More than 100,000 staff at the BBC, British Airways and Boots are among over 100,000 UK employees who are anxiously awaiting developments after being informed that their payroll data may have been taken in a sophisticated hack, by a prolific cyber crime gang.

The ClOp group, who are believed to be based in Russia, posted a notice last week on the dark web giving an ultimatum to the organisations affected, not just in the UK but all around the world, to contact them by e-mail before 14 June, which obviously is now imminent, or risk having the stolen data published.

It is understood that the criminals hacked into a system called MOVEit, which is a piece of software used by businesses to securely move sensitive files around internal company networks.

Employers have been urged to refuse to pay any ransom the hackers may demand. 

Progress made by the criminals

The hack was first discovered a little over a week ago when US company Progress Software said hackers had found a way to break into its MOVEit transfer tool, sparking an anxious wait to see what the ClOp group do next.

In a statement issued by the hackers they claimed the action was merely “penetration testing service after the fact”. They went on to say in broken English: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit.” They tried to offer some comfort by revealing that they were the only group capable of such an attack and offered an assurance that the data was safe.

Change in tactics

It is seemingly a common thread that the cyber gangs weave, with them wanting to maximise their income without bringing unnecessary attention from law enforcement. Expert analysts at Microsoft said that the request for the organisations themselves to make contact is an unusual step and believe it may be an indication that even the hackers cannot keep up with the scale of the hack.

“Paying” the price

Payroll services provider Zellis, which is based in the UK, is one of the users to be badly hit. They confirmed that eight of their customer organisations have had data stolen as a result, including home addresses, national insurance numbers and, in some cases, bank details, but added that not all firms have had the same data exposed.

Companies urged to carry out safety updates

Among those affected are the BBC, British Airways, and Boots, with other clients thought to include: Jaguar Land Rover, Harrods and Dyson, but there has been no confirmation of whether they have been struck too.

Others known to be impacted are Aer Lingus; the Nova Scotia Government; and The University of Rochester. The UK’s National Cyber Security Centre said it was monitoring the situation and urged organisations using the compromised software to carry out security updates.

Stepping up the technical crime

This latest threat is seen as an escalation of conventional ransomware attacks and has the name “doxware”. With it the hackers have moved on from simply encrypting data and charging for a key.

Here they steal the data directly and threaten to publish it unless the ransom is paid. It is more technically challenging for them, but it also prevents businesses from simply restoring their data from backups and ignoring ransom demands.

Persistent threat

Cyber security experts have long tracked the exploits of ClOp, which although not clarified, are strongly suspected of being a Russian based group, as it mainly operates on forums from that country. It is thought that they use their “tools” as a service and therefore can pop up anywhere in the world.

Several times over the past few years arrests have been made, but as has been demonstrated, the group continues to be a persistent worrying threat.