Victims of MOVEit Transfer Attacks Continue Piling Up

The Clop ransomware gang claims hundreds of organizations were compromised in its recent MOVEit Transfer attacks.

That’s according to Brett Callow, ransomware expert and threat analyst at Emsisoft. Earlier this month, several U.S. government agencies including the U.S. Department of Energy were hacked via a MOVEit Transfer software vulnerability.

So far, about 148 organizations have been compromised in MOVEit Transfer attacks, Callow said. And that number continues to climb.

Emsisoft’s Brett Callow

“Eleven of the 148 have confirmed the number of individuals whose personal information was compromised, which currently totals 16,212,552,” he said.

MOVEit Transfer Attacks Hit Public, Private Sectors

Among victims of MOVEit Transfer attacks are the U.S. Department of Health and Human Services, the U.S. Department of Energy, California Public Employees’ Retirement System (CalPER), the California State Teachers Retirement System (CalSTRS), EY and the BBC, Callow said.

In the Department of Health and Human Services attack, the attackers exploited the vulnerability in third-party vendors’ MOVEit Transfer software. The department will provide Congress with additional details as its investigation progresses.

Clop also listed Schneider Electric, based in France, and Siemens Energy, based in Germany, as companies from which it stole data in MOVEit Transfer attacks, according to Bleeping Computer.

Schneider Electric sent us this statement:

“On May 30, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure, and have continued to monitor the situation closely. Subsequently, on June 26, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyberattack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well.”

Siemens Energy couldn’t be reached for comment.

Clop operates a website on the dark web, and have claimed responsibility for the MOVEit Transfer attacks on that website, Callow said.

“If organizations do not pay, Clop releases the data on their website so that it’s available to anybody who wants it,” he said. “They claim to have deleted any data relating to government or police agencies, but that claim is not believable.”

Clop has released data allegedly relating to multiple victims, Callow said.

“I’ve not accessed that data and do not plan to, hence the use of the word allegedly,” he said.

Attack Isn’t Over

Darren Guccione, CEO and co-founder at Keeper Security, said as we learn more about the potential victims and the data stolen, including bank account information, it’s clear this cyberattack isn’t over.

Keeper Security’s Darren Guccione

“In cases where personal information is stolen, threats from the data breach persist even after it’s been discovered and contained,” he said. “Current and former employees of any impacted organizations should take proactive steps to protect themselves from cybercriminals who may aim to use their personal information for identity theft and targeted attacks. The first step should be signing up for identity theft protection services and securing all online accounts with strong and unique passwords. A dark web monitoring service can alert you if your information shows up on the dark web so that you can take immediate action.”

Heath Renfrow, co-founder of Fenix24, said Clop has become increasingly active in double extortion tactics since its launch back in 2020.

Fenix 24’s Heath Renfrow

“It just unleashed one of the most prolific global cyberattacks in history … extorting hundreds of high-profile companies globally,” he said. “Clop was already very prominent, hitting 130 companies in February with the GoAnywhere MFT Secure File Transfer zero day.

U.S. critical infrastructure is made up of both government and private entities, and this presents a significant challenge, Renfrow said.

“There are thousands of different organizations all conducting cybersecurity their own way and within their own budgets,” he said. “This challenges the government to truly drive uniform change due to the lack of control and oversight. Perhaps an entity similar to the U.S. Securities and Exchange Commission (SEC) could be operationalized and given the authority to drive the cybersecurity makeup of the critical infrastructure entities. But even then, there comes the challenges of budget, technology stack chosen by each entity, manpower, etc. It’s an overall question of overarching authority to drive change—and the government must resolve this question first before addressing specific controls.”