engage with the threat actor or pay any ransom. The company notified affected clients and took its MOVEit platform offline upon being informed of the vulnerability.
Description
On or around May 31, 2023, Progress Software, the developer of the MOVEit Transfer application, informed Telos Corporation, a US defense contractor specializing in cybersecurity, of a critical vulnerability within the platform. Upon receiving this notification, Telos immediately took its MOVEit Transfer platform offline to prevent any further exploitation of the vulnerability. The company promptly engaged third-party cybersecurity experts to conduct a thorough investigation into the incident and determine the scope and impact of the vulnerability on its systems and data.

The investigation concluded that prior to the notification from Progress Software, attackers had successfully exploited the MOVEit zero-day vulnerability to gain unauthorized access to Telos’s MOVEit Transfer server. This exploitation resulted in the unauthorized downloading of information related to a limited number of Telos clients. The attackers responsible for this breach were identified as the Cl0p ransomware gang, a Russia-linked cybercrime syndicate also known by the names TA505, Lace Tempest, Dungeon Spider, and FIN11. This group has been operational since at least 2019 and operates under a Ransomware-as-a-Service (RaaS) model.
The Cl0p gang employed the MOVEit vulnerability to access and exfiltrate data stored on the secure file transfer service. The MOVEit zero-day flaw specifically affected MOVEit Transfer’s servers, allowing threat actors to access and download data stored within the system. As organizations like Telos used MOVEit to send and receive files from clients through secure channels, the exploitation provided the attackers with a vector to acquire sensitive information. Following the breach, the Cl0p gang listed Telos Corporation on its dark web leak site, a platform it uses to showcase its victims and pressure them into paying ransoms. This listing occurred around June 14, 2023, alongside other major corporations such as Shell Global and Norton LifeLock (Gen Digital). In a subsequent development, the Cl0p gang later removed Telos’s name from its list of victims. This act was potentially related to the gang’s publicly stated promise to delete any stolen data that belonged to government agencies, a category of entity that constitutes a significant portion of Telos’s client base.
Telos’s clientele includes prominent US government agencies and major defense contractors. Its customers include the US Department of Defense (DoD), the US Department of State, and Raytheon Technologies. The company provides highly sensitive systems and services to the US military, including cybersecurity equipment to support the Air Force’s communications architecture, support for weapons systems, and mission areas under Air Combat Command defensive cyber operations. The nature of this work means that a breach involving client data, even if limited, carries significant potential risk due to the sensitive government and enterprise customers involved.
Upon completing its investigation, Telos notified the affected clients about the data breach. The company committed to continuing its support for these clients in their response to the MOVEit attacks orchestrated by the Cl0p gang. Telos explicitly stated that it did not engage with the threat actor at any point during the incident. Furthermore, the company confirmed that it did not pay a ransom to the Cl0p gang, nor did any other entity pay a ransom on its behalf. This indicates a firm stance against complying with the extortion demands of the cybercriminals.
The broader MOVEit attack campaign impacted hundreds of organizations globally. Experts estimated that approximately 3,000 deployments of the MOVEit application were active at the time the vulnerability was first discovered, representing a large attack surface. The extent of data exposed in each individual breach varied depending on how each specific company utilized the file transfer system. For instance, another victim, Gen Digital (the parent company of Norton LifeLock), reported that the incident impacted the personal information of its employees and contingent workers, including details such as names, company email addresses, employee ID numbers, and, in limited cases, home addresses and dates of birth.
The Cl0p gang utilizes a double-extortion technique, which involves both stealing victim data and encrypting systems. They then threaten to publish the exfiltrated data on their leak site if a ransom is not paid. This group has a history of significant law enforcement intervention; in 2021, Ukrainian law enforcement executed several arrests and dismantled parts of the gang’s server infrastructure, forcing a temporary shutdown of operations from November 2021 to February 2022. Despite this setback, the gang had recovered and was actively conducting large-scale attacks by the time of the MOVEit vulnerability exploitation.
The incident at Telos is a specific instance within this widespread campaign. The primary impact was the unauthorized access and exfiltration of client data from the company’s MOVEit Transfer server. Telos’s response involved immediate containment by taking the vulnerable platform offline, a thorough investigation with external experts, and transparent communication with the clients whose data was compromised. The company’s public statements focused on the completed investigation, the limited scope of affected clients, and its refusal to negotiate with or pay the threat actors. The removal of Telos from Cl0p's leak site suggests that the gang may have followed through on its stated policy regarding government data, though Telos did not publicly confirm this. The event highlights the risks associated with third-party software vulnerabilities, even for cybersecurity companies that serve critical national security functions.
