Shell latest victim in Cl0p MOVEit hacking spree


Shell Global has confirmed to Cybernews that some of their systems were impacted by the latest spree of cyber attacks involving a flaw in the MOVEit file transfer system -- and now it appears Shell's data has been published on the darknet.

Cl0p, the Russian-linked ransomware group claiming responsibility for the recent spate of MOVEit attacks, posted the energy corporation at the top of its dark leak site Thursday.

On Friday, the gang posted this message on its leak site, making Shell possibly the first of Cl0p's victims to have its stolen data published for not paying the ransom demand.

"SHELL.COM DO NOT WANT TO NEGOTIATE - DATA POSTED !!!," Cl0p posted.

Shell US spokesperson Anna Arata told Cybernews Friday, "We have not engaged with the Cl0p gang."

[Image: Cl0p leaks Shell data (Cl0p leak site)]

In most ransomware cases, law enforcement advises against negotiating with or paying any sort of ransom demand, mostly because it leaves the victim vulnerable to being a repeat target.

Meanwhile, Shell had confirmed to Cybernews Thursday that the company was one of the hundreds of victims of the MOVEit breach, but that its impact was minimal.

“We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” said Shell US spokesperson Anna Arata in a statement sent to Cybernews.

It’s the second time the oil and gas giant has been impacted in a hack claimed by the ransom gang.

“There is no evidence of impact to Shell’s core IT systems,” Arata said.

“Our IT teams are investigating to understand and manage any risks, and take appropriate action,” she said.

[Image: MOVEit attacks, Shell on Cl0p leak site (Cl0p leak site)]

The Cl0p gang has claimed to have breached over 200 companies worldwide as part of the MOVEit spree, which began last week with an announcement on its victim leak site.

In a letter posted to its victims, Cl0p – who is said to have exploited the MOVEit zero-day bug via SQL database injection – threatened to release the names of its victims if they did not pay an undisclosed ransom amount by June 14th.

The gang also threatened to start leaking stolen data belonging to those victims, but as of Thursday, June 15th, no data appeared to have been published on the Cl0p site.

The names of eleven other organizations appeared on the leak site after shell.com, but it's unclear if they are also victims of the MOVEit attacks.

[Image: Cl0p ransom instructions (Cl0p leak site)]

Progress, the third-party company that supplied the MOVEit file transfer system to Shell, is an American software company that offers business applications software to companies worldwide.

MOVEit is just one of the dozens of third-party tools the software solutions company offers to its business customers.

Progress’ client roster includes “hundreds of thousands of enterprises, including 1,700 software companies and 3.5 million developers,” according to the company’s LinkedIn profile.

Moreover, US marketing firm Enlyft lists over 24,000 companies using Progress software, most of them located in the US and part of the IT sector.

It is unknown how many Progress clients may be using the MOVEit Transfer system.

Security experts say that even if a company didn’t use the file transfer platform itself, a trusted third party, such as a supplier or partner, may have, essentially compounding the impact of the attacks.

MOVEit victims

The US Cybersecurity and Infrastructure Security Agency (CISA) also announced Thursday that several US federal agencies had been impacted by the MOVEit attacks.

CISA director Jen Easterly said the government agencies did not expect any "significant impact" from the attacks.

MOVEit victims who have come forward in the past week include British Airways, the BBC, and Zellis, a UK-based payroll and HR solutions company.

Earlier this year, the Cl0p ransom group claimed responsibility for another similar high-profile zero-day attack involving the Fortra GoAnywhere file-sharing platform.

Shell Global was first named as a Cl0p victim in those attacks.

Besides Shell, the GoAnywhere hack breached dozens of organizations using the third-party file sharing system, including Procter & Gamble (P&G), Hitachi, Rubrik, and Virgin.
