Shell reveals customers impacted in MOVEit attack


Shell Global is attempting to reach customers whose personal information may have been exposed during the recent Cl0p zero-day attack on the MOVEit file transfer system.

The oil and gas giant posted a breach notice on its corporate website boldly labeled “Important information about MOVEit Transfer cyber security incident.”

“We are trying to contact you about a cyber security incident that has resulted in the disclosure of some of your personal information,” the notice reads.

[Image: Shell MOVEit web notice. Source: shell.com]

The notice continues, “A cyber security incident that has impacted a third-party software from Progress called MOVEit Transfer, which was running on a Shell IT platform.”

The company states that MOVEit Transfer was used by a “small number of Shell employees and customers.”

“Some personal information relating to employees of the BG Group has been accessed without authorization,” Shell states.

On June 15th, Shell had confirmed to Cybernews that some of their systems were impacted by the Cl0p MOVEit spree.

That same day, Shell.com was listed at the top of Cl0p’s dark leak site, making Shell the first victim to be named out of hundreds of companies suspected to be affected by the breach.

In the notice, Shell also denies the incident was part of a ransomware event.

Shell had told Cybernews in June it had in no way "engaged" with the Cl0p gang at any point in the aftermath of the MOVEit hack.


“This was not a ransomware event. There is no evidence of impact to any other Shell IT systems. Our IT teams are investigating,” the company said.

Shell then provides a list of toll-free phone numbers, covering twelve different countries, for its customers and employees to call “for more information on your situation.”

[Image: Shell customer contact numbers, MOVEit attack. Source: shell.com]

Additionally, below the list of toll-free numbers, the company also provides an alternative contact form for individuals to fill out so “a member of our team will get in touch.”

Cl0p and the MOVEit attacks

In a letter posted to its victims, Cl0p – who is said to have exploited the MOVEit zero-day bug via SQL database injection – threatened to release the names of its victims and publish compromised data if the companies did not pay an undisclosed ransom amount by June 14th.

Soon after, Cl0p claimed to have posted data stolen from Shell Global, accusing the company of refusing to negotiate.

On Cl0p’s dark leak site for Shell, the gang posted “Files Part 1” and an apparent web link to conduct a secure and remote file transfer of the stolen data, followed by almost two dozen separate zip files, labeled Download 1 through Download 23.

[Image: Shell data posted after the MOVEit hack. Source: Cl0p leak site]

MOVEit Transfer is a managed file transfer software system used by thousands of companies around the world to send and receive files from their clients using secure channels.


In a “who's who” of victims, PWC, Ernst & Young, Sony, Siemens Energy, UCLA, and the NYC school systems have all admitted to being affected by the attacks.

The US Department of Energy and Health and Human Services were among several government agencies affected in the hack, prompting the White House to issue a $10 million reward for any information leading to a Cl0p arrest.

It’s the second time Shell Global has been impacted in a hack claimed by the ransom gang.

This spring, Cl0p claimed responsibility for another similar high-profile zero-day attack involving the Fortra GoAnywhere file-sharing platform.

Shell Global was first named as a Cl0p victim in those attacks.

Besides Shell, the GoAnywhere hack breached dozens of organizations using the third-party file-sharing system, including Procter & Gamble (P&G), Hitachi, Rubrik, and Virgin.

Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.

The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing exfiltrated data on its data leak site if the ransom is not paid.
