BBC, BA, Nova Scotia are among the first major victims worldwide

Adeyemi Adeyemi
Global Courant

US and UK cybersecurity officials have warned that a Russian cyber-extortion gang’s hack of a file transfer program popular among businesses could have widespread global impact. The first victims of data theft include the BBC, British Airways and the Government of Nova Scotia.

“This is possibly one of the most significant breaches in recent years,” said Brett Callow, an analyst at the cybersecurity firm Emsisoft. “We’ll have a better idea of how important it is as more details emerge about the number and type of organizations affected.”

The Cl0p ransomware syndicate announced on its dark web site late Tuesday that its victims — whom it suggests number in the hundreds — had until June 14 to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.

The exploited program, MOVEit, is widely used by companies to securely share files. Progress Software, the parent company of its American maker, warned customers about the breach on May 31 and released a patch. But cybersecurity researchers say dozens, if not hundreds, of companies will have had sensitive data quietly exfiltrated by then.

“There are bound to be organizations that don’t even know they’ve been affected yet,” said Caitlin Condon, senior manager of security research at cybersecurity firm Rapid7, noting that MOVEit is especially popular in North America.

“We have seen a wide range of organizations impacted by this attack across healthcare, financial services, technology, manufacturing, insurance, government and more,” Condon said via email, adding that more companies can be expected to disclose data theft, particularly “as regulatory reporting requirements come into play”.

Asked to confirm the identities of several reported victims, a Cl0p spokesperson responding to an Associated Press email inquiry said, “We have not yet examined the company files, as you can see on our site; we have given companies the ability to decide on their privacy before our actions.”

Zellis, a leading provider of payroll services in the UK serving British Airways, the BBC and hundreds of others, was one of the affected users. Zellis said Monday that a “small number” of its customers were affected by what cybersecurity professionals call a supply chain breach because compromising a single software vendor can have such a big impact.

“We have notified colleagues whose personal information has been compromised to provide support and advice,” British Airways said in a statement.

The BBC, which employs about 22,000 people worldwide, said it was working with Zellis to determine the extent of the breach. The broadcaster said in an email sent to all UK employees and freelancers on Monday that details including dates of birth, social security numbers and home addresses have been released. But it said the bank account details had apparently not been compromised and there was “no evidence that the data was misused”.

British drugstore chain Boots, which employs more than 50,000 people, also said it had notified staff of the hack.

The Nova Scotia government on Sunday confirmed it was one of the victims, saying some residents’ records had been made public. The Canadian province’s health authority uses MOVEit to share sensitive and confidential information.

The University of Rochester released a statement last Friday suggesting it was one of the victims, but a spokesperson, Sara Miller, would not confirm it was using MOVEit or discuss what data was stolen.

‘Extremely sensitive data’

“What’s troubling about MOVEit is that it’s used almost exclusively by corporate organizations to share extremely sensitive data with each other,” said Jared Smith, a threat analyst at cybersecurity firm SecurityScorecard. Essentially, these are companies that don’t consider Dropbox or Google Drive safe enough for their business.

And that specifically means the kind of sensitive data that “adds more fuel to the fire of the already existing identity theft ecosystem,” said Alex Heid, chief research officer at SecurityScorecard.

The company discovered 2,500 vulnerable MOVEit servers at 790 organizations, including 200 government agencies. Smith said it was not possible to break down those agencies by country. It was not known how many vulnerable MOVEit servers were hacked.

As early as March 29, the hackers were actively searching for targets, penetrating them and stealing data, Smith said.

Cl0p is one of the world’s most prolific cybercrime syndicates, and this isn’t the first time it has breached a file transfer program to gain access to data it could then use to extort companies. Other examples include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.

In a joint advisory released Wednesday, the US Cybersecurity and Infrastructure Security Agency and the FBI say Cl0p is estimated to have “compromised more than 3,000 US-based organizations and 8,000 global organizations.”

“Because of the speed and ease (with which it) has exploited this vulnerability and based on their previous campaigns, the FBI and CISA expect widespread exploitation of unpatched software services in both private and public networks.”

Cl0p claims it is not extorting governments, cities or police stations, but cybersecurity experts say this is likely a tactic to avoid direct conflict with law enforcement and that the financially motivated gang cannot be trusted to keep its promise to wipe data that has been stolen from those targets.
