Cyber Incident Victim: Ofcom

Date:

May 2023

Location:

United Kingdom

Summary

The UK communications regulator Ofcom suffered a cyberattack where hackers exploited a vulnerability in the MOVEit file transfer tool. Confidential information on companies it regulates was downloaded, along with personal data belonging to 412 of its employees. The incident was part of a wider global campaign attributed to the Clop ransomware group, which has impacted numerous organizations. The regulator took immediate action to prevent further use of the service and alerted all affected companies.

Description

On May 29, 2023, Britain’s communications regulator Ofcom announced that it had fallen victim to a cyberattack. The incident involved the exploitation of a vulnerability within the MOVEit file transfer tool, a product widely used for secure data transfers. A spokesperson for Ofcom confirmed the organization was one of many affected globally by this specific MOVEit cyberattack. The attackers successfully downloaded a limited amount of confidential information. This compromised data pertained to certain companies regulated by Ofcom and included commercially sensitive details. In addition to the corporate data, personal information belonging to 412 Ofcom employees was also exfiltrated during the attack.

The attack was attributed to the ransomware group known as Clop. Microsoft had previously issued warnings that this group was behind attempts to exploit the vulnerability in the MOVEit software. Following the attack, Clop published an extortion note claiming responsibility for compromising hundreds of businesses. The group issued a threat, warning victims that they must proactively contact the gang to negotiate a ransom payment. A deadline of June 14 was set; if organizations did not make contact by that date, Clop threatened to name them publicly on the group's extortion website. This public shaming and extortion tactic is a common practice for the group.

The scale of the global incident was significant, extending far beyond Ofcom. Security researchers had identified more than 2,000 instances of the MOVEit Transfer tool exposed to the public internet in the days following the vulnerability's disclosure. The majority of these exposed instances were located within the United States. Within the United Kingdom, 128 instances of the software were found to be internet-facing. The number of companies ultimately impacted by the campaign was believed to be much higher than the number of exposed instances, as a single compromised organization using MOVEit could affect multiple downstream customers.

This downstream effect was clearly demonstrated through the compromise of Zellis, a UK-based payroll services provider. Zellis was identified as a victim of the same MOVEit exploitation campaign. Because Zellis held payroll data for numerous other companies, its breach led to the compromise of at least four major businesses operating in Britain and Ireland. These confirmed affected organizations included the BBC, British Airways, Boots, and Aer Lingus. The breach at Zellis showed how an attack on a single service provider could have a cascading effect across an entire supply chain, amplifying the overall impact of the initial vulnerability.

In response to the incident, Ofcom took immediate action to prevent further unauthorized access and data loss. The organization halted further use of the MOVEit service entirely. It then implemented the security measures recommended by the software vendor to mitigate the vulnerability. Ofcom also undertook swift notification procedures, alerting all the Ofcom-regulated companies whose information had been downloaded by the attackers. Internally, the regulator offered support and assistance to its 412 employees whose personal data was taken. A spokesperson stated that Ofcom takes the security of commercially confidential and sensitive personal information extremely seriously.

Concurrently, the software company Progress, the developer of the MOVEit tool, was actively responding to the discovery of vulnerabilities within its product. The company had initially released patches for the first vulnerability that was being exploited. However, in the week following the initial disclosures, Progress announced the discovery of a second, new vulnerability affecting the MOVEit software. This led to further announcements of breaches and required additional patching and mitigation efforts from its customer base, complicating the response for many organizations already dealing with the initial attack. The incident underscored the ongoing challenges faced by software vendors and their customers in responding to critical vulnerabilities under active exploitation by sophisticated threat actors. The full extent of the data exfiltrated from Ofcom and the ultimate consequences of its theft were not fully detailed in the immediate aftermath of the announcement.
