BBC, Boots and British Airways: The Biggest Data Breaches in Britain

May 20, 2024

June got off to a rocky start for several high-profile companies across the UK. Boots, a health, beauty, and pharmacy retailer, national carrier British Airways, and national broadcaster the BBC are among a string of businesses targeted by a group of hackers.

The threat actors, known as Clop, are responsible for numerous hacks over the last few years, and have demanded payment from the victims of their latest attack. With pension data, banking details, and personal information being exploited, tens of thousands of people in the UK have been left panic-stricken and at risk of fraud. 

Despite numerous data compliance laws and regulations and promises from companies that user data is secure, threat actors are still able to exploit vulnerabilities and compromise accounts.

Here’s what we know about the data breach and the threat actors: 

The Data Breach: An Overview

Two national corporations and one of the UK’s biggest retailers have been delivered an ultimatum: money in exchange for user data pilfered from their databases. The BBC, British Airways, and drugstore chain Boots were all part of a major data breach executed by a cybercrime group known as Clop. Using the dark web, the group posted its demand for a ransom payout, failing which it promised to release the stolen data.

The companies involved were not directly targeted; rather, Clop exploited vulnerabilities in MOVEit, third-party file transfer software used by corporations.

Who is behind the attack?

According to Microsoft, the threat actors responsible were identified through their use of a ransomware strain called Clop, which is also the name of the leak site where user data is released if victims fail to pay.

According to industry reports, Clop is one of the most active threat actor groups in the world, with one hack in 2023 impacting over 65 million people.

Secureworks, a US cybersecurity firm, said the people behind Clop are Russian-speaking and possibly based in Russia or members of the Commonwealth of Independent States (CIS) – the grouping of former members of the USSR that includes Belarus, Kazakhstan, and Moldova.

“It’s a Russian-speaking organized cybercrime gang, not necessarily all based in Russia, although likely to be in Russia or CIS countries,” said Rafe Pilling, a director for threat research at Secureworks.

What is the gang demanding?

In a message in broken English posted on the Clop dark web site and addressed “Dear Companies”, the group said that for companies who use MOVEit the “chance is that we download a lot of your data as part of an exceptional exploit.”

It goes on to ask that users of MOVEit software contact the group via a pair of provided email addresses, which will prompt the sending of a chat URL that will be used — over an anonymized browser network — to start negotiations. The deadline for doing this is 14 June, they say, or else “we will post your name on this page.”

The group indicates that non-compliant hack victims will start to have their data published around 21 June, stating that “after 7 days, all your data will start to be [published]”.

If an organization gets in touch, they will be shown proof the gang has their data, and they will have three days to “discuss price” for deleting that data. The message does not contain a price list or a means of payment.

How did the attack happen?

This was not a conventional ransomware attack, where a gang accesses a victim’s IT networks, effectively locks up their computers via a piece of malicious code, and then demands payment to restore access or delete/hand back data stolen during the attack. Instead, this was an attack that exploited a previously unknown flaw in MOVEit and allowed the gang to extract data undetected without locking up the victims’ networks. Such a flaw is known as a zero-day vulnerability because of the lack of time between the discovery of the weakness and its exploitation by attackers.

According to Secureworks, the MOVEit attack appears to have been carried out by a dedicated team within the group that specializes in attacking secure file transfer software. Similar attacks on file transfer infrastructure have been linked to the group.

Not every victim was a direct user of MOVEit. One of the affected companies was Zellis, which provides outsourced payroll services to third parties. As a result, many Zellis customers had their employees’ personal data stolen in the attack.

Should the victims pay?

The British and US governments strongly advise against paying cyber ransoms. Last year the UK’s data watchdog and National Cyber Security Centre wrote to legal professionals in England and Wales stressing that law enforcement did “not encourage” the payment of ransoms, although payments were not usually unlawful. It is illegal to pay ransoms if the affected entity knows or has reason to suspect the proceeds will be used to fund terrorism.

In the US, payment of ransoms is discouraged by the government, but an advisory note from the US Treasury in 2020 emphasized this was “explanatory only” and did “not have the force of law.” Unlike conventional ransomware attacks, where victims are able to verify whether they have restored access to data after paying the ransom, for “hack and leak” attacks, those who do pay the ransom have to take it on trust their attacker has deleted the data as promised.

In its ransom note to victims, Clop promises not to betray them any further. “Our team has been around for many years. We have not even one time not done as we promised. When we say data is deleted, it is because we show video proof. We have no use for a few measly dollars to deceive you.” [These quotes were edited for readability.]

What should affected individuals do?

“Given the detail of the leaked information, even including banking details, fraud is one of the biggest risks to affected customers right now,” said Nick Guite of the cybersecurity experts SysGroup.

“This information is often sold on the dark web or in databases to criminal groups. They can then use it for identity theft, cloning, or malicious phishing attacks to gain even more personal information.

“If your company uses Zellis or has in any way been impacted by this breach, I’d highly recommend contacting an expert. Also, updating passwords and being vigilant for unexpected emails or phone calls will be important.”

Concluding Thoughts

Data breaches shake the confidence of customers and cause a major loss of trust in institutions that are unable to protect their data. Of particular concern is the fact that pension data was released. This is incredibly sensitive information, and its exposure caused panic among over 20,000 people.

Threat actors like Clop hack companies and try to extort money from their victims. Alternatively, they try to sell the data on the dark web. In this particular hack, they exploited vulnerabilities in the file transfer software MOVEit, compromising the organizations that rely on it.

Customers are urged not to engage with threat actors or comply with their demands, but this isn’t enough to help customers feel secure. The best course of action, according to experts, is to change passwords and remain vigilant, as their personal information is now at risk of being used for fraud.

Last year, Clop targeted 16 million people, and with this latest breach, there seems to be no end to their hacking reign of terror.