
You Won’t Believe How the Infamous Clop Gang Is Blackmailing Global Corporations!



The Rise of Clop: Russian Hacker Gang Targets Global Institutions

Introduction

In recent years, a Russian-speaking hacker group known as Clop has been making headlines for their sophisticated cyber-attacks on global institutions. This criminal gang has successfully compromised prominent companies such as British Airways, the BBC, and German industrial group Heidelberg. However, their criminal activities extend far beyond Europe, with US-based investment firms, European manufacturers, and US universities also falling victim to their cyber-attacks. Clop’s ability to infiltrate diverse institutions and steal sensitive data has raised concerns about the growing threat of cybercrime in today’s digital age.

New Targets and Growing Ransom Demands

Clop recently announced that they had expanded their list of targeted companies. Notable additions include Putnam Investments, a Kansas-based company managing a substantial $168 billion in assets, and Leggett & Platt, a Missouri-based manufacturer with a market value of $4 billion. The hacker group also targeted Walgreens-owned Boots, Zellis (a UK-based payroll provider), and several other companies, highlighting the breadth of their operation and the severity of the situation.

The brazen hackers are now demanding substantial ransoms from the affected companies. If the demands are not met, Clop threatens to release the stolen sensitive information to the public. Cyber security specialists and negotiators estimated that the demanded ransoms could reach several million dollars for each company, underscoring the magnitude of the financial losses that these cyber-attacks can inflict.

Despite these mounting pressures, Clop’s modus operandi remains consistent – they are looking for direct contact with the affected companies to negotiate the ransom. Their dark web platform serves as a channel for communication, where the criminal group makes their demands and threatens to expose the compromised data.

A Game of Cat and Mouse: The Challenge of Tracking Clop

Law enforcement agencies and cybersecurity experts face a difficult task in tracking down and apprehending the members of Clop. They display a high level of operational sophistication, making use of intricate hacking techniques that surpass simple malware-laced emails. Clop seems to possess an intimate understanding of how companies store their valuable data, allowing them to locate and steal this information with relative ease.

Complicating matters further, Clop’s elusive nature makes it difficult to gather concrete information about the group. However, researchers have discovered certain patterns and observations that shed light on their operations. On several occasions, the hackers have used Russian code and metadata, and they have been observed to suspend their activities during Russian Orthodox holidays. Additionally, they tend to avoid attacking Russian-speaking countries, creating a cybersecurity landscape that is as complex as it is mysterious.

Exploiting Weaknesses in Software Supply Chains

Clop’s recent hacking campaign exposed a vulnerability in supposedly “secure” file transfer software utilized by numerous companies worldwide. This incident emphasizes the susceptibility of organizations to cyber-attacks that exploit flaws within their software supply chains. By identifying and exploiting weaknesses within these systems, Clop was able to gain access to personal and sensitive data, leaving the affected companies exposed and vulnerable.

One prominent example of compromised software was MOVEit, a file transfer system developed by Progress Software. Clop hackers exploited this software to gain unauthorized access to data, spending months meticulously investigating the cyber defenses of target companies. This demonstrates their strategic patience and their ability to launch simultaneous attacks on multiple organizations.

Progress Software, the provider of the compromised software, promptly addressed the vulnerability and released an emergency fix for their customers. Collaboration with US authorities was also initiated to mitigate the damage caused by the breach. However, the exact duration of the cyber-attacks remains uncertain, leaving room for the possibility that many companies were compromised over an extended period with potentially severe consequences.

Clop’s Economic Impact and Targeted Data Wiping

Cybersecurity experts estimate that Clop has generated millions of dollars through their previous hacking campaigns. They employ a method known as “hack-and-leak,” wherein they demand a ransom and subsequently wipe the compromised data of companies that comply. The monetary worth of the ransom varies depending on the target, with intellectual property often being the most highly valued commodity.

Notably, those companies who refuse to pay the ransom have had their names and data added to Clop’s dark web leak site. This public exposure adds an extra layer of reputational damage and potential legal consequences for these organizations. Clop’s ability to extract significant financial gains from their hacking activities highlights the urgent need for improved cybersecurity measures and better protection of sensitive data.

Conclusion

Clop’s cyber-attacks have exposed the vulnerabilities of global institutions, ranging from major corporations to renowned educational institutions. Their ability to infiltrate diverse organizations and steal sensitive data is a concerning development that demands immediate action from law enforcement agencies, cybersecurity specialists, and affected institutions. The rising ransom demands and the potential economic losses that companies could incur underscore the urgency of this issue.

