Ofcom Becomes the Latest Victim of MOVEit Supply Chain Attack

The UK’s broadcasting regulator, Ofcom, has revealed that it’s among the organisations whose data has been stolen in the massive MOVEit cyber attack.

In a statement, Ofcom said that a “limited amount” of confidential information was stolen by criminal hackers, although its own systems were not compromised. The data relates to certain companies whose practices Ofcom regulates, as well as 412 of its employees.

This is the latest in a series of cyber attacks exploiting a critical flaw in Progress Software’s MOVEit file transfer tool, which is used by thousands of organisations and as many as 3.5 million software developers.

The attacks have since been attributed to the notorious Russian ransomware group Clop, which has threatened to publish the stolen data unless organisations contact it to begin a ransom negotiation.

The deadline for that ultimatum passed yesterday, on 14 June, but there have been no further updates yet.

Does that mean that affected organisations complied with the request? Can we expect a trove of compromised information to be leaked online within the next 24 hours? Or are the cyber criminals, a group not known for their honesty, extending the deadline in the hopes that they’ll get a payout?

What happens now?

When an organisation falls victim to ransomware, it sparks the usual question: is it better to pay up and hope to avoid ongoing delays and reputational damage, or to take the noble course of refusing to negotiate with criminals?

Cyber security experts invariably recommend the second option – and not just because it’s the ethical thing to do. Yes, paying cyber criminals encourages them to launch further attacks and it might even fund those endeavours.

However, there are plenty of other reasons not to negotiate. You can’t be sure that the criminals will stick to their word and hand over the decryption keys once they’ve been paid.

Plus, you will still face delays as you negotiate and then decrypt your systems, meaning you might have been better off ignoring the demands and getting straight to your incident response plan.

Perhaps most importantly, you are still subject to your data breach notification requirements, and data protection authorities won’t be pleased to hear that you spent your budget paying cyber criminals rather than investing in preventive measures.

But the question of whether it’s right to pay up or not relies on one rather obvious issue, which isn’t as clear in this spate of MOVEit ransomware attacks as you might think: does the organisation know that it has fallen victim?

You can’t negotiate with cyber criminals if you were never told that you’ve fallen victim, and as Graham Cluley writes, “the challenge for some organisations who will have had their data stolen [in this attack] is that they may be entirely unaware that they were at risk”.

Tip of the iceberg

Although the likes of Ofcom have disclosed the attacks, plenty of organisations that use MOVEit won’t have sophisticated threat detection tools in place.

Indeed, many of them will only be affected because they used a third-party supplier such as Zellis – which uses the MOVEit tool – to manage their payroll.

Zellis confirmed that it had fallen victim earlier this month and said that it had taken steps to contain the damage.

“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” it wrote.

“We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland. We employ robust security processes across all of our services and they all continue to run as normal.”

However, it’s unclear how many of the organisations in Zellis’ supply chain were aware of the breach and whether their information was caught up in the attack.

So far, eight organisations, including British Airways, the BBC and the pharmacy chain Boots, have publicly revealed that they have fallen victim, but according to Bleeping Computer, this is just the tip of the iceberg. As with previous Clop attacks on managed transfer platforms, there is likely to be “a long stream of company disclosures as time goes on”.

Clop, meanwhile, confirmed that it had stolen data from “hundreds of companies”, which were all subject to the 14 June deadline for negotiating a ransom.

However, the number of organisations embroiled in this attack is so large that the gang took the unusual step of not contacting individual organisations that it has compromised.

Instead, Clop posted a blackmail message on its dark web site telling any firm that didn’t want its breach to be made public to get in touch.

It’s possible, and perhaps even probable, that the majority of organisations did not respond to Clop’s demand because they had no idea that their information had been compromised.

Preparing for failure

As we pass Clop’s deadline for negotiations, we wait to see whether the gang will stick to its word and publish the stolen data or rethink its strategy.

The gang’s threat is certainly not an empty one; ransomware gangs often publish stolen data online if negotiations fail in order to retain their authority. However, they would always prefer to extract money from their victims, and they remain wildly successful in doing this despite cyber security experts’ advice.

The unusual nature of this incident might tempt the gang to extend the deadline, giving it the chance to apply greater pressure on its targets. Clop has already pushed back its time limit once, moving the deadline back two days from 12 June last week.

Amid all this, Progress Software has identified other critical vulnerabilities in MOVEit, which it worked quickly to patch, along with the zero-day vulnerability the criminals exploited.

It’s therefore unlikely that victims will be subject to further breaches, although the compromised information must be disclosed whether they pay up or not.

If you are in any doubt about what to do next, we recommend seeking expert guidance. IT Governance offers a Cyber Incident Response service to help you recover from security incidents.

Our team of experts will review the breach, help you mitigate the damage and ensure that you are up and running again as soon as possible. From ransomware attacks to inadvertent data leaks, we can help you plot the right course to return to work with as little disruption as possible.