Cyber Crime Gang Threatens Data Publication: BBC & British Airways Among Victims

The notorious Clop group, believed to be based in Russia, issues an ultimatum to victims of the MOVEit hack, demanding contact before June 14 or risk data exposure.

A cybercrime gang believed to have originated from Russia, known as the Clop group, has issued a warning on the dark web to victims affected by the widespread MOVEit hack. They have given a deadline of June 14, threatening to publish stolen data if victims fail to email them.

Prominent organisations such as the BBC, British Airways and Boots have notified their employees that payroll data may have been compromised. Employers are being advised not to comply with any ransom demands from the hackers.

Clop has been previously suspected of orchestrating the hack, which was first reported last week. By exploiting the popular business software MOVEit, the criminals gained unauthorised access to the databases of numerous other companies, potentially impacting hundreds of organisations.

Microsoft analysts have now confirmed that Clop is indeed responsible for the hack based on the techniques employed. This confirmation was made in a lengthy blog post obtained by the BBC.

The blog post emphasises that companies using Progress MOVEit should be aware that their data may have been acquired through an exceptional exploit. It urges affected organisations to initiate negotiations with the hackers by sending an email to their darknet portal. The demand for victims to reach out directly to the hackers is an unconventional tactic, as ransom demands are typically sent via email. This approach may be due to the scale of the ongoing hack, which Clop is struggling to manage.

MOVEit, a file transfer software provided by Progress Software in the US, is widely used by businesses for secure internal file transfers. Zellis, a UK-based payroll services provider, was one of the affected users. Zellis confirms that data from eight organisations, including home addresses, national insurance numbers and bank details, has been stolen.

Several organisations, including the BBC, British Airways, Aer Lingus, Boots, Nova Scotia Government and The University of Rochester, have acknowledged the possibility of data theft. Experts advise individuals not to panic and urge organisations to conduct security checks recommended by authorities such as the US Cyber Security and Infrastructure Authority.

Clop claims to have deleted data from government, city and police services on their leak site, stating that they have no intention of exposing such information. However, experts remain sceptical and warn against trusting the criminals' claims. Clop has been closely monitored by cybersecurity experts and is predominantly active in Russian-speaking forums. While Russia denies providing a safe haven to ransomware gangs, Clop operates as a "ransomware as a service" group, allowing hackers to rent their tools for attacks from anywhere.

In 2021, alleged members of the Clop group were apprehended in Ukraine through a joint operation involving Ukraine, the US, and South Korea. Authorities believed they had dismantled the group responsible for extorting $500 million globally. However, Clop has proven to be an enduring and persistent threat.

• The Clop cybercrime gang believed to be based in Russia, has issued an ultimatum to victims of the MOVEit hack, demanding contact before June 14 or face data publication.

• Major organizations, including the BBC, British Airways and Boots, have warned their staff about potential payroll data theft.

• Employers are advised not to comply with any ransom demands.

• Clop exploited the MOVEit software to gain access.