Cyber- criminals
have told the BBC they do not have data belonging to large UK organisations
thought to be victims of a mass hack.
Firms including
the BBC, British Airways and Boots have told staff that sensitive payroll data
was stolen in last month's breach.
But now the
hackers Clop, speaking over email, claim "we don't have that data".
It raises the
possibility that another unknown hacking gang has the stolen data or that Clop
is lying.
Zellis, the UK
payroll provider that hackers breached to gain access to the BBC, Boots and
BA's data, said it could not comment as a police investigation was ongoing.
Since 14 June,
Clop has been posting company profiles of victims of its hack to pressure them
into paying a ransom.
But none of the
UK's largest and most well-known victims' names has been posted so far.
In small batches
Clop has added the names, websites and company addresses of nearly 50 victims
to its darknet website.
The
organisations include banks, universities, travel firms and software companies
from more than a dozen different countries including the US, Germany,
Switzerland, the UK, Canada and Belgium.
Some of the
companies listed by Clop on their so-called "leak site" have
separately confirmed that they have had data stolen.
Clop is
threatening to publish the stolen data unless victims pay a ransom which is
likely to be hundreds of thousands of dollars or more in Bitcoin.
'We don't have that data'
It is thought
hundreds of organisations who used the file transfer tool MOVEit have had their
data stolen.
That included
eight big UK organisations - among them the BBC, BA and Boots - who were
customers of Zellis which was itself breached through MOVEit.
But in an email
exchange with the BBC the cyber-criminals repeatedly claimed not to have stolen
the Zellis data.
"We don't
have that data and we told Zellis about it. We just don't have it. We are an
old group and have never deceived anyone, if we say that we do not have
information, then we do not have it," the hackers claimed.
Zellis would
only refer us to its previous statement, which said: "We can confirm that
a small number of our customers have been impacted by this global issue and we
are actively working to support them."
The company says
that as soon as it became aware of the hack it took immediate action and
disconnected the computer server on which the MOVEit software was installed.
The firm says it
has brought in an expert external security team to help it respond to the
attack and has notified the relevant UK data authorities.
Multiple possibilities
Cyber-security
experts are puzzled by Clop's claims which further muddy an already complex
situation.
Threat
researcher Brett Callow, from Emsisoft, said Clop could be covering up the fact
it stole the data as part of a sale deal with another hacking group.
But Clop claimed
"we didn't sell anything to other hackers".
Other experts
say there are many possibilities.
"Clop has
no real reason to say they don't have the data," said SOS Intelligence
boss Amir Hadžipasić .
"If they
are telling the truth then it makes me think that some other hackers may have
got in and stolen the data before Clop and if Clop don't have the data then
this situation is less predictable. The files are going to end up somewhere on
the darkweb via another hacking group," he added.
The hack was
first announced on 31 May by Progress Software, the makers of MOVEit.
The criminals
found a way to break into MOVEit and were then able to use that access to get
into the databases of potentially hundreds of other companies.
Since the
initial MOVEit disclosure, however, researchers have found many security issues
within the software which means it is possible that the data was stolen in a
different way by a different group.
On Friday, the
US announced
a $10m reward for "information linking the Clop gang or any other
malicious cyber -ctors targeting US critical infrastructure to a foreign
government".
0 comments:
Post a Comment