👀 Ones to watch: The MOST undervalued stocks to buy right nowSee Undervalued Stocks

Factbox-Who is behind the sweeping MOVEit hack?

Published 06/27/2023, 02:34 PM
Updated 06/27/2023, 08:12 PM
© Reuters. FILE PHOTO: A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel
SCHN
-
GOOGL
-
RDSa
-
SONY
-
GOOG
-

By Raphael Satter

(Reuters) - The cl0p ransomware gang is claiming a new set of victims from its hack of the MOVEit file transfer protocol, taking credit on Tuesday for having stolen data from the University of California, Los Angeles, Siemens Energy, Abbvie Inc and Schneider Electric (EPA:SCHN), among others.

The total number of recent victims from the online extortion ring has reached 121 organizations, according to Brett Callow, whose cybersecurity company Emsisoft helps companies respond to digital shakedown attempts. He said that at least 15 million people were affected.

Here's what is known about cl0p and its recent rampage.

Who are the hackers?

Cl0p's identity and location are not publicly known. But security researchers say the group is Russia-linked or Russian-speaking and its name could be a play on the Russian word for "bug." In 2021, Ukrainian authorities announced the arrests of six people tied to cl0p, but it's not clear that they were core members of the group, which continued to hack victims.

Cl0p is a ransomware-as-a-service gang, meaning that it hires out its software and infrastructure for other cybercriminals in return for a cut of the proceeds.

The group helped pioneer the practice of double-extortion, where cybercriminals take files hostage by encrypting them - then threaten to leak them online unless a payment is made. Japanese cybersecurity firm TrendMicro described cl0p as "a trendsetter for its ever-changing tactics."

The hackers - who sometimes spell their name "CLOP" - didn't immediately return an email seeking comment.

How did they rack up so many victims?

Cl0p was able to take advantage of a previously undiscovered flaw in a popular file transfer program - MOVEit Transfer - to steal data from a wide swathe of organizations, some of whom in turn were handling data belonging to yet more organizations.

Plundering file transfer protocols has become increasingly popular as hackers shift from encrypting data to simply stealing files and threatening to release them unless a ransom is paid.

If a victim doesn't pay, cl0p posts their identity to its darknet site - a name-and-shame tactic that has been playing out over the past several weeks.

Who has been affected?

Publicly claimed victims include entertainment company Sony (NYSE:SONY), major accounting firms EY and PWC, energy giant Shell (LON:RDSa) PLC and leading U.S. pension fund Calpers.

Government departments - including the U.S. Energy Department and the U.K. telecom regulator - have also been hit.

Many of the organizations stress that the target of the hack is the file transfer service, not their systems. But because their data is nonetheless stolen, it's little comfort to citizens, employees, clients and business partners whose information has been compromised.

It was working from public disclosures that Brett Callow of Emsisoft came up with the figure of 15 million individuals affected. But he said the true number was "likely much higher - and possibly much, much higher."

What's being done to stop them?

The wide-ranging and often indirect nature of the compromises has meant an avalanche of work for law enforcement and cybersecurity professionals.

"Everyone is overwhelmed," said Charles Carmakal, the chief technology officer at Mandiant, which was recently acquired by Alphabet (NASDAQ:GOOGL) Inc. In a message to LinkedIn he said that even the hackers were struggling with the workload.

© Reuters. FILE PHOTO: A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/File Photo

"The past few weeks have been intense," he said.

The FBI said it was "aware of and investigating the recent exploitation of a MOVEit vulnerability by malicious ransomware actors." Earlier this month the U.S. government announced a $10 million reward for information linking cl0p - or any other hacking groups targeting American critical infrastructure - to foreign governments.

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.