Ransomware gang haunted US firms long before MOVEit hack


Cybercrime experts say they first came to know of the group’s malware in 2019, when it launched a phishing campaign as part of a series of ransomware attacks against Korean companies and US academic institutions. — Dreamstime/TNS

Shell Plc, IAG SA’s British Airways, the British Broadcasting Corp, the state of Minnesota’s Department of Education, multiple federal agencies – they’re among the victims of the latest data breach launched by Clop, a Russian-speaking hacking group that’s attacking targets around the world in both the public and private sectors.

The Clop gang, also known as Cl0p, is known for "driving global trends in criminal malware distribution," according to the US Cybersecurity and Infrastructure Security Agency, or CISA.

Clop has pulled off its latest breach by exploiting a weakness in MOVEit, a file-transfer product that companies and organisations use to transmit sensitive data. Once the hackers had exploited MOVEit, they could access data stored on MOVEit servers, a foothold that has enabled them to steal personal information from industry giants with tens of thousands of employees and from government agencies that handle data, some of it sensitive, on millions of people.

The hacking group claimed it obtained data from hundreds of companies, and while that allegation is difficult to confirm, the list of victims keeps growing. For instance, the US Department of Energy received a ransom request from Clop after two of its entities were affected by the breach.

The Oak Ridge Associated Universities, which manages a contract with several of the department’s national laboratories, and the National Nuclear Security Administration, the agency arm that maintains the US nuclear stockpile, received the request but didn’t respond, a spokesperson for Oak Ridge said.

Another ransom request was received by an Energy Department arm affected by the hack, the Waste Isolation Pilot Plant, which stores nuclear waste underground in New Mexico, Reuters reported.

Clop is the name of a variant of ransomware, a type of malware that encrypts a victim's computer files and withholds the key until a payment is made. It is also the name of a financially motivated criminal gang that uses a variety of methods to extort its victims: by deploying ransomware and demanding payment; by stealing sensitive documents and threatening to post them online unless a payment is made; or both.

Clop has been honing just this sort of breach for years, researchers at Kroll LLC, a private-intelligence firm, have found.

It appears to be one of their signature attacks. A few years ago, Clop leveraged software flaws in a file-transfer product made by a company then known as Accellion to access data from Morgan Stanley, Jones Day, and Kroger among others. Accellion has since changed its name to Kiteworks.

Earlier this year, the group claimed credit for a hack on a different file transfer product called GoAnywhere, from Fortra LLC.

"This finding illustrates the sophisticated knowledge and planning that go into mass exploitation events such as the MOVEit Transfer cyberattack," ones where intruders use a single point of vulnerability in an attempt to compromise as many victims as possible, the Kroll researchers said.

Cybercrime experts say they first came to know of the group's malware in 2019, when it launched a phishing campaign as part of a series of ransomware attacks against Korean companies and US academic institutions. The list of targets soon expanded to include financial, insurance, manufacturing and communications companies across the world, according to Trend Micro Inc., a cybersecurity firm.

By 2021, the group was flaunting its success. That February, its page on the dark web, known as a shaming site, included a long list of victims in places like the US, Singapore, and the Netherlands, security firm Mandiant Inc. reported.

In June of that year, Ukrainian police said they arrested multiple suspects who, they alleged, worked with Clop ransomware to extort organisations in the US and South Korea. According to law enforcement officials, the group fleeced victims out of US$500mil (RM2.3bil).

"The Clop ransomware group has been a persistent and damaging threat actor," said Michael DeBolt, chief intelligence officer at Intel 471, a cyber threat intelligence firm. "The vulnerability used by the gang was unknown prior to the start of attacks, which put organisations using the software in a mostly defenceless position. The use of such a vulnerability before it is publicly known means Clop has the resources and ability to develop or acquire such capabilities."

Like other Russian-speaking ransomware groups, Clop has avoided targets in former Soviet countries. In fact, its malware will not even infect a computer that operates primarily in Russian, the Korean cyber firm AhnLab has found.

But it hasn’t shown much restraint elsewhere. Clop has been known for targeting the health-care sector, and in 2022, it took credit for an attack on a UK company that supplies water to more than 1.5 million people.

In a statement on its dark web site at the time, the Clop group claimed it stole a trove of data and had gained access to systems that control chemical levels in the water. "If you are shocked it is good," the group said. – Bloomberg
