British Airways (BA), the BBC, Ofcom and Boots were among a number of organisations that were reportedly victims of a major recent cyber-attack, resulting in the breach of numerous staff details.
The stolen data is said to include staff names, staff ID numbers and national insurance numbers (although, importantly, not banking details). But, other than for those personally affected, the real issue is what this attack reveals about the evolution of cybercrime.
More cybercriminals are realising that if they can compromise a trusted supplier, this will lead to the compromise of that organisation’s customers. The hackers can then steal the data and potentially hold both individuals and companies to ransom.
So far, this has proven a more difficult way to make a lot of money. But it’s arguably only a matter of time.
The recent attack was against a piece of software called Moveit, which is used to transfer computer files from one location to another. It involved what’s called a “zero-day exploit”, a piece of computer code that takes advantage of a previously unknown vulnerability.
This allowed hackers to compromise Zellis, a trusted supplier of services to BA, the BBC, Boots and others. Zellis confirmed a “small number” of customers had been affected, adding that it had disconnected the server using Moveit as soon as it became aware of the incident.
Since Zellis is the main payroll service provider to these organisations, it is easy to trace how this incident started. Responsibility for the attack was claimed by the Russia-linked “cl0p” group, which has since issued an ultimatum to the affected organisations – asking for money unless they want the stolen data to be released on the dark web.
Future of cybercrime
Unlike many previous types of attack, particularly those that have employed ransomware, in this case the criminal group launched a mass attack and waited for individual organisations to fall prey, then sought to exploit each one in turn.
This suggests these cybercriminals have learned from previous supply-chain attacks, and are experimenting with making the strategy commercially viable. In supply-chain attacks, cybercriminals target one organisation by attacking an external provider they use.
Groups such as cl0p appear to have watched and learned, especially from the SolarWinds attack of late 2020, where the system for “patching” – doing quick repairs of – a near-ubiquitous software tool was compromised.
This software was widely used across the US government and industry, leading to tens of thousands of SolarWinds clients falling victim, including the Department of Defense, Nasa, TimeWarner and AT&T. Attributed to Russia’s military intelligence agency the GRU, SolarWinds was seen as being mainly motivated by state espionage.
And in the case of Moveit, the cl0p group appears to have taken the logic of supply-chain attacks – which proved so effective against SolarWinds – and wielded it against corporate targets.
This was arguably always going to be an evolutionary step for cybercriminals. First, sophisticated state-sponsored hackers verify an innovative method of attacking computers, as in the case of SolarWinds. Later, criminal copycats such as cl0p apply the same strategy, avoiding the pain of inventing new methods.
The ultimatum issued by cl0p is also revealing about the behaviour and motivation of cybercriminals. It is a strange pivot from traditional ransomware campaigns, where the victims’ payment details were stolen.
In the case of Moveit, it is instructive that cl0p has issued a public ultimatum, telling victim organisations to get in touch unless they want their data to be released into the wild – allowing its exploitation by scammers, fraudsters and other criminals.
Effectively, cl0p is relying on a panic tactic to get organisations to take responsibility for the stolen data and protect their staff’s identities, by volunteering themselves to the criminals for negotiation – presumably on the topic of payment.
This reveals a clear lack of resource – outside the technical “attack teams” – on the part of cl0p to fully exploit its apparent success in compromising Moveit.
This is a potential flaw in the behaviour of such criminal groups. It shows that a move from ransomware-driven campaigns to supply-chain attacks is more difficult to monetise.
The final step in maximising the return from the attack, by making all the victims pay, is clearly harder than with simple ransomware, where the focus is on one target organisation and one route to the pay-out from the crime.
In short, cybercriminal groups have copied the supply-chain attack strategy and are now experimenting with it. But they are struggling to fully exploit and monetise the successes they have with it.
Where ransomware has been the campaign of choice for more than half a decade, we should, however, be concerned that the Moveit attack signals a change of strategy. Supply-chain attacks are effective, and the criminals are now working to refine their methods in order to fully exploit them. As such, it’s very likely that these attacks will only become more widespread.