The Biggest Hack of 2023 Keeps Getting Bigger

Victims of the MOVEit breach continue to come forward. But the full scale of the attack is still unknown.

In a field of shocking, opportunistic espionage campaigns and high-profile digital attacks on popular businesses, the biggest hack of 2023 isn’t a single incident, but a juggernaut of related attacks that keeps adding victims to its score. In the coming months, more people, as many as tens of millions, could find out that their sensitive information has been compromised. But more still will likely never learn of the situation or its impact on them.

Since May, mass exploitation of a vulnerability in the widely used file transfer software MOVEit has allowed cybercriminals to steal data from a dizzying array of businesses and governments, including Shell, British Airways, and the United States Department of Energy. Progress Software, which owns MOVEit, patched the flaw at the end of May, and broad adoption of the fix ultimately halted the rampage. But the “Clop” data extortion gang had already orchestrated a far-reaching smash and grab. And months later, the full extent of the damage is still coming into view.

Last week, Ontario’s government birth registry, BORN Ontario, said that it suffered a MOVEit-related attack earlier this year in which hackers stole sensitive personal data from 3.4 million people, including 2 million babies as well as expectant parents and those seeking fertility care. The compromised health data dates from January 2010 to May 2023. While organizations like BORN continue to disclose a slow trickle of MOVEit incidents, researchers say that the number of suspected attacks—and the total number of people whose data has already been stolen in these incidents—far exceeds what has come to light.

“I don’t think we’re done hearing about this by any means. We’re going to keep seeing that rolling disclosure over probably the next few months,” says Emily Austin, security research manager and senior researcher at the threat intelligence firm Censys. “These companies are completing their investigations—they’re starting to notify customers who might have been affected.”

Austin points out that one of the nuances of the MOVEit situation is that it is a true software supply chain security issue. The vulnerabilities existed in two versions of the MOVEit service: the cloud service known as MOVEit Cloud, and the local version that institutions run themselves on their premises, known as MOVEit Transfer. The latter is where most of the exploitation occurred. But many organizations that had data stolen in MOVEit exploitation attacks weren’t directly using it. Instead, they’d collaborated with a third party or contracted with a vendor that does. Attackers were able to steal whatever data they could grab from vulnerable MOVEit systems, whether the information was from one institution or many.

“An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero-day vulnerability, and we are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products,” Progress Software said in a statement.

Centralized data repositories like MOVEit have been particularly appealing targets to Clop, which is known for strategically exploiting systems embedded in the software supply chain, including multiple file transfer tools. Earlier this year, Clop claimed it breached more than 100 organizations by abusing the GoAnywhere file transfer tool. The gang also mounted a massive data extortion campaign at the end of 2020 by exploiting flaws in Accellion networking equipment.

The MOVEit incident eclipses them, though, both in the number of victim organizations and individuals whose data was compromised. Antivirus company Emsisoft has been tracking the number of MOVEit victim organizations that have publicly declared they were impacted since May. The researchers have combed individual US state breach notifications, filings with the US Securities and Exchange Commission, public disclosures, and Clop's own disclosure website to tabulate and reconcile the true toll of the attacks.

To date, Emsisoft has concluded that 2,167 organizations have been impacted by the sprawling campaign. The number had been hovering around 1,000 in recent months, but it jumped significantly when the National Student Clearinghouse revealed 890 colleges and universities across the US—including Harvard University and Stanford University—had been impacted by MOVEit breaches. Organizations in the US account for 88.8 percent of known victims, according to Emsisoft, while a smattering of other organizations in Germany, Canada, and the UK have also been exposed by Clop and come forward.

According to Emsisoft’s analysis, around 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted by the incident. From these detailed disclosures, Emsisoft has found that more than 62 million individuals had their data breached as part of Clop’s MOVEit spree. But since there are estimated to be nearly 2,000 organizations that have not revealed how many individuals had personal data affected in their breaches—and since researchers have concluded that there are other impacted organizations that haven’t come forward at all—the true total of people whose data was compromised is likely even larger, possibly on the scale of hundreds of millions of individuals, according to Emsisoft.

“It’s inevitable that there are corporate victims that don’t yet know they’re victims and there are individuals out there who don’t yet know they’ve been impacted,” says Brett Callow, a threat analyst at Emsisoft. “MOVEit is especially significant simply because of the number of victims, who those victims are, the sensitivity of the data that was obtained, and the multitude of ways that data can be used.”

Censys’ Austin says file transfer tools are by their nature a “fantastic target” for cybercriminals. The whole purpose of the tools is to manage and share data, so these services are often trusted with large volumes of sensitive information. BORN Ontario said in a statement last week that the data taken in the breach was from those “seeking pregnancy care and newborns.” This included lab test results, pregnancy risk factors, and procedures. Names, dates of birth, government ID numbers like Social Security numbers, addresses, and more have all been compromised in other MOVEit incidents.

While cybercriminal groups often make headlines for attention-grabbing ransomware or extortion attacks, such as those against casinos, persistent and unrelenting theft, publication, extortion, and trade of people’s sensitive data from sprees like the MOVEit rampage can ruin lives—a cumulative reality that is often overshadowed by individual incidents where profits are on the line. Hacks on schools have revealed details of sexual assaults, child abuse allegations, and suicide attempts, with the Associated Press reporting individuals often don’t know the details have been published. Meanwhile, breaches of mental health service providers have exposed patients’ records.

Callow says that he suspects the slow drip of MOVEit-related disclosures “will rumble on for years.” More broadly, he and Austin emphasize that defenders should prepare for cybercriminals to continue targeting widely used data management software. As Callow puts it, “MOVEit isn’t the first file transfer application to be exploited and it likely will not be the last.”

Just last week, MOVEit developer Progress Software disclosed a new set of vulnerabilities in one of its file transfer tools for servers, known as WS_FTP Server, along with patches for the flaws. The company says that it has not “currently” seen evidence that the bugs are being actively exploited.