Who are the Clop Gang? Russian hackers behind the BBC, BA, Boots cyber attack are on a rampage

The Russian cybercriminal gang Clop has posted a threat on its website on the Dark Web telling victims affected by the recent cyber attack to email them by June 14 to negotiate or face having their private data leaked onto the internet.

This comes following The Standard reporting on Tuesday evening that Clop is not using ransomware for this attack, and instead has a business model of demanding money or leaking information.

When asked by The Standard about whether it had received an extortion request from Clop, the BBC declined to comment, seven hours before posting its own piece on the extortion notice.

The notice on Clop’s website, first seen by the BBC, states: “This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit [sic].”

The post urges victim organisations to send an email to the gang to begin negotiations.

The Government of Nova Scotia in Canada, and the University of Rochester, a private research university in New York, are the first organisations in North America to have confirmed that they, too, have been hit by the MOVEit cyber attack.

News broke on Monday that tens of thousands of employees at the BBC, British Airways, Boots, and Aer Lingus have had their details stolen due to a cyber attack on payroll service provider Zellis. Microsoft blamed the data breach on a Russian cybercriminal gang called Clop.

Cybersecurity researchers are warning that this incident is far from over — the issue is much wider than previously thought and there are still serious consequences to come. The Standard understands that several other British firms have been affected by this cyber attack.

The Russian cybercriminal gang Clop has been active since February 2019, surviving many challenges, including server raids by Ukrainian police in June 2021, which included arrests of multiple Ukrainian hackers working for them. Clop has so far successfully attacked at least 230 firms, according to cybersecurity researchers.

Cyber attack targeted Microsoft server security flaw

The attack occurred due to Zellis falling victim to a cyber attack via one of their third-party suppliers, a cloud storage “Dropbox for enterprises” service called MOVEit. MOVEit was running Microsoft’s Windows server applications and the hackers found a security flaw in these applications and used it as a door to Zellis’s payroll data, according to Rick Holland, the chief information security officer at global cybersecurity firm ReliaQuest.

This is known as a zero-day vulnerability — an undiscovered security flaw in an application or operating system that there is no defence or patch for because no one knows it exists, except for the hackers.

However, MOVEit’s owner Progress says that they have more than 100,000 customers around the world. While we don’t know exactly how many are using the MOVEit software, this means that the issue potentially affects many more victims than we know of, because other companies could be using the software to store confidential corporate information in the cloud.

“Anyone that is running the MOVEit software should assume they might have been breached,” Mr Holland told The Standard.

“Hopefully, everyone has kicked in their incident response. According to our research, there are more than 1,000 servers [in the world] running unpatched versions of the software.”

He added that Clop essentially has a “treasure trove” of stolen information to sift through. They will go after large organisations that have the money to pay, but it could take a while before victims are notified, or discover for themselves, that their data has been compromised.

Huge risk of employee details being exposed online

Potentially tens of thousands of BBC employees could have been affected by the Zellis data breach (PA Archive)

Unfortunately, the Zellis cyber attack news is far from over — not for Zellis, Progress, or the tens of thousands of BBC, British Airways, Boots, and Aer Lingus employees, Mr Holland warns.

Clop has a website on the Dark Web where it routinely uploads data dumps from the companies it has breached. It has been reported in the media and by some researchers that Clop are ransomware attackers, but the gang are not using malware to lock up computers, with the threat of deleting the data if a Bitcoin ransom is not paid.

The fact that the BBC, British Airways, Boots, and Aer Lingus are not yet listed on the website shows that Clop, an extortion gang, is likely now in negotiation with these firms, according to Mr Holland. The gang makes money by threatening to expose confidential company data if it doesn’t get paid.

“Clop wants to negotiate with them. Typically, the way they work is to set up a chat and email function with the company and say, ‘Hey, pay us.’ Their first move is to negotiate,” he explains.

British Airways, the BBC and Aer Lingus did not respond to Mr Holland’s comments on Clop extorting data breach victims.

You might not even know you’ve been hacked

The other big issue is that, even if your firm has a good security team that has already kicked into action and patched the Microsoft Server flaws on the servers that connect to the MOVEit software, it may still struggle to detect whether Clop has already paid a visit.

In order to detect a data breach, enterprises really need to be checking their server logs for the past 90 days, advises Mr Holland. Typically, many companies, including ReliaQuest’s own customers, only keep 30 days’ worth of logs, which are then wiped.

Christopher Budd, senior manager for threat research at British cybersecurity firm Sophos, agrees: “It’s important to note that patching will not remove any webshells or other artefacts of compromise. This makes it critical that MOVEit customers include a check for compromise after deploying patches in addition to deploying patches. Patching alone is not sufficient.”

Clop used SQL injection attacks, which are a type of zero-day vulnerability.

“SQL injection is a command and many customers don’t have enough historical server logs pertaining to their file transfer service provider,” explains Mr Holland.

“Clop is a dangerous ransomware group and was one of the earlier adopters of extorting stolen data, not just pure-play ransomware. Given their propensity to exploit zero-day vulnerabilities, they demonstrate a technical capability beyond many extortion groups.”

Unfortunately, no one can prevent zero-day vulnerability attacks, warns Mr Holland: “How quickly you respond and mitigate are the most viable courses of action. Rapid patching, abundant logging, and security monitoring are the best bets.”
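The two post-patch checks the researchers describe above, confirming that log retention actually reaches back 90 days and looking for server-side files that appeared in the web root after patching, can be scripted. The following Python is an added example written for this article, not code from Progress, ReliaQuest or Sophos; every date, path and file name in it is constructed sample data, and the web-root file types are an assumption about what an IIS-hosted application executes.

```python
"""Two checks a MOVEit Transfer operator can run after patching: does log
retention really cover the 90-day lookback, and which server-side files
changed in the web root after the patch. All dates, paths and file names
below are constructed sample data, not indicators from any real incident."""
import os
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

LOOKBACK_DAYS = 90                              # window recommended in the article
WEB_EXTS = (".aspx", ".ashx", ".asmx", ".dll")  # assumed: server-side types IIS executes

def log_coverage(log_dates, today):
    """Return (days_covered, missing_dates) for the window ending at `today`,
    given the dates for which a daily access log still exists on disk."""
    window = {today - timedelta(days=i) for i in range(LOOKBACK_DAYS)}
    missing = sorted(window - set(log_dates))
    return LOOKBACK_DAYS - len(missing), missing

def changed_since(entries, since, exts=WEB_EXTS):
    """Keep (path, mtime) pairs for server-side files modified after `since`.
    Patching does not remove a webshell, so anything new here needs review."""
    return sorted(p for p, m in entries if m > since and Path(p).suffix.lower() in exts)

def scan_webroot(root):
    """Walk a web root and yield (path, modification datetime) pairs."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            yield str(p), datetime.fromtimestamp(p.stat().st_mtime)

def sample_coverage(retained_days=30, today=date(2023, 6, 7)):
    """Constructed case: log rotation kept only the last `retained_days` days."""
    kept = [today - timedelta(days=i) for i in range(retained_days)]
    return log_coverage(kept, today)

def sample_webroot_check(patched=datetime(2023, 6, 1, 12, 0)):
    """Constructed web root: an old DLL, plus an ASPX and an image written after the patch."""
    with tempfile.TemporaryDirectory() as d:
        for name, when in [("app.dll", patched - timedelta(days=400)),
                           ("new.aspx", patched + timedelta(hours=3)),
                           ("logo.png", patched + timedelta(hours=3))]:
            f = Path(d, name)
            f.write_bytes(b"sample")
            os.utime(f, (when.timestamp(), when.timestamp()))
        return [Path(p).name for p in changed_since(scan_webroot(d), patched)]

if __name__ == "__main__":
    covered, missing = sample_coverage()
    print(f"log coverage: {covered}/{LOOKBACK_DAYS} days, oldest gap {missing[0]}")
    for name in sample_webroot_check():
        print("review after patch:", name)
```

With 30-day rotation the coverage check reports only 30 of the 90 days available, which is exactly the blind spot Mr Holland describes; the web-root check flags only the post-patch ASPX file, not the image or the untouched DLL.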

What to do if you are affected

If you are an employee of any firm that has been compromised in this data breach, or your firm contacts you to say you have been impacted, you should first ask for more details on what information has been leaked about you.

BA said it was “deeply disappointed” that its staff were impacted by the Zellis cyber attack. The airline has provided affected employees with access to a specialist service that helps detect possible misuse of personal information and provides identity monitoring support.

A BBC spokesman said: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

The BBC employee data disclosed includes first and last names, dates of birth, National Insurance numbers, and the first line of their addresses.

An Aer Lingus spokeswoman said: “Aer Lingus has been notified by a third-party service provider (Zellis – provider of HR and payroll support services) that they have experienced a cybersecurity incident, which has resulted in a disclosure of some of our current and former employee data.

“However, it has been confirmed that no financial or bank details relating to Aer Lingus current or former employees were compromised in this incident. It has also been confirmed that no phone contact details relating to Aer Lingus current or former employees were compromised.”

Aer Lingus has established a dedicated phone line, email address, and additional support from its cyber security and data privacy teams.

The Standard has contacted Progress and Boots for comment.

A Zellis spokeswoman told The Standard: “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them. All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”

She added that Zellis took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring, as well as notifying the ICO, DPC, and the NCSC in both the UK and Ireland.

A spokesman for MOVEit software said: “When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps.

“We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”