Boots, BA and BBC MOVEit attacks attributed to Clop cyber gang
Russia-based cyber gang Clop has laid claim to a series of major security breaches at organisations including British Airways, the BBC and Boots, which it was able to penetrate through a vulnerability in Progress Software’s MOVEit file transfer product used by HR and payroll software provider Zellis.
The ransomware gang has also threatened to leak staff data, including home addresses, national insurance numbers and bank details, on Wednesday 14 June if the ransom has not been paid by then, although employers are being urged not to pay out.
More than 100,000 staff at the BBC, British Airways and Boots have been informed that payroll data may have been taken.
Other known victims compromised via Zellis include the University of Rochester in the state of New York, and the provincial government of Nova Scotia in Canada.
Analysts at Microsoft first pointed the finger at Clop on Monday, based on the techniques used in the hack; the gang has since confirmed its involvement in a message posted on its own dark web ‘leak’ site.
A BBC spokesperson said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”
According to Simon Newman, advisory council member of International Cyber Expo, the attacks represent a worrying trend: as big firms ramp up their cyber security, criminals are forced to shift their focus onto supply chains, “which are often long and complex”.
Cybersecurity expert Achi Lewis, area VP EMEA for Absolute Software, added that supply chains add additional risk to an organisation’s cyber protections by providing threat actors with an extra way in.
He said that supply chain attacks can be a “lucrative” attack method for cybercriminals due to the knock-on impact a breach can have on multiple targets.
“It represents an area of risk that organisations must factor into detection and prevention strategies,” he said.
Lewis advised firms to use remote controls to enable centralised teams to freeze and shut off compromised devices and applications to prevent further access to a network.
“Ensuring ongoing protection against recurring attacks is an important step in recovery, allowing staff to continue operations while protected and preventing weeks, months, or even years, of continual system damage,” he added.
There are now strict penalties for breaches in data of this kind.
Ray Kelly, fellow at the Synopsys Software Integrity Group, noted that it would be interesting to see how the EU, through its GDPR regulation, will assess fines for the various organisations involved in this incident, “as the software supply chain aspect certainly complicates matters”.
The National Cyber Security Centre is now working to fully understand the UK impact following the attack and the government body is encouraging organisations to take immediate action by “following vendor best practice advice and applying the recommended security updates.”
Meanwhile, a representative from Progress Software confirmed that it had “corrected” the vulnerability exploited by the hacker and “strongly” urges firms to apply the patch it has released.