Hacker gang Clop deploys extortion tactics against global companies

The Russian-speaking gang of hackers that compromised UK groups such as British Airways and the BBC has claimed it has siphoned off sensitive data from more institutions including US-based investment firms, European manufacturers and US universities.

The group that calls itself Clop, after the Russian word for bedbugs, added German industrial group Heidelberg; Kansas-based Putnam Investments, with $168bn under management; and Leggett & Platt, a $4bn manufacturer in Missouri, to a list of companies it claims to have hacked.

Eight other companies this week made it on to Clop’s list on the dark web. That adds to the news last week that UK groups, including Walgreens-owned Boots, informed employees that their data had been compromised. The issue, first uncovered on May 31, also targeted customers of Zellis, a UK-based payroll provider that about half of the companies on the FTSE 100 uses.

“This is a pretty nasty, and pretty big, incident,” said Ciaran Martin, chair of CyberCX UK who helped found the national cyber security centre. “These companies in good faith were using a service that they trusted.”

The hacking group is pushing for contact with the companies on the list, according to a post on Clop’s dark web site, as the gang demands a ransom that cyber security experts and negotiators said could be as much as several million dollars. Clop is threatening to release sensitive information unless the companies agree to pay “substantial” sums.

A person responding from Clop’s email account declined to comment.

More corporate names are likely to be added over the next few days. Security researchers said Clop took two weeks to disclose a full list of names in a previous hacking campaign. The Clop hackers have set themselves apart, adopting sophisticated methods that go beyond malware-laced emails.

The latest hack exploited a weakness in a “secure” piece of file-transfer software used by hundreds of companies, highlighting businesses’ vulnerability in the face of sophisticated cyber attacks that target flaws in their software supply chain.

Heidelberg, which makes machines for mass-printing, said it was aware of the attack on its system, which “was countered fast and effectively and based on our analysis did not lead to any data breach”.

Putnam and Leggett did not respond to requests for comment.

Investigators have said Clop has emerged as a ransomware operator with technical expertise and strategic patience.

“They have a level of operational acumen that is uncommon,” said Jeremy Kennelly, who studies financial crimes at Google-owned Mandiant, a cyber security company. At the same time, he said, their tactics show Clop understands how and where businesses store their valuable data, before stealing it.

Little is known about Clop other than how they operate. Kennelly and other researchers say some of their code and metadata use Russian, they often stop work over Russian Orthodox holidays and avoid attacking Russian-speaking countries.

Clop hackers over recent months gained access to personal data by breaking into MOVEit, file-transfer software made by engineers at Progress Software.

They then bided their time, spending months investigating the cyber defences of the target companies that pay Progress to secure their data before attacking many companies simultaneously. Some evidence shows Clop had run tests months earlier.

Progress Software, a $2.7bn US company, informed customers on May 31 that it had discovered the same weakness, and issued an emergency fix. It declined to comment further, saying that it was co-operating with US authorities.

“The earliest (breach) we found was on May 27,” said Steven Adair, chief executive of US-based Veloxity, a cyber security company, which was doing first response work at several of its clients. “But there might be others who may have been getting exploited for God knows how long.”

This is Clop’s third known campaign of hunting down the secured data of organisations. Two in the past yielded millions of dollars, researchers estimate, and the names and data of those who refused to pay — from Bombardier to Stanford University — are still available on its dark web leaksite.

Clop’s well-established modus operandi, nicknamed “hack-and-leak”, supposedly sees it delete the data of those who pay, with the price of the transaction varying by company. Intellectual property is some of the most valuable, while personal data is often considered the least valuable.

“That’s an interesting dance,” said Don Smith, vice-president of Secureworks Counter Threat Unit, a cyber security firm. “If they suddenly list a victim and dump their data, they’ve backed themselves into a corner. They’re not getting any money from that victim anymore.”