More than a hundred thousand Britons last week had their data stolen by cyber criminals calling themselves Clop, the Russian word for a blood-sucking bedbug.
The gang, which is well-known to cyber security researchers, raided major employers including British Airways, Boots and the BBC after exploiting a backdoor in software used by a payroll provider.
Information stolen includes national insurance numbers and bank account details.
The massive breach follows a similar attack by a Russian-speaking hacking group on Capita and highlights how criminal cyber gangs are stepping up attacks on the West under the watchful eye of Vladimir Putin.
The Five Eyes nations – America, Australia, Britain, Canada and New Zealand – have warned that “Russian-aligned cybercrime groups” are threatening to “conduct cyber operations” against the West in retaliation for those countries’ support for Ukraine.
Cabinet Office minister Oliver Dowden warned earlier this year about the rise of “ideologically motivated” hackers who are increasingly targeting critical infrastructure and major businesses in an effort to disrupt everyday life.
Measuring the extent to which these attacks are directed by the Kremlin is difficult.
Rafe Pilling, director of intelligence at Secureworks, does not think Clop falls into the category of state-directed