Telos confirms data breach over MOVEit bug

Telos, a US defense contractor specializing in cybersecurity, said attackers downloaded its client data by exploiting the MOVEit transfer vulnerability.

Telos was recently posted on the Cl0p gang’s dark web blog, where the gang showcases its latest victims. The Russia-linked cybercartel exploited the MOVEit transfer vulnerability, allegedly breaching hundreds of companies using the service.

Interestingly, the gang later took Telos' name out of the list. The act of supposed good faith could be related to Cl0p’s promise to delete any stolen data related to government agencies.

According to Telos, MOVEit’s developer Progress Software informed the company about the bug on May 31st, prompting Telos to take the platform offline and engage third-party cybersecurity experts to investigate the impact of the incident.

Telos' name listed among Cl0p victims. On June 21, Telos was no longer on the list. Image by Cybernews.

“At this time, our investigation is complete. We identified that information related to a limited number of clients was downloaded without authorization prior to Progress informing us of the vulnerability,” the company’s representative told Cybernews.

Telos is a US-based IT and cybersecurity company primarily serving government and enterprises. The company’s clients include well-known names such as the US Department of Defense (DoD), the Department of State, Raytheon Technologies, and many others.

The company provides extremely sensitive systems to the US military, such as cybersecurity equipment to support the Air Force’s communications architecture, support for weapons systems and mission areas that fall under Air Combat Command defensive cyber operations, and other services.

Telos told Cybernews that the company notified affected clients and will continue to support their response to the MOVEit attacks from Cl0p.

“Telos did not engage with the threat actor or pay a ransom, nor did anyone pay a ransom on our behalf,” the company said.

Why is the MOVEit zero-day important?

The now-patched MOVEit zero-day flaw affected MOVEit Transfer’s servers, allowing attackers to access and download the data stored there. Since organizations used the MOVEit service to send and receive files from their clients using secure channels, attackers were able to access sensitive data.

The Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug. They claim to have breached hundreds of companies in the process. Experts we’ve talked to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.


Cl0p has been posting the names of victims on their dark web leak site since June 14th, with Shell Global, Norton LifeLock, and tens of other names uploaded so far. The extent of the exposed data depends on how a certain company used the file transfer system. For example, Gen Digital, the company behind Norton LifeLock, told Cybernews that only its staff details were accessed.

“Unfortunately, some personal information of Gen employees and contingent workers was impacted, which included information like name, company email address, employee ID number, and in some limited cases home address and date of birth,” a Gen spokesperson told Cybernews.

Who is the Cl0p ransomware gang?

The Russia-linked gang goes by different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The reason behind the various names is simple — the gang is quite old. It was first observed in 2019, which is a long time in the ever-changing ransomware landscape.

Like many other established players, Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means it rents the software to affiliates for a pre-agreed cut of the ransom payment.

The gang employs the “double-extortion” technique of stealing and encrypting victim data, refusing to restore access, and publishing the exfiltrated data on its data leak site if the ransom is not paid.

In 2021, Ukrainian law enforcement dealt the gang a major blow, leading to several arrests and the dismantling of the gang’s server infrastructure. The arrests eventually forced it to shut down operations from November 2021 to February 2022. However, the gang has been steadily recovering since then.