Today, the BBC reported a new development in the ongoing cyber attack on more than 90 organisations by the Clop hacking group. Organisations including Ernst and Young, Transport for London and the regulator Ofcom, in addition to Boots, BA and the BBC have confirmed that sensitive payroll data has been compromised. However, despite the threats made by the group earlier this month, it now appears that it may not have the data after all.
Clop began issuing threats on the 7th June, giving the companies it claimed to have compromised until the 12th June to pay up thousands of dollars in the form of Bitcoin or face the release of their confidential data onto the dark web. The deadline was extended to the 14th June for reasons that remain unclear. From that date the attackers did begin to release the names of victims onto a darknet site, and around 50 have so far been listed. It’s a global operation, with listed victims registered in the US, Canada, Europe, Australia and even Malaysia and Brazil.
However, to date none of the payroll data itself has been published. Furthermore, none of the most well-known victims’ names have been published either. According to the BBC, the hackers, via email, have said:
“We don’t have that data”
In perhaps the most famous attack involving third-party software to date, it is thought that hundreds of organisations which used the file transfer tool MOVEit have had their data exfiltrated. That includes some very well-known customers of the payroll software company Zellis, which was itself breached via the original vulnerability in MOVEit.
However, in an email exchange with the BBC, representatives of Clop repeatedly claimed that they had not stolen the data:
“We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” said the attackers.
Zellis would not comment to the BBC due to the ongoing police investigation into the attack.
The claims by Clop raise several possibilities. The first is that the group stole the data to order for another group, or has subsequently sold it on, although Clop did claim that it “didn’t sell anything to other hackers.”
Another possibility is that a different group has already stolen the data from Clop. A third, given the multiple vulnerabilities in MOVEit that have been identified since the original attack was disclosed on 31st May, is that a different group stole it in the first place. Of course, another plausible explanation is that the group is lying, although its motivation for doing so at this point is unclear given that it rather weakens its negotiating hand.
On Friday, the US security services announced a reward of up to $10m for “information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government.”