Ransomware gang Clop, which has taken responsibility for the cyber attack launched against document transfer service MOVEit, has announced that it has not stolen data from companies thought to be impacted by data breaches linked to the attack. These companies include the UK’s British Broadcasting Company (BBC), British Airways and high street health and beauty retailer Boots.
Since June 14, Clop has been posting company profiles of companies allegedly impacted by data breaches caused by the cyber attack against MOVEit. These posts are an attempt to pressure victims into paying a ransom to the gang. So far, the names, company addresses and websites of almost 50 victims have been added to the site, but no confidential data has yet been leaked.
Of the companies named on the site, prominent British companies thought to have had data stolen during the breach of payroll provider Zellis – including the BBC, BA and Boots – were not included.
In emails exchanged with the BBC, Clop claimed to have never had access to this data, saying they even told Zellis that they had not breached these companies.
“We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” the gang told the BBC.
When asked by the BBC for more information on the breach, Zellis said it could “confirm that a small number of [its] customers have been impacted by this global issue and [the company is] actively working to support them”.
How did the MOVEit cyber attack happen?
The cyber attack against MOVEit saw ransomware gang Clop exploit a critical zero-day vulnerability in MOVEit’s infrastructure. This allowed the malicious actors to break into multiple company networks and steal data.
The vulnerability was flagged by security researchers and the US government on June 1. The US Cybersecurity and Infrastructure Security Agency (CISA) urged all MOVEit clients to check for indications that malicious actors had gained unauthorized access to their networks over the past 30 days and to download and install the software patch released by MOVEit to address the issue.
On June 5, payroll provider Zellis announced that it had been affected by the MOVEit cyber attack, and that a “small number” of its customers had suffered data breaches as a result of this. These victims were originally thought to include the BBC, Boots and BA, however on June 21 Clop claimed that they never had access to this data.
A number of victims, including accounting firm PwC, British watchdog Ofcom and Health Service Ireland made statements in the days and weeks following the cyber attack that they had suffered a data breach linked to it.
Ransomware gang Clop later took ownership of the cyber attack by attempting to exploit its victims. In a post on the gang’s Telegram channel, the malicious actors demanded victims pay them by June 14, or their data would be released.
Starting from this day, they released information including company names, address and websites on their darknet site in an attempt to convince the victims to contact them and pay them money to not release their data.
A timeline of the MOVEit cyber attack
June 1: MOVEit’s vulnerability is flagged by cyber security researchers and the US government. MOVEit issues a patch for the software vulnerability.
June 5: Payroll provider Zellis announces that it was impacted by the MOVEit cyber attack. Companies including the BBC, Boots and British Airways suffer data breaches as a result.
June 7: Ransomware gang Clop issues a threat to victims to contact them by June 16, or their data will be posted online.
June 7: CISA and the FBI announces a US$10 million reward for “information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government”.
June 8: Professional services network and accounting firm, Ernst & Young (EY) announces that it was impacted by the MOVEit cyber attack. As a result, Health Service Ireland (HSE) suffered a data breach.
June 12: British communications watchdog Ofcom announces that it was a victim of the MOVEit cyber attack, causing a data breach that affected 412 employees.
June 14: Clop begins to post the profiles of companies allegedly breached during the cyber attack launched against MOVEit on its data leak website. Clop does not leak any of the stolen data.
June 19: Accounting firm PriceWaterhouseCoopers (PwC) announces it was impacted by the MOVEit cyber attack
June 21: Clop claims to not have access to data from the BBC, Boots and BA that was thought to be stolen in the MOVEit cyber attack