A group of Russian-speaking cyber criminals has claimed credit for a sweeping hack that has compromised employee data at the BBC and British Airways and left US and UK cybersecurity officials scrambling to respond.
The hackers, known as the CLOP ransomware gang, say they have “information on hundreds of companies.” They’ve given victims until June 14 to discuss a ransom before they start publishing data from companies they claim to have hacked, according to a dark web posting seen by CNN.
The extortion threat adds urgency to an already high-stakes security incident that has forced responses from tech firms, corporations and government agencies from the US to Canada and the UK.
The compromise of employee data at the BBC and British Airways came via a breach of a human resources firm, Zellis, that both organizations use.
“We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach,” a BBC spokesperson told CNN Wednesday. The spokesperson declined to comment on the hackers’ extortion threat.
A British Airways spokesperson said the company had “notified those colleagues whose personal information has been compromised to provide support and advice.”
The hackers — a well-known group whose favored malware emerged in 2019 — last week began exploiting a new flaw in a widely used file-transfer software known as MOVEit, appearing to target as many exposed organizations as they could. The opportunistic nature of the hack left a broad swath of organizations vulnerable to extortion.
Numerous US state government agencies use the MOVEit software, but it’s unclear how many agencies, if any, have been compromised.
The US Cybersecurity and Infrastructure Security Agency has ordered all federal civilian agencies to update the MOVEit software in light of the hack. No federal agencies have been confirmed as victims, a CISA spokesperson told CNN.
Together with the Federal Bureau of Investigation, CISA also released advice on dealing with the CLOP hack. Progress, the US firm that owns the MoveIT software, has also urged victims to update their software packages and has issued security advice.
CISA Executive Director for Cybersecurity Eric Goldstein said in a statement: “CISA remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure.”
But the effort to respond to the cyber attack is very much ongoing.
The CLOP hackers are “overwhelmed with the number of victims,” according to Charles Carmakal, chief technology officer at Mandiant Consulting, a Google-owned firm that has investigated the hack. “Instead of directly reaching out to victims over email or telephone calls like in prior campaigns, they are asking victims to reach out to them via email,” he said on LinkedIn Tuesday night.
Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, also told CNN: “Unfortunately, the sensitive nature of the data often stored on MOVEit servers means there will likely be real consequences stemming from the [data theft] but it will be months before we understand the full fallout from this attack.”