Siemens Energy confirms breach in major Clop ransomware attack via MOVEit vulnerability

Siemens Energy targeted in massive MOVEit attack

Siemens Energy is the next victim of MOVEit Transfer vulnerability

Siemens Energy, along with other energy and technology giants, has confirmed being targeted by the notorious Clop ransomware group, which exploited a zero-day vulnerability in Progress Software’s MOVEit managed file transfer (MFT) software. The Munich-based energy technology company, which employs 91,000 people and posts annual revenue of $35 billion, confirmed that no critical data was compromised, and business operations were not significantly impacted.

In keeping with Clop's modus operandi, the group carries out data-theft extortion attacks, typically threatening to leak stolen data to pressure victims into paying. Following the MOVEit attack, Siemens Energy was listed on the group's leak site, indicating that a breach had occurred. Siemens Energy has, however, assured stakeholders that immediate action was taken upon learning of the incident.

This breach comes as part of a larger campaign impacting several major organizations, such as Schneider Electric, Sony, EY, PwC, Cognizant, AbbVie, and UCLA. The extent to which each entity was targeted in the MOVEit attack remains unclear, as investigations are still ongoing.[1]

Clop exploits MOVEit zero-day vulnerability

The Clop ransomware group is reported to have known about the MOVEit zero-day vulnerability since 2021, but mass attacks exploiting it only commenced in late May 2023. As a result of these breaches, the group claims to have accessed files of hundreds of organizations using the MFT product. Furthermore, the cybercriminals assert that they are the sole group to have exploited the zero-day before it was patched and, thus, are the only ones in possession of the data obtained during the attack.

Notably, the vulnerability exploited in the MOVEit Transfer platform, tracked as CVE-2023-34362 [2], is a SQL injection flaw. Unauthenticated attackers can exploit it to gain unauthorized access to MOVEit Transfer's database. That an injection flaw of this kind existed in a managed file transfer product raises significant concerns about the security of data handled by such platforms.
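To make the vulnerability class concrete, the following is an added illustration of what a SQL injection flaw looks like and how it is closed. It is not MOVEit Transfer code, which is not on this page; the table, column names and sample rows are constructed for the example, and it uses Python's built-in sqlite3 module as a stand-in for the product's database.

```python
import sqlite3

# Constructed sample database standing in for a file-transfer service's user table.
# Added illustration of the SQL injection class; not MOVEit Transfer code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted input is pasted into the query text, so quote characters in the
    # input change the query's structure rather than being treated as data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The query text is fixed; the driver passes the value separately, so the
    # input can only ever be compared against usernames as a literal string.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR '1'='1"
    # The concatenated query returns every row: its WHERE clause was rewritten.
    print(lookup_vulnerable(conn, crafted))
    # The parameterized query returns nothing: no user is literally named that.
    print(lookup_parameterized(conn, crafted))
```

The only difference between the two functions is whether the input reaches the database as part of the SQL text or as a bound parameter; the latter is the standard fix for this vulnerability class, and an audit of a codebase for string-built queries is the corresponding check.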

Implications and response to the MOVEit attack

While the full fallout of the MOVEit attack continues to be assessed, it is evident that it has far-reaching implications. Numerous entities, including companies, federal government agencies, and local state agencies, have reported data breaches exposing sensitive data of millions of individuals.

For instance, Shell confirmed that it had been targeted in the MOVEit attack, and data allegedly stolen from the energy giant has begun leaking.[3] In another instance, the New York City Department of Education admitted that documents containing sensitive personal information of up to 45,000 students were stolen by Clop.[4]

In response to these threats, victims such as Schneider Electric and Siemens Energy promptly deployed mitigations to secure their data and infrastructure. Schneider Electric became aware of the MOVEit software zero-day on May 30, 2023, and implemented measures to strengthen its cybersecurity. Its cybersecurity team is currently investigating the claims made by Clop:[5]

On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely. Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well.

The Clop ransomware attacks via the MOVEit vulnerability highlight the growing need for robust cybersecurity measures, especially in the sectors responsible for critical national infrastructure. The U.S. government is offering a bounty of up to $10 million[6] under its Rewards for Justice program for information linking the Clop ransomware gang, or any threat actor targeting U.S. critical infrastructure, to a foreign government, reflecting the severity of the issue at hand.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
