Cl0p hits companies worldwide with massive MOVEit supply chain hack

What happens next after a mega-level supply chain attack?
8 June 2023

The BBC is among several high-profile victims of the attack.

• MOVEit is a file sharing app used in the Zellis payroll system.
• A supply chain hack targets one program used by multiple organizations.
• The true scale of this supply chain attack has yet to be determined.

Organizations worldwide have had their data – and their staff’s data – compromised in the largest supply chain hack of 2023, and possibly the largest such hack ever on record.

A supply chain hack is an attack that, rather than aiming at a single target (usually with ransomware in mind), instead inserts malware into a commonly used app or piece of software that many different organizations rely on. A similar – but significantly smaller – attack was launched on the London stock market earlier this year.

This time, the attack comes from the Russian-based Cl0p cybercrime group, and has hit organizations both large and small. Malware was inserted into Progress Software’s MOVEit product, which normally provides a secure way of moving files around an organization.

In particular, the product was part of the system run by Zellis – a specialist payroll services provider based in the UK.

A large-scale supply chain attack.

That’s significant in two ways. Firstly, a lot of high-profile companies, especially within the UK, use Zellis for their payroll processing. Three that have already grabbed headlines are the BBC (the UK’s national broadcaster of record), British Airways, one of the country’s leading airlines, and the Boots pharmacy chain, with 2,200 branches in the UK alone.

Between them, those companies have been notified that the details of 100,000 members of staff have been compromised, and unless an agreement is reached, will be released onto the internet – allowing any hacker, spoofer, phisher or other bad actor to perpetuate the harm of the hack almost indefinitely.

The attack is not limited to those three companies, though. Aer Lingus, an Irish airline, the Government of Nova Scotia in Canada, and the University of Rochester, New York, have since come forward to acknowledge that they too are victims of the Cl0p attack – and it’s fully expected that others will join them as the days go by.

What has become clear in the few days since news of the attack broke, though, is that the group may have pulled off a hack too large for it to handle.

In a standard ransomware attack, the hackers tend to name an initial ransom amount, and then there’s a process of either negotiation or stand-off until something happens to the data – either it’s exposed, or flushed, or returned – and either some amount of money changes hands or it doesn’t.

This is not strictly speaking a ransomware attack though – it’s more akin to demanding money with menaces.

Cl0p has written a blog post addressed to more or less any company that has been using Zellis for its payroll function, announcing that those companies have seven days (until June 14) to contact the hackers and begin negotiating a sum that will stop the group publishing staff details on its own site.

Conflicting incentives.

The exact nature of the vulnerable data changes from victim to victim – the BBC said it understood that staff ID numbers, dates of birth, home addresses and national insurance numbers of its staff had been compromised, while British Airways warned its staff that some may also have had their bank details stolen.

It’s details like this that make organizations with a concern for the welfare of their staff – lots of whom are already enduring a cost of living crisis and throat-punchingly high inflation – want to negotiate with the cybercriminals to avoid the data becoming the common currency of every hacker with a name or a living to make.

The negotiations between organizations and cybercriminals have the tone of a data-based horror movie.

Naturally though, advice from the likes of the UK Cybersecurity Council is not to pay any ransom if one is demanded or suggested. There’s a strategic logic to that – as with bullies, blackmailers, and terrorists in the non-cyber world, giving them what they want only tends to encourage them to push their luck, regarding their victims as weak or desperate.

But strategic logic is likely to be cold comfort to the hundred thousand confirmed staff whose data is currently compromised, or the hundred thousand more worldwide who could be compromised through the Zellis payroll service.

A potentially expanding supply chain attack.

Almost as soon as the hack was confirmed, the US Cybersecurity and Infrastructure Security Agency issued a warning to all firms using MOVEit that they should download and install a security patch to avoid further breaches – because, naturally, now that Cl0p has a way in through that system, the group can continue to use that access to compromise ever more data unless it is patched.

Security scans reveal that thousands of company databases could still be at risk, as the take-up of the patch has been mind-bogglingly low considering the potential danger to available data.

In a rare moment of altruism, though, Cl0p has announced that government, city, and police services are outside the remit of its interest this time around.

It issued an addendum to its general “contact us to negotiate for your data” message, saying that data from those three types of organization had already been erased and formed no part of the extortion plan.

This, as much as the inverted way the group has gone about seeking to monetize its mega-strike, has led analysts to believe the attack has become too big and too successful for Cl0p to handle.

The sheer amount of data collected, and the difficulty of grouping it coherently, looks to be giving the group an ironic version of a problem faced by businesses in the legitimate world – too much data, insufficient data management.

Add to that the fact that there are very likely to be companies who are as yet unaware that they’re affected by the hack, and it could become a logistical nightmare – as much for the hackers as for the companies who’ve been hacked.

What happens on the run-up to the communication deadline – and after it – will define how this enormous hack will eventually be remembered. Right now though, companies will be taking as much advice from their cyber-experts as possible about how to play this entirely unusual situation.