Clop's MOVEit Campaign Affects Over 16 Million Individuals
Only 7% of Approximately 150 Affected Organizations Have Shared Count of Victims
More victims of the Clop ransomware group's supply chain attack against popular file transfer software MOVEit continue to come to light. Security experts say about 150 organizations now appear to have been affected by the attacks, which compromised the personal data of over 16 million individuals.
Recently named victim organizations include healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company and the universities of Georgia, Johns Hopkins, Missouri, Rochester and Southern Illinois.
While the exact victim count remains unknown, researchers who track both the victims Clop has posted to its data leak site - named there because they wouldn't pay a ransom - and the data breach notifications filed so far now count at least 148 known victim organizations. Only about 11 victim organizations have so far issued breach notifications that quantify the number of affected individuals, which collectively adds up to the theft of over 16 million individuals' personal details, Brett Callow, a threat analyst at Emsisoft, tweeted Thursday.
More victims may well still come to light. The slow drip of names is part of Clop's extortion tactics. "We leak names slowly to give big companies time to contact us," the gang says on its data leak site.
Clop's extortion demands are simple: Pay a ransom in exchange for a promise to delete the stolen data and your organization will not get named on the data leak site. How many organizations acceded to those demands remains unclear.
Clop began targeting a previously unknown vulnerability in Progress Software's popular MOVEit file transfer software around May 27 and May 28. "Internet-facing MOVEit Transfer web applications were infected with a specific malware used by CL0P, which was then used to steal data from underlying MOVEit Transfer databases," the U.S. Cybersecurity and Infrastructure Security Agency and the FBI reported in a joint alert earlier this month.
Progress identified and patched the SQL injection flaw, designated CVE-2023-34362, on May 31. Shortly thereafter, the firm found and patched two more zero-day vulnerabilities, which attackers don't appear to have exploited.
Whether its attack campaign will amount to much more than just a nuisance remains to be seen. Of course, affected organizations will have to pay to investigate the breach and notify victims.
So far, CISA Director Jen Easterly reports, the agency hasn't seen - and doesn't expect to see - any "significant impacts" from Clop's "opportunistic" campaign. "Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk," Easterly told reporters earlier this month.
Victims that have already come to light in the U.S. government include the departments of Energy and Agriculture as well as the Office of Personnel Management. At the state level, victims include Maryland's Department of Health and Human Services, Minnesota and New York City's departments of education, and Louisiana and Oregon, both of which reported that attackers had stolen information for residents who have been issued a driver's license or state ID. In Britain, communications regulator Ofcom said it was affected, and in Canada, the government of the province of Nova Scotia reported being hit.
Organizations that fell victim to the campaign include UCLA, Siemens Energy, Extreme Networks, consultancies EY and PwC, the American Board of Internal Medicine, gas and oil giant Shell, and U.S. financial services firms 1st Source and First National Bankers Bank.
British payroll provider Zellis reported being breached by Clop, resulting in the compromise of information for eight of its customers, including the BBC, the Boots pharmacy chain and British Airways.
Tennessee Consolidated Retirement System on Thursday reported it had been affected and that information on 171,836 retirees or their dependents had been exposed. The breach of TCRS data happened because third-party service provider PBI Research Services, which uses MOVEit, fell victim to Clop's campaign. Other affected PBI customers include Genworth Financial and California Public Employees' Retirement System, which manages the largest public pension fund in the U.S.
Clop claims, in grammatically broken English, to have deleted outright any data it stole from about 30 government agencies or contractors as part of the campaign, apparently to avoid making itself a national security target. "We are only financial motivated and do not care anything about politics," the group says on its data leak site.
The FBI and CISA are continuing to probe the attacks and assist victims. Bryan Vorndran, assistant director of the FBI's Cyber Division, has urged all organizations affected by the Clop campaign to alert the bureau if they have not already done so.