MOVEit Hack Compromised Data at Around 600 Organisations Globally; Fallout Is Only Beginning: Cyber Analysts

The digital extortionists involved in the MOVEit hack, a group named "cl0p", have become increasingly aggressive about thrusting the stolen data into the public domain.

By Reuters | Updated: 8 August 2023 18:16 IST

Highlights

Hacks by groups like cl0p occur with a numbing regularity
The tallies show that nearly 40 million people have been affected so far
A group named "cl0p", have become increasingly aggressive

MOVEit Hack Compromised Data at Around 600 Organisations Globally; Fallout Is Only Beginning: Cyber Analysts

MOVEit is used by organizations to ship large amounts of often sensitive data

Photo Credit: Pexels

A hydra-headed breach centered on a single American software maker has compromised data at about 600 organizations worldwide, according to cyber analyst tallies corroborated by Reuters.

But more than two months after the breach was first disclosed by Massachusetts-based Progress Software, the parade of victims has scarcely slowed. The tallies show that nearly 40 million people have been affected so far by the hack of Progress' MOVEit Transfer file management program. Now the digital extortionists involved, a group named "cl0p", have become increasingly aggressive about thrusting their data into the public domain.

"We are just in the very, very early stage of this," said Marc Bleicher, chief technology officer of the incident response firm Surefire Cyber. "I think we'll start to see the real impact and fallout down the road."

India Saw Massive Surge in Ransomware, IoT Cyber Attacks in H1 2023: Report

MOVEit is used by organizations to ship large amounts of often sensitive data: pension information, social security numbers, medical records, billing data, and the like. Because many of those organizations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiraled outward in sometimes convoluted ways.

For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specializes in locating surviving family members of pension fund holders, they gained access to the data of the New York-based Teachers Insurance and Annuity Association of America, which in turn manages pension programs for 15,000 institutional clients, many of whom have spent the past weeks notifying employees of their exposure.

"There's this domino effect," said Huntress Security's John Hammond, one of the earliest researchers to start tracking the breach.

Parliamentary Panel Suggests Setting Up Framework to Deal With Cyber Crimes

Hacks by groups like cl0p occur with numbing regularity. But the sheer variety of victims of the MOVEit compromise, from New York public school students to Louisiana drivers to California retirees, has made it one of the most visible examples of how a single flaw in an obscure piece of software can trigger a global privacy disaster.

Christopher Budd, a cybersecurity expert with the British firm Sophos, said the breach was a reminder of how interdependent organizations were on one another's digital defenses.

Progress said it had been the victim of "an advanced and persistent cybercriminal group" and that its focus was on supporting its customers.

US SEC Set to Adopt New Cyber Rule, Unveils Brokerage AI Proposal

'THOUSANDS OF COMPANIES

Cl0p's hacking campaign began on May 27, according to two people familiar with Progress' investigation.

Progress first got wind of the compromise the next day, when a customer alerted the firm to anomalous activity, these sources said. On May 30 the company sent a warning, and the next day issued a "patch", or repair, which partially thwarted the hackers' campaign.

"Many organizations were in fact able to deploy the patch before it could be exploited," said Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency.

Not all organizations were so lucky. Details on the amount of stolen material or the number of organizations affected are not publicly available but Nathan Little, whose firm Tetra Defense has responded to dozens of MOVEit-related incidents, estimated the breach likely affected thousands of companies.

"We may never know the exact detailed number," he said.

Some analysts have tried to keep track. As of Sunday, cybersecurity firm Emsisoft had totaled up 597 victims with 39.7 million people affected.

German IT specialist Bert Kondruss has come up with similar figures, which Reuters corroborated by cross-checking them against public statements, corporate filings, and cl0p's posts.

WHO HAS BEEN EXPOSED?

Educational organizations - colleges, universities, and even New York City public schools - made up a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the US alone.

The exposure has gone well beyond academia.

Drive a car? The Louisiana and Oregon motor vehicle authorities collectively disclosed the compromise of around 9 million records. Retired? Pension management organizations such as the California Public Employees' Retirement System and T. Rowe Price were breached via Pension Benefit Information. The breach at US government contractor Maximus alone resulted in the compromise of between 8 to 11 million people's records.

A tenuous silver lining? The hackers may have ingested too much data to release it all.

Alexander Urbelis, senior counsel with New York-based law firm Crowell & Moring, which has helped victims gauge their exposure to the hackers' dragnet, said extraordinarily slow download speeds from the hackers' creaky darknet website "made it all but impossible for anyone" - whether well-intentioned or otherwise - "to access the stolen data."

Goldstein, the US official, said in "in many cases" data had yet to be leaked.

Cl0p, which didn't return Reuters' messages, seems to be trying to up its game. Late last month it created websites specifically intended to better spread stolen data. Earlier this week it started sharing the data via peer-to-peer networks.

That's bad news for the victims, said Surefire's Bleicher.

"Once this data starts to be slowly leaked, it shows up more on the underground," he said. The impact of the breach in turn "will probably get much larger than we think it is now."

From the launch of the Infinix GT 10 Pro to Amazon's latest mega-sale, we discuss the most noteworthy technology news events of the week on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.