Russian-speaking gang spark data scare with huge cyber-attack

EXCLUSIVE – Warning that BBC stars whose personal details were exposed in massive cyber-attack by Russia-linked hackers will be held to ransom for MILLIONS after gang sparked security scare

  • Gold Tahoe has been operating since 2015 and is responsible for major attacks  

Fears are growing that BBC stars whose personal details have been exposed in a massive cyber-attack by a shadowy Russia-linked gang will be held to ransom for millions, MailOnline can exclusively reveal today. 

The group of cybercriminals who dub themselves the ‘Clop team’ has been active since at least 2015 and is thought to be responsible for yesterday’s attack which saw more than 100,000 employees from the BBC, British Airways and Boots have their data compromised.

The gang unleashes malware ‘hack and leak attacks’, extracting employee data from companies before exposing them online.

Criminals will then hold the information at ransom until companies, and sometimes individuals, pay large sums of cryptocurrency, anywhere between hundreds of thousands to tens of millions of pounds, to have it removed.

To date, the seedy gang has been responsible for three major attacks, affecting individuals all over the world, and seeing law enforcement officers from the United Kingdom, United States, South Korea and Ukraine all joining forces to expose the group.

Last year six members of the ‘Clop’ gang were arrester in Ukraine following a similar attack on South Korean and American organisations 

Hackers from the Russian-speaking gang are said to be behind the attack that has affected thousands of staff from the BBC, Boots and British Airways 

Between December 2020 and January 2021, the gang infiltrated Accellion File Transfer Appliance which was used by 25 organisations across the globe.

A month later, data extracted from the companies appeared to be dumped online, under the gang’s secret website, with victims receiving extortion demands from the group which dubbed itself ‘the CLOP ransomware team’.

READ MORE: Russian hackers are blamed for huge cyber-attack that saw personal details of thousands of BBC, British Airways and Boots staff

Earlier this year, the group targeted a similar service called GoAnywhere, with the group claiming it had stolen data from 130 organisations in what is called a ‘hack and leak’ attack.

In one joint law enforcement operation between Ukraine, the US and UK, Ukrainian police swooped in, seeing six people, believed to be part of the Clop gang, arrested in the Kyiv region. 

The hackers had been involved in a ransomware attack on American South Korean companies. Four South Korean companies were attacked with the Clop virus in 2019, with 810 employees computers being blocked.

While in 2021, the gang members carried out an attack, taking personal data and financial reports from Stanford University School of Medicine, University of Maryland and University of California.

In a similar ploy, the groups had demanded a ransom fee for decrypting the data, threatening to publish confidential details if the money was not handed over. The total amount of damages was said to be 500 million dollars. 

Now security experts claim the dubious criminals are behind the attack on the Bristol-based payroll provider Zellis, who provides services for the BBC, British Airways and Boots, among five other companies.

Home addresses, bank details and national insurance numbers have all been stolen. 

The attack means that the broadcast Corporation’s biggest stars, such as Gary Lineker, Naga Munchetty and Amol Rajan, could all see their data being held for ransom by the group.

And this ‘won’t be the last of these attacks’, according to Rafe Pilling, Director of Threat Research, at US cybersecurity firm Secureworks.

According to Mr Pilling the group, believed to be behind the Zellis attack, are ‘Russian speaking’ and ‘most likely distributed across Russia and Commonwealth Independent State’ countries, which include Azerbaijan, Belarus and Ukraine.

The cyber attack targeted Zellis, a payroll provider used by hundreds of companies in Britain

Some of the BBC’s biggest names, such as Amol Rajan, may have been affected by the breach

He said: ‘Once the data has been stolen, criminals likely engage with victims and will offer to not publish or delete data for money. They initially publish a small amount of data and if companies don’t pay up, they will publish more on the dark web.

‘Companies and people can end up paying hundreds of thousands to tens of millions of pounds in cryptocurrency.

‘The hackers try to conduct a degree of assessment to what a victim can afford and then base negotiations off that.’

In the most recent attack on British firms, it is thought the members of the Clop team were able to exploit a flaw in a software app called MOVEit Transfer, used by companies worldwide to transfer files – as businesses scramble to find out how much data has been stolen in the breach which could have affected 100,000 people.

Mr Pilling added that from anecdotal experience, his group suspects that less than 50 per cent of hack and leak victims will end up paying a ransom. 

‘It’s an unfortunate situation and it won’t be the last of these attacks’, he added.

‘Ransomware and hack and leak attacks are increasing problems. The private sector and government are working on it, but it is an increasing assault on our digital identities and assets.’

Bosses at BA wrote to their 34,000-strong workforce yesterday warning them of the breach. 

The BBC employs more than 21,000 people. One insider told The Times: ‘Anyone who has had any interaction with payroll has potentially been caught up in this.

‘It will have affected a lot of people.’

Boots, which has 50,000 staff members, said a ‘global data vulnerability’ was responsible for the breach

Last night, bosses at BA wrote to their 34,000 members of staff warning them of the breach 

BBC stars, such as Gary Lineker, could be amongst the 21,000 employees affected by the attack

In an email to staff, seen by the newspaper, the BBC’s chief financial officer Alan Dickson said: ‘Please be vigilant for any activity that seems unusual. These types of incidents can expose individuals to a higher risk of being victim to scams, identity fraud and unsolicited contact.’

The BBC told MailOnline: ‘We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate.

‘We take data security extremely seriously and are following the established reporting procedures.’

It is understood that the data breach did not include the bank account details of BBC staff.

A spokesman for Boots, which has 50,000 members of staff, said: ‘A global data vulnerability, which affected third-party software used by one of our payroll providers, included some of our team members’ personal details.

‘Our provider assured us that immediate steps were taken to disable the server, and as a priority we have made our team members aware.’

Zellis said: ‘We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

‘There are no associated incidents or compromises to any other part of our IT estate.’

The Information Commissioner’s Office and the pensions ombudsman are assessing the situation.

The Data Protection Commission and National Cyber Security Centre have also been informed.

There has been a sharp rise in the number of incidents linked to Russia since it invaded Ukraine in February last year.

Emma Whitmore of Edgio, a security software group, said the latest attack showed that no organisation was safe from the hackers.

It comes after outsourcing firm and government contractor Capita was recently affected by a cyber-attack that saw some customer, supplier and staff data accessed by hackers.

Capita said it faces a bill of up to £20million to deal with the incident, including for recovery and remediation costs and to invest in reinforcing its cyber security defences.

British Airways suffered a data hack in 2018, when the attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff.

It included the names, addresses, payment card numbers and the three digits on the back of cards of 77,000 customers, and card numbers only for 108,000 customers.

The airline was fined £20 million by the ICO after investigators found it should have identified the security weaknesses that enabled the attack.

Source: Read Full Article