Deloitte joins fellow Big Four MOVEit victims PWC, EY


Big Four financial services firm Deloitte confirms to Cybernews that it's part of the latest round of victims claimed in the MOVEit attacks.

The New York City-based global auditing and accounting firm appeared alongside 55 other MOVEit victims named by the Cl0p ransomware gang Wednesday, but Deloitte says the impact on its systems is limited.

This makes Deloitte the third Big Four accounting firm to be claimed by the threat actors on its dark leak site.

Pricewaterhouse Coopers (PWC) and Ernst & Young (EY) were named by the gang on June 23rd, leaving KPMG International as the only Big Four company seemingly unscathed in the massive hacking spree.

“Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance,” the company said in a statement sent to Cybernews Thursday.

“Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact on client data,” a Deloitte Global spokesperson said.

[Image: Deloitte listed on the Cl0p leak site]

The Russian-linked Cl0p ransom group is responsible for exploiting a now-patched zero-day vulnerability in the MOVEit Transfer file-sharing system at the end of May.

According to statistics gathered by the cybersecurity software firm Emsisoft, over 500 companies from around the world have been impacted to date, with more expected to come forward, as experts say thousands of firms currently use the MOVEit Transfer software.

The Big Four accounting firms are responsible for auditing more than 80% of all US companies, according to industry experts.

Unlike with the other Big Four victims, Cl0p has not posted any claim that it possesses data exfiltrated from Deloitte's networks.

[Image: Big Four global accounting firms. Image by g0d4ather | Shutterstock]

On July 19th, Cl0p published samples on its leak site of more than 3TB of sensitive data allegedly stolen from EY during its attack on the London-based firm.

PWC, also headquartered in London, was listed as having 121GB of data plus archives compromised in the hack.

The gang announced that it was looking to sell the compromised information to the highest bidder after negotiations with both firms over its ransom demand apparently failed.

In a statement confirming the breach to Cybernews, EY had, like Deloitte, stated that limited data had been affected in the MOVEit attacks.

In a new tactic, first seen last week, Cl0p created a completely separate URL, available on the clear web, that links directly to the entire trove of stolen PWC data files.

MOVEit victims span multiple sectors

Cl0p, which is said to have exploited the MOVEit zero-day bug via SQL injection, threatened to release the names of its victims, and publish their stolen data, if they didn't pay its ransom demand by June 14th. Shell Global was the first victim to be named on the Cl0p leak site.

Cybernews has confirmed that TD Ameritrade, ING Bank, as well as three other major European banks – Deutsche Bank, Postbank, and Comdirect – were also impacted by the attacks through a common third-party vendor, Majorel.

More recently named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System.

Other big-brand victims include Estee Lauder, Shutterfly, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels' Radisson Americas chain, and the accounting advisory firm Crowe.

Earlier MOVEit victims from June included Sony, Siemens Energy, the NYC Department of Education, and several US government agencies, including the Departments of Energy and Health.

New evidence, exclusive to Cybernews, points to the fact that the pro-Russian gang is still operating in secret within Ukrainian borders.

US officials are offering a $10 million bounty on the Cl0p gang.

Cl0p is a known ransomware syndicate with ties to Russia and has been around since 2019.

The syndicate is known in the cyber industry by many different names, such as TA505, Lace Tempest, Dungeon Spider, and FIN11.