MOVEit Breach: Hackers Threaten BA, Boots and BBC with Ultimatum 

Clop, the cyber gang thought to be behind this week’s MOVEit breach, has issued its victims with an ultimatum to negotiate or have their hacked information leaked online. 

The suspected Russia-linked hacker group, which stole employee bank details and sensitive information from global organisations including  British Airways (BA), Boots and the BBC, threatened to publish victims’ stolen data if their deadline is not met

In a notice published on the dark web, it urged organisations affected by the hack to send an email to the gang and begin a negotiation on the crew’s darknet portal. 

“This is an announcement to inform companies using the Progress MOVEit product that the chance is that we are downloading a large portion of your data as part of an exceptional exploit.”

A zero-day vulnerability in the MOVEit code enabled criminals to access the file transfer platform’s servers and the personal and financial data of its client’s employees.

Payroll software company Zellis - which used the MOVEit software that resulted in BA, BBC and Aer Lingus staff having their data accessed - said eight of its customers were hit but did not name them.

More than 100,000 BBC, BA, BBC and Boots staff have been warned that their data may have been stolen. More global victims are still emerging, including Aer Lingus, the Nova Scotia Government and the University of Rochester in New York. 

Other Zellis customers include Jaguar Land Rover, Harrods and Dyson. Potentially hundreds of companies using the popular MOVEit business software may be impacted.

A MOVEit spokesperson said: "Our customers have been, and will always be our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps."

"We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability."

‘Do not worry, we erased your data’

As well as compromising sensitive data belonging to several companies around the world, Clop also claims on its leak site that it was able to access data from the public sector. 

But, in a bid to prevent the involvement of law enforcement, however, it claimed in its notice to have deleted all data relating to public sector organisations and government, city or police services.

Do not worry, we erased your data you do not need to contact us. We have no interest to expose such information

Experts aren’t convinced, however. Brett Callow, threat researcher from Emsisoft told the BBC that these sorts of claims “should be taken with a pinch of salt” 

“If the information has monetary value or could be used for phishing, it's unlikely that they will simply have disposed of it," said Callow. 

Cybersecurity experts have long tracked the exploits of Clop, which is thought to be based in Russia as it mainly operates on Russian-speaking forums.

In 2021, hackers alleged to belong to Clop were arrested in Ukraine in a joint operation between Ukraine, the US and South Korea.

At the time, authorities claimed to have taken down the group which they said was responsible for extorting $500m from victims around the world. But Clop remains a threat to organisations around the world.

To read more about cyber attacks, visit our dedicated Business Continuity Page. 

Taking place from 20 to 22 June 2023, Infosecurity Europe keeps you connected with everyone in information security. The brightest minds, from engineers to innovators.

Learn about more than just the technology. Hear from, and network with, the people who make up our community, exchange ideas, build resilience and be able to work together to protect our shared future.

REGISTER NOW for Infosecurity Europe and enhance all areas of your cybersecurity!