PwC Probes Security Incident Tied to Russian-Speaking Clop Cyber Gang

(Bloomberg) — A criminal hacking gang has added more names to its lists of alleged victims from a recent campaign that exploited a vulnerability in a popular file-transfer product. 

The group, known as Clop, threatened to post internal data from professional services firms PricewaterhouseCoopers LLP and Ernst & Young LLP unless they pay a ransom fee. The scope of the incidents wasn’t immediately clear.

The Russian-speaking gang has in recent weeks launched scores of attacks after discovering a vulnerability in MOVEit, file-sharing software from Progress Software Corp.

PricewaterhouseCoopers in a statement confirmed it used MOVEit software, and that the hack had a “limited impact” on PwC. The firm stopped using the MOVEit platform upon learning of the incident, it said.

“We have reached out to the small number of clients whose files were impacted to discuss the incident,” a company spokesperson said. “Data security is a key priority for PwC and we continue to put the right resources and safeguards in place to protect our network.” 

Ernst & Young has previously said it had launched an investigation into its use of the MOVEit tool and “took urgent steps to safeguard any data.”

“We have verified that the vast majority of systems which use this transfer service across our global organization are secure and were not compromised,” the spokesperson said in a statement from June 16. “We are manually and thoroughly investigating systems where data may have been accessed. Our priority is to first communicate to those impacted, as well as the relevant authorities. Our investigation is ongoing.”

The largest US public pension fund, the California Public Employees’ Retirement System, or CalPERS, also said the personal data of about 769,000 members — including Social Security numbers, dates of birth and potentially the names of family members — have been exposed due to the same MOVEit issue.

CalPERS said a third-party vendor that CalPERS used to help make payments to retirees and other beneficiaries notified the company on June 6 that a MOVEit vulnerability allowed data to be downloaded by an unauthorized party.

“This external breach of information is inexcusable,” said CalPERS Chief Executive Officer Marcie Frost in a statement. “Our members deserve better.”

The US Cybersecurity and Infrastructure Security Agency on June 1 issued an advisory about a vulnerability in MOVEit software, warning that “a cyber threat actor could exploit this vulnerability to take over an affected system.”

Progress has since released a patch to fix the vulnerability, but about 90 companies are so far known to have been affected by the hack, according to cybersecurity researchers.

Last week, Shell Plc said it was investigating a possible data breach after it was targeted by Clop. The gang listed Shell among dozens of other victims including a US university, insurance and manufacturing firms, as well as banks, investment and financial services companies. US government agencies have also been affected. 

Clop has been among the most prolific cybercriminal gangs in recent years, causing hundreds of millions of dollars of damage internationally, according to the cybersecurity firm Trend Micro Inc.

In a statement posted on its dark web page last week, Clop invited victims to reach out and negotiate. “We have information on hundreds of companies so our discussion will work very simple,” the gang said, claiming it had downloaded “a lot of your data as part of exceptional exploit.”

–With assistance from Katrina Manson.

©2023 Bloomberg L.P.