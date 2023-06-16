

A criminal hacking group known as Clop has exploited a security flaw in a file transfer tool, stealing data from dozens of companies and organizations primarily in the US and Europe. The oil giant Shell Plc and IAG SA’s British Airways are among the victims, along with US government agencies, banks, manufacturing firms and universities. The hacking involves demands for ransom payments but doesn’t involve ransomware.

1. What’s the MOVEit hack?

MOVEit is file-transfer software from Progress Software Corp., which says it is designed to enable “secure collaboration and automated file transfers of sensitive data.” The hacking group Clop found a previously unknown vulnerability in MOVEit and exploited it to steal data from companies and organizations that were using the tool. The US Cybersecurity & Infrastructure Security Agency warned on June 1 that the vulnerability could be exploited to “take over an affected system.” Cybersecurity experts have so far identified about 50 companies and organizations as victims of the breach; the hackers claim there are many more. In a statement posted on their dark web page last week, Clop invited victims to reach out and negotiate. “We have information on hundreds of companies so our discussion will work very simple,” the gang said, claiming it had downloaded “a lot of your data as part of exceptional exploit.”

2. What is Clop?

Clop is the name of a ransomware variant that has been deployed against companies and organizations around the world; the name is also used frequently to refer to the hacking gang most closely associated with that variant. Clop’s Russian-speaking members have been among the most prolific cybercriminal gangs in recent years, causing hundreds of millions of dollars of damage internationally, according to the cybersecurity firm Trend Micro Inc.

3. What’s different about this type of cyberattack?

In the MOVEit attacks, the gang has not used ransomware, the malicious software that encrypts a victim’s files and systems so they cannot be used unless the owner pays for the decryption key. Instead, the group has stolen internal data from computer systems and demanded that victims pay to prevent the gang from publishing the data online, a tactic often described as data-theft extortion. Because nothing is encrypted, a victim’s operations can continue uninterrupted while the data is already in the attackers’ hands, and restoring from backups offers no protection against the threat of publication.

4. How have targets responded?

It’s not known whether any of the MOVEit victims have paid a ransom. A spokesman for Shell said the company was not communicating with the hackers. “There is no evidence of impact to Shell’s core IT systems,” the spokesman said. German printing and packaging company Heidelberg, another of the victims, said the incident was countered and didn’t lead to a data breach. Meanwhile, British Airways said the hackers had accessed employees’ personal information, including names, surnames, dates of birth and potentially banking details, according to a spokesperson for the carrier, which employs around 35,000 people.

5. How is payment made?

Hackers usually negotiate a cryptocurrency payment with their victims. According to an April report from the cybersecurity firm Coveware, the average ransom payment is $327,883. The US government urges victims not to pay the hacking gangs, warning that doing so can violate sanctions and result in civil penalties.

6. What can be done?

On May 31, Progress released an update that fixed the security flaw exploited by the Clop hackers. Since then, further security vulnerabilities in MOVEit have been discovered. On June 15, Progress advised its customers to disconnect their MOVEit installations from the internet after another flaw was found, and then issued a patch for it. Applying the patches closes the holes but does not undo any data theft that has already taken place; organizations that ran an unpatched, internet-facing installation during the attack window should assume the system may have been accessed and investigate accordingly.

