Hitachi Energy emerges as victim of Clop gang’s Fortra attack

Hitachi Energy, the multibillion-dollar power and energy solutions division of Japan’s Hitachi conglomerate, has confirmed that some employee data was accessed by the Clop (aka Cl0p) ransomware cartel in an attack on its systems that originated through a vulnerability in Fortra’s managed file transfer product GoAnywhere.

Hitachi did not disclose what data was affected in the incident, or whether or not it has entered into any form of negotiation with the Clop gang, although the cyber criminals have added its details to their dark web leak site, with the implicit threat that they will leak its data soon if it does not cooperate.

“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyse the nature and scope of the attack,” said a Hitachi spokesperson.

“Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.

“According to our latest information, our network operations or security of customer data have not been compromised. We will continue to update relevant parties as the investigation progresses.”

The disclosure means Hitachi Energy joins a growing list of well over 100 victims that Clop claims to have hit through the Fortra GoAnywhere vulnerability.

The vulnerability itself, which is tracked as CVE-2023-0669, enables remote code execution (RCE) within GoAnywhere, and while it was disclosed and patched over a month ago, the Clop operation was able to take advantage of it to compromise a litany of new victims.

Among those to have already come forward is storage and security solutions supplier Rubrik, which has also been listed and threatened on Clop’s leak site.

In the Rubrik incident, the gang appears to have gained access to a limited amount of data held in a non-production IT testing environment and some customer and partner sales data, but not any data that Rubrik secures on behalf of its customers.

Other organisations recently added to Clop’s leak site include fossil fuel giant Shell and aviation manufacturer Bombardier, although it is unclear whether or not they were compromised via the Fortra bug.

Note that Bombardier was previously a Clop victim in 2021, when the gang attacked it via another compromised file transfer application run by Accellion.

Prolific ransomware family

As the number of new (or repeated) victims being named by Clop demonstrates, the gang remains a highly prolific operator despite law enforcement actions, which clipped Clop’s wings in 2021.

The gang has been around for about four years at this point, and as of late 2021 was thought to have made more than half a billion dollars in ransom payments.

The Russian-speaking gang runs on a ransomware-as-a-service basis, meaning it is used by multiple connected affiliates assigned multiple designations by various researchers, perhaps most significantly the group tracked by Google’s Mandiant as FIN11.

The Clop locker first evolved as a variant of the CryptoMix ransomware family, and is so-named because it appends the extension Cl0p to the files it encrypts.

According to Trend Micro, it targets a victim’s entire network rather that individual machines by accessing the Active Directory server prior to execution to determine the system’s Group Policy, which enables it to persist on victim endpoints even after they have supposedly been disinfected.

Although Clop affiliates have become famous for their exploitation of file transfer vulnerabilities, the locker has more usually been observed being distributed as part of a phishing campaign.

Most recently, SentinelOne’s SentinelLabs reported that it had found the first Linux-targeting variant of Clop in the wild. However, at the present time this variant seems to be under development as its executable contains a flawed encryption algorithm which makes decryption a doddle. A decryptor for the Linux variant can be found on GitHub.

Leave a Reply

Your email address will not be published. Required fields are marked *