As we navigate an increasingly digital world, the importance of robust cybersecurity measures cannot be overstated. Companies must prioritize the protection of sensitive data and invest in technologies that can combat the ever-evolving tactics employed by criminal organizations like Clop. Collaboration between public and private sectors, the sharing of information and resources, and ongoing education on cyber threats are fundamental in safeguarding against future attacks.

Summary

Clop, a Russian-speaking hacker group, has expanded its cyber-attacks beyond European companies to target US-based investment firms, European manufacturers, and US universities. The group has demanded substantial ransoms from affected companies and threatened to release sensitive information if their demands are not met. Clop’s operational sophistication and ability to locate valuable data highlight the urgent need for enhanced cybersecurity measures. They exploit weaknesses in software supply chains and wipe the compromised data of organizations that comply with their ransom demands. This ongoing challenge necessitates collaboration between public and private sectors and a commitment to developing robust cybersecurity strategies.


—————————————————-


The Russian-speaking hacker gang that has been compromising British groups such as British Airways and the BBC has said it has stolen sensitive data from multiple institutions, including US-based investment firms, European manufacturers and US universities.

The group calling itself Clop, from the Russian word for bedbugs, added German industrial group Heidelberg; Putnam Investments, based in Kansas, with $168 billion under management; and Leggett & Platt, a $4 billion manufacturer in Missouri, to a list of companies it claims to have breached.

Eight more companies joined Clop’s list on the dark web this week. This comes on top of last week’s news that British groups, including Walgreens-owned Boots, informed employees that their data had been compromised. The issue, first discovered on 31 May, has also affected clients of Zellis, a UK-based payroll provider used by around half of the FTSE 100 companies.

“This is a pretty bad and a pretty big incident,” said Ciaran Martin, president of CyberCX UK, who helped found the National Cyber Security Centre. “These bona fide companies were using a service they trusted.”

The hacker group is pushing for contact with the companies on the list, according to a post on Clop’s dark web site, as the gang demands a ransom that cyber security pundits and negotiators said could be up to several million dollars. Clop threatens to release sensitive information unless the companies agree to pay “substantial” sums.

A person who replied from Clop’s email account declined to comment.

More company names are likely to be added in the coming days. Security researchers said it took Clop two weeks to reveal a full list of names in a previous hacking campaign. Clop’s hackers have excelled, employing sophisticated methods that go beyond malware-laced emails.

The latest hack exploited a weakness in “secure” file transfer software used by hundreds of companies, highlighting companies’ vulnerability to sophisticated cyber-attacks that target flaws in their software supply chain.

Heidelberg, which makes mass-printing machines, said it was aware of the attack on its system, which “was thwarted quickly and effectively and based on our analysis did not lead to any data breaches.”

Putnam and Leggett did not respond to requests for comment.

Investigators said Clop emerged as a ransomware operator with technical proficiency and strategic patience.

“They have a level of operational acumen that’s not common,” said Jeremy Kennelly, who studies financial crimes at Mandiant, a Google-owned cybersecurity firm. At the same time, he said, their tactics show that Clop understands how and where companies store their valuable data before stealing it.

Little is known about Clop other than how they operate. Kennelly and other researchers say some of the group’s code and metadata use Russian, and that its members often shut down work on Russian Orthodox holidays and avoid attacking Russian-speaking countries.

Clop hackers in recent months have gained access to personal data by breaking into MOVEit, file transfer software made by Progress Software.

They then bided their time, spending months investigating the cyber defenses of target companies that pay Progress to protect their data before attacking many companies simultaneously. Some evidence shows Clop had run tests months earlier.

Progress Software, a $2.7 billion US company, notified customers on May 31 that it had discovered the weakness and issued an emergency fix. It declined to comment further, saying it was cooperating with US authorities.

“The first (breach) we saw was May 27,” said Steven Adair, chief executive officer of Volexity, a US-based cybersecurity firm that was doing first response work at several of its clients. “But there may be others who may have been exploited for God knows how long.”

This is Clop’s third known campaign to hunt down organizations’ protected data. Two have previously brought in millions of dollars, the researchers estimate, and the names and data of those who refused to pay – from Bombardier to Stanford University – are still available on its dark web leak site.

Clop’s well-established modus operandi, dubbed “hack-and-leak”, sees it wipe the data of whoever pays, with the transaction price varying from company to company. Intellectual property is among the most valuable, while personal data is often considered the least valuable.

“It’s an interesting dance,” said Don Smith, vice president of Secureworks Threat Unit, a cyber security company. “If they suddenly list a victim and download their data, they’ve cornered themselves. They don’t get any more money from that victim.”


https://www.ft.com/content/c1db9c5c-cdf1-48bc-8e6b-2c2444b66dc9
—————————————————-