Hackers exploited a vulnerability in MOVEit Transfer software last week to access a range of information which is now casting a cloud over a growing number of UK firms and their staff.
The NCSC highlighted the threat from ‘hostile nation states’
The BBC, British Airways and Boots have been caught up in a cyber incident that has exposed employee personal data, including bank and contact details, to hackers.
A ransonware group named Clop has claimed responsibility for the breaches centered around the MOVEit file transfer software.
In an email to Reuters on Monday, the hackers said “it was our attack” and that victims who refused to pay a ransom would be named and shamed on the group’s website.
Work by Microsoft had earlier suggested that the Russian-speaking ransomware gang was behind the attack.
It emerged last week that a so-called zero-day vulnerability – a flaw – in the file transfer system MOVEit, produced by Progress Software, had been exploited by cyber criminals.
It had allowed the hackers to access information on a range of global companies using MOVEit Transfer.
Thousands of firms are understood to be affected.
UK-based payroll provider Zellis confirmed on Monday that eight of its clients were among them.
It did not name the organisations.
BA, however, confirmed it had been caught up in the affair.
The airline employs 34,000 people in the UK.
The BBC and Boots, which has 50,000 staff, said they had been affected too.
The broadcaster did not believe its employees’ bank details had been exposed though company ID and national insurance numbers were compromised.
LONDON, ENGLAND – MARCH 2019: Boeing 777 long haul airliner operated by British Airways taxiing for take off at London Heathrow Airport past tail fins of the company’s other aircraft.
Image: BA and Boots are both clients of payroll specialist Zellis, which has cut its link to MOVEit
Analysis: Origins ‘appear to have Russian links’
Experts said corporate victims could expect the group responsbile to make contact with a list of demands within weeks.
In this instance, the compromised information included contact details, national insurance numbers and bank details.
BA told Sky News: “We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident which occurred via one of their third-party suppliers called MOVEit.
“Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.
“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”
A Boots spokesperson said: “A global data vulnerability, which affected a third-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.”
Zellis said in its own statement: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”
Charles Carmakal, chief technology officer at Google cyber security specialist Mandiant Consulting, said: “At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming.
“It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims.
“Mandiant’s investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35m.
“Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched,” he warned.
“Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.
“The extortion emails were unrelated to the MOVE it exploitation and were just scams, but organisations could easily confuse them as being authentic.”