Cl0p Cyber Attack on Payroll Provider Zellis Nets Some Very Big Downstream Fish

Jun 12, 2023

The ransomware group “cl0p” has been known to target file management systems, and they have once again done so successfully. The biggest single target in this recent spree of cyber attacks is UK payroll provider Zellis, and the list of downstream companies that have been compromised is composed of some impressive names: British Airways, the BBC, Jaguar Land Rover, and Aer Lingus among others.

The actual point of compromise is MOVEit, an encrypted and automated file transfer system popular with large businesses for some 20 years now. The attackers are threatening to leak the stolen payroll information if MOVEit does not pay a ransom by June 14; it is unclear if other compromised businesses have been individually extorted.

Fallout from Zellis payroll provider attack flows downstream

There is not yet much public comment from the compromised Zellis clients on the full scope of the breach. It is known that the payroll provider used standardized forms that can contain national identity numbers, banking details and a variety of employee contact information.

However, it is not clear what each individual company had exposed, or how many employees were impacted at each company. Some British Airways employees had banking information taken in the cyber attack, according to an internal company email shared with the media, and several other companies have disclosed that national identity numbers were taken. A full picture of the damage is still emerging.

Cl0p are no strangers to attacking file management systems with an eye toward access to a broad range of clients. They first did this in 2021 with a serious breach of Accellion, then again this past January on Fortra’s GoAnywhere. Cumulatively these cyber attacks have now impacted several hundred companies, all from just three points of compromise in supply chains. Cybersecurity experts have varying prescriptions for dealing with the reality of supply chain attacks, but most come back to one central point: encrypting sensitive data at rest to avoid extortion situations just like this one.

Without exfiltration of usable data, remediation of cyber attacks is much simpler

Cl0p’s “Lace Tempest” hacking group is threatening MOVEit, with about a week left on the deadline for a ransom payment. But there is no word that ransomware was deployed in this case, so if the sensitive employee information had been encrypted the attackers would have walked away with nothing.

Of course, the payroll provider is not the only target of this small spree of cyber attacks. Security researchers report that cl0p has likely been hunting for vulnerable transfer servers since as early as March, and Canada’s provincial government of Nova Scotia has also reported that it was attacked in a separate incident. Research from Smith and Mound has found “hundreds” of exposed servers across 790 total organizations making use of the software. Zellis has said that it is aware of eight clients in total that have been compromised by the cyber attack.
