Shell, the British multinational oil and gas company, confirmed a cybersecurity incident on Thursday, acknowledging that it was hit by the Clop ransomware gang’s attack on the MOVEit file transfer tool. Shell, which reported revenues surpassing $381 billion last year, appears on the ransomware group’s extortion list. This marks the second time Shell has fallen victim to Clop’s targeted breaches of file transfer services.
A Shell spokesperson assured that there was no evidence suggesting that Shell’s core IT systems had been compromised. The spokesperson stated: “We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers.” The company made it clear they have no plans to communicate with the hackers and their IT teams are thoroughly investigating the incident.
In the UK, other victims of the MOVEit breach orchestrated by Clop include the British Broadcasting Corporation (BBC), airlines British Airways and Aer Lingus, pharmaceutical retailer Boots, and the national communications regulator Ofcom. Shell and Ofcom seem to have been less severely affected, using MOVEit within restricted contexts.
Ofcom admitted to a limited amount of information being downloaded during the attack. This compromised data includes confidential data relating to the companies it regulates and personal information of 412 Ofcom employees. BBC, British Airways, Aer Lingus, and Boots, however, are potentially more exposed as they were using the MOVEit tool via a third-party supplier of payroll services, Zellis.
Transport for London also confirmed the incident’s impact, highlighting that it affected one of their contractors. A spokesperson for the organization assured that the issue has been fixed and their IT systems have been secured.
The MOVEit breach incident also resulted in a data breach of a contractor operating London’s congestion and parking charges schemes, potentially compromising the personal data of up to 13,000 drivers. Professional services firm EY has also reportedly been impacted by the breach, although it is unclear if EY was a Zellis customer or if they used MOVEit Transfer directly.
This Clop attack follows a series of previous cybersecurity incidents. Shell had previously been targeted by Clop in 2021 via a hack of Accellion’s file transfer appliance. Clop then leveraged the stolen sensitive data to extort the companies using Accellion. The hack affected more than 100 organizations globally. Later, Clop exploited a vulnerability in Fortra’s GoAnywhere file transfer product, leading to data theft from more than 130 companies, governments, and organizations.
The recent wave of breaches has called attention to vulnerabilities in the MOVEit software. Last week, software developer Progress announced a second vulnerability affecting the MOVEit tool, suggesting that further incidents may be on the horizon.