MOVEit Hack: Over 400 Organizations’ Sensitive Data Stolen by Clop Ransomware Group

The Russian ransomware group ‘Clop’ exploits a flaw in Progress Software’s MOVEit product suite in late May to steal data from unprotected networks.

According to German cybersecurity research firm KonBriefing, as of now, the MOVEit hack has affected 421 organizations and 22 million people.

Number of Affected Organisations By Country || Source: KonBrefieng

Here is a comprehensive list of all the victims.

The criminal behind the hack, renowned for using the CL0P ransomware, have access to a vast amount of information that might be used in phishing and business email compromise (BEC) attacks.

Most of the MOVEit hacks appear to have occurred between May 30 and May 31, when CL0P targeted a zero-day vulnerability in MOVEit that was tracked as CVE-2023-34362.

“While this may not be in the same league as the SolarWinds incident, it’s nonetheless one of the most significant hacks of recent years,” Emsisoft Threat Analyst Brett Callow.

Impacts on the Organization

The number of organizations that were impacted includes both those that were directly impacted and those that were indirectly harmed.

In this regard, UK-based Zellis, a payroll and HR firm, suffered a direct impact while big organizations that rely on Zellis’ services, including the BBC and British Airways, suffered an indirect impact.

The US Department of Energy, other federal institutions, and large firms, including Shell, a leading energy provider, Deutsche Bank, PwC, and TJX Companies, a leader in the retail industry, were all impacted.

Additionally, Marshalls, HomeGoods, HomeSense, and Sierra are among the retail brands owned by TJX.

Emerson is another industrial corporation that has acknowledged being the target of the MOVEit attacks. Last week, the company said that “no data containing sensitive information impacting our business or customers was accessed.”

He further emphasized that no other IT applications or infrastructure were accessed or in any other way impacted, just the system hosting the MOVEit software was.

Siemens Energy and Schneider Electric have also been impacted. The cybersecurity company Netscout is also included on the Cl0p website, although it has not released any remarks yet.

Several German banks as well as the photo-sharing website Shutterfly have acknowledged being attacked.

On its leak website, the CL0P organization keeps listing new purported victims of the MOVEit attacks.

The industrial giant Honeywell has now been added to the list after it admitted that certain personally identifiable information was obtained via the MOVEit app in a statement released in mid-June.

“As well as students who were enrolled in previous years,” Emsisoft stated of the National Student Clearinghouse, which handles data for 17.1 million students now enrolled in 3,600 colleges and universities, accounting for 97% of current postsecondary enrolment in the United States.

Number of Individuals Affected

The number of people whose personal information – usually Social Security numbers – was compromised: Fidelity & Guaranty Life Insurance Co., 873,000 victims; 1st Source Bank in Indiana, 450,000 victims; Franklin Mint Federal Credit Union in Pennsylvania, 141,000 victims; TSG Interactive US Services Limited, which operates as PokerStars, 110,291 victims; Athene Annuity and Life Company in Iowa, 70,412 victims; and Massachusetts Mutual Life Co., aka MassMutual, 242 victims.

The ransomware group has begun disseminating files that were taken from several businesses that declined to pay. The hackers assert that they deleted all information taken from the affected government entities. 

According to The Wall Street Journal, Progress Software is dealing with at least 13 lawsuits alleging that the MOVEit flaw was caused by inadequate security.

The security firm Emsisoft said, “To make matters worse, the potential for misuse of the stolen information is significant.”

“And it’s not only how CL0P may misuse the information that’s a concern. Once it’s released online, it becomes available to the global community of cyber-miscreants to use in BEC schemes, identity fraud, etc.”

MOVEit vendor Progress Software, located in Massachusetts, fixed the vulnerability on May 31 to stop additional intrusions.

“To our knowledge at this time, none of the vulnerabilities discovered after the May 31 vulnerability have been actively exploited”, the company said.

The general opinion among experts is that it is simply too early to estimate the entire scope of the MOVEit data breaches. In the upcoming weeks, there will undoubtedly be more victims identified.

Here is the curated list of IOCs, infrastructures, and resources shared.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.