Lace Tempest hits the UK

11420643683?profile=RESIZE_400xBritish Airways; Boots, a British health/beauty retailer and pharmacy chain; and the BBC are investigating the potential theft of personal details of staff after the companies were hit by a cyber-attack attributed to a Russia-linked criminal gang.   British Airways (BA) confirmed it was one of the companies affected by the hack, which targeted software called MOVEit used by Zellis, a payroll provider.  “We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” said a spokesperson for the airline.[1]

An email sent to BA staff told employees that compromised information included names, addresses, national insurance numbers and banking details, according to the Daily Telegraph, which first reported the breach.  BA said the hack had affected staff paid through BA payroll in the UK and Ireland.

Boots said “some of our team members’ personal details” had been affected.  Media reported that staff had been told that data involved in the attack included names, surnames, employee numbers, dates of birth, email addresses, the first lines of home addresses, and national insurance numbers.

BBC spokesperson also confirmed the broadcaster had been affected. The corporation believes the breach does not include staff bank details.  “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures,” the spokesperson said.  Zellis said a “small” number of its customers had been hit by a vulnerability in MOVEit, a file transfer system used by the company.  “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” it said, adding that the UK data watchdog and the National Cyber Security Centre had been informed.  It is understood the attack has affected eight Zellis customers in the UK and Ireland.

In a tweet on 4 June, Microsoft’s threat intelligence team attributed the attacks on MOVEit to a group it called Lace Tempest.  It said the group was known for ransomware operations and running an “extortion site” carrying data extracted from attacks using a strain of ransomware known as Clop.  Microsoft added: “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”11420854094?profile=RESIZE_400x

Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp.  It is also known to operate the Cl0p extortion site.  The threat actor also has a track record of exploiting different zero-day flaws to siphon data and extort victims, with the group recently observed weaponizing a severe bug in PaperCut servers.[2]

A director for threat research at the US cybersecurity firm Secureworks, said the attack was likely to have been carried out by an affiliate of the cybercriminal gang behind Clop ransomware, as well as the related website, referred to by Microsoft, where stolen data is advertised. Secureworks said the entity behind Clop was a Russian-speaking cybercrime group.  Victims of the hack should expect to be contacted and asked for money for the return of any stolen data.  “Victims will be contacted and if they refuse they will probably be listed and published on the Clop site,” it said.

A spokesperson for MOVEit, which was developed by US firm Progress Software, said it had “corrected” the vulnerability exploited by the hackers.  “We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures,” they said.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

[1] https://www.theguardian.com/technology/2023/jun/05/ba-boots-and-bbc-staff-details-targeted-in-russian-linked-cyber-attack

[2] https://thehackernews.com/2023/06/microsoft-lace-tempest-hackers-behind.html

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!