8 Tech And IT Companies Targeted In The MOVEit Attacks

The list of victims claimed by the cybercriminal group Clop includes a number of well-known tech vendors and IT services firms, several of which have so far confirmed they were impacted.

Widespread Attacks

Nearly a month after the discovery of a critical vulnerability in Progress’ widely used MOVEit file transfer software, the impacts from a wave of related cyberattacks and data breaches continue to worsen. Clop, a Russian-speaking cybercriminal group, has claimed responsibility for breaching dozens of organizations by exploiting the vulnerability, and many have confirmed that they were affected.

In all, more than 100 organizations have been listed on Clop’s darkweb site or have separately disclosed a security incident related to the MOVEit vulnerability, according to a tally by Emsisoft threat analyst Brett Callow. At least 15 million individuals have been impacted by the data breaches, Callow said—although the actual number is likely much higher, since the vast majority of affected organizations haven’t shared the number of individuals impacted.

In its widespread MOVEit campaign, Clop has struck a range of organizations including government agencies, insurers, banks and universities. The gang has also gone after a number of tech and IT services companies: At least eight well-known tech vendors and IT services firms so far have confirmed being impacted or have been claimed as victims by Clop. The group has been demanding extortion payments from alleged victims in exchange for not posting stolen data on its darkweb site.

In some cases, after their names appeared on the group’s site, the tech and IT companies have confirmed that they were impacted or are investigating Clop’s claims. For instance, PricewaterhouseCoopers (PwC) and Ernst & Young, which both provide IT consulting among their services, have each confirmed that they’ve been ensnared in the MOVEit attacks. Other companies in the tech and IT space, such as Schneider Electric, have said they did use MOVEit and are investigating if they were impacted.

In addition, some companies have been named as alleged victims on Clop’s site but have yet to comment publicly, such as Microsoft-owned Nuance, Sony and solution provider giant Cognizant.

An organization whose name appears on Clop’s darkweb site is most likely facing a real data extortion attempt by the cybercriminal group, according to Chris Pierson, a former longtime member of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. “By and large, if your name is up there, it means some type of shakedown is occurring,” Pierson, who is now the founder and CEO of cybersecurity firm BlackCloak, told CRN. “There is some type of [extortion] threat to you or your organization.”

While a series of vulnerabilities have been discovered over the past month in Progress’ MOVEit tool, the original flaw (tracked as CVE-2023-34362) has been pinpointed as the source of Clop’s attacks. The vulnerability, which was reported by Progress on May 31, can enable escalation of administrative privileges and unauthorized access, Progress has said. There’s currently no evidence that the other recently identified MOVEit vulnerabilities (CVE-2023-35708 and CVE-2023-35036) have been exploited, Progress said Wednesday in a statement to CRN.

What follows are the key details on eight tech and IT companies targeted in the MOVEit attacks.

Extreme Networks

Among the first tech vendors to confirm that it was impacted in the MOVEit attacks was networking technology firm Extreme Networks. On June 7, Extreme Networks CISO Philip Swain disclosed in a post that the company had “recently” discovered that its instance of MOVEit Transfer “was impacted by a malicious act.” Extreme Networks “took immediate action employing our security protocols and have contained impacted areas,” Swain said in the post. “Our investigation is ongoing and if it is determined customer information has been impacted, we will communicate directly with those customers and disclose all relevant information.” Extreme Networks did not immediately respond to a CRN email Wednesday inquiring if there have been any further updates.

Gen/NortonLifeLock

Among the organizations listed on Clop’s darkweb site is NortonLifeLock, which merged with Avast in November 2022 to form the cybersecurity vendor Gen. In a statement, Gen confirmed that it has used MOVEit in the past and that certain employee data was impacted in the MOVEit attacks—although no data belonging to customers or partners was affected, the company said.

“We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed,” Gen said in its statement. “Unfortunately, some personal information of Gen employees and contingent workers was impacted which included information like name, company email address, employee ID number, and in some limited cases home address and date of birth. We immediately investigated the scope of the issue and have notified the relevant data protection regulators and our employees whose data may have been impacted.”

In January, some Norton and Norton Password Manager customers were notified that the credentials associated with their accounts were likely used by malicious actors to access the services.

PricewaterhouseCoopers

PwC—which offers IT and cybersecurity consulting as well as other tech-related services, in addition to being one of the “Big Four” accounting firms—acknowledged June 22 that it has joined the list of victims impacted by the MOVEit attacks. The company confirmed to CRN that it has used Progress’ MOVEit product and that it has been affected by the attacks, but characterized the impacts on the company and its clients as “limited.”

“Our investigation has shown that PwC’s own IT network has not been compromised and that MOVEit’s vulnerability had a limited impact on PwC,” the company said in a statement provided to CRN. PwC said it has notified the “small number of clients whose files were impacted” in the incident. The company said it had utilized MOVEit “with a limited number of client engagements.”

PwC added in its statement that it had halted use of MOVEit “as soon as we learned of this incident.” The disclosure came after Clop posted on its darkweb site that it had obtained PwC data.

PwC did not immediately respond to a CRN email Wednesday asking if there have been any further updates.

Ernst & Young

Another one of the “Big Four” accounting firms that also has a major IT consulting arm, Ernst & Young, has been among the victims of the MOVEit attacks, as well. Ernst & Young told the BBC on June 12 that it was a victim of the attacks. In a statement provided to media outlets including CRN, Ernst & Young said it is “thoroughly investigating systems where data may have been accessed.”

“We have verified that the vast majority of systems which use this transfer service across our global organization were not compromised,” Ernst & Young said in the statement. “Our priority is to communicate to those impacted, as well as the relevant authorities and our investigation is ongoing.”

In response to an email from CRN inquiring about any updates on impacts from the incident, Ernst & Young said Wednesday it “will not be commenting further” beyond the previously released statement.

Schneider Electric

On Tuesday, Schneider Electric, a major technology provider in segments including power management and industrial automation, said it is investigating after its name appeared on Clop’s darkweb site. In a statement provided to CRN, Schneider Electric confirmed that it has previously used the MOVEit product and that its security team is “currently investigating” the claim that the company has become a victim of the MOVEit attack campaign.

“On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely,” the company said in the statement.

“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities,” the company said. “Our cybersecurity team is currently investigating this claim as well.”

The company told CRN Wednesday that it had no new updates to share.

Nuance, Sony

Tech giant Sony and health-care technology firm Nuance have both been among the organizations listed on Clop’s darkweb site, in connection with the MOVEit attacks, but do not appear to have released a public statement in response to the listing. Nuance, which is owned by Microsoft, was listed on the Clop site on June 16, according to a GitHub page from researcher community Curated Intelligence, which has been tracking the MOVEit hacking campaign. Sony was listed on Clop’s darkweb site on June 23, according to the Curated Intelligence GitHub page. Neither of the companies immediately responded to a CRN inquiry Wednesday.

Cognizant

Another major company in the tech and IT services industry that’s been listed on Clop’s darkweb site in connection with the MOVEit attacks is global IT solution provider Cognizant. The company, No. 6 on CRN’s Solution Provider 500 for 2023, was listed on the Clop site on Tuesday, according to the Curated Intelligence GitHub page tracking the MOVEit campaign. Cognizant did not respond to messages from CRN on Tuesday and Wednesday.

Previously, Cognizant was among the victims of the high-profile Maze ransomware campaign in 2020. The company said at the time that it expected to spend up to $70 million remediating the damage from the attack. Among other impacts, the attackers exfiltrated Cognizant employee data including corporate credit cards and personal data such as Social Security numbers, tax IDs, financial account information and driver’s license and passport details, the company disclosed at the time.