BBC, BA, Boots cyberattack: Russian hackers far from done, warn experts

by Philip Roth
June 6, 2023
in UK

But now cybersecurity researchers are warning that this incident is far from over — the issue is much wider than previously thought and there are still serious consequences to come.

The Russian cybercriminal gang Clop has been active since February 2019, surviving many challenges, including server raids by Ukrainian police in June 2021, which included arrests of multiple Ukrainian hackers working for them. Clop has so far successfully attacked at least 230 firms, according to cybersecurity researchers.

Cyber attack targeted Windows’ security flaw

The attack occurred due to Zellis falling victim to a cyberattack via one of their third-party suppliers, a cloud storage “Dropbox for enterprises” service called MOVEit. MOVEit was running Microsoft’s Windows server applications and the hackers found a security flaw in these applications and used it as a door to Zellis’s payroll data.

However, MOVEit’s owner Progress says that they have more than 100,000 customers around the world. While we don’t know exactly how many are using the MOVEit software, this means that the issue potentially affects many more victims than we know of, because other companies could be using the software to store confidential corporate information in the cloud.

“Anyone that is running the MOVEit software should assume they might have been breached,” Rick Holland, the chief information security officer at global cybersecurity firm ReliaQuest told The Standard.

“Hopefully, everyone has kicked in their incident response. According to our research, there are more than 1,000 servers [in the world] running unpatched versions of the software.”

He added that Clop essentially has a “treasure trove” of stolen information to sift through. They will go after large organisations that have the money to pay, but it could take a while before victims are notified or discover that their data is compromised.

Huge risk of employee details being exposed online

[Image: Potentially tens of thousands of BBC employees could have been affected by the Zellis data breach / PA Archive]

Unfortunately, the Zellis cyberattack news is far from over — not for Zellis, Progress, or the tens of thousands of BBC, British Airways, Boots, and Aer Lingus employees, Mr Holland warns.

Clop has a website on the Dark Web where it routinely uploads data dumps from the companies it has breached. It has been reported in the media and by some researchers that Clop are ransomware attackers, but the gang are not using malware to lock up computers, with the threat of deleting the data if a Bitcoin ransom is not paid.

The fact that the BBC, British Airways, Boots, and Aer Lingus are not yet listed on the website shows that Clop, which are extortionists, are likely now in negotiation with these firms, according to Mr Holland. The gang makes money by threatening to expose confidential company data if it doesn’t get paid.

“Clop wants to negotiate with them. Typically, the way they work is to set up a chat and email function with the company and say, ‘Hey, pay us.’ Their first move is to negotiate,” he explains.

The Standard has contacted Zellis, Progress, BBC, British Airways, Boots, and Aer Lingus for comment.

You might not even know you’ve been hacked

The other big issue is that, even if your firm has a good security team that has kicked into action and patched the Windows Server flaws for your servers that connect to the MOVEit software, they might still struggle to detect whether Clop has been by to pay a visit.

In order to detect a data breach, enterprises really need to be checking their server logs for the past 90 days, advises Mr Holland. Typically, many companies, including ReliaQuest’s own customers, only keep 30 days’ worth of logs, which are then wiped.

Christopher Budd, senior manager for threat research at British cybersecurity firm Sophos, agrees: “It’s important to note that patching will not remove any webshells or other artefacts of compromise. This makes it critical that MOVEit customers include a check for compromise after deploying patches in addition to deploying patches. Patching alone is not sufficient.”

Clop used SQL injection attacks, which are a type of zero-day vulnerability.

“SQL injection is a command and many customers don’t have enough historical server logs pertaining to their file transfer service provider,” explains Mr Holland.

“Clop is a dangerous ransomware group and was one of the earlier adopters of extorting stolen data, not just pure-play ransomware. Given their propensity to exploit zero-day vulnerabilities, they demonstrate a technical capability beyond many extortion groups.”

Unfortunately, no-one can prevent zero-day vulnerability attacks, warns Mr Holland: “How quickly you respond and mitigate are the most viable courses of action. Rapid patching, abundant logging, and security monitoring are the best bets.”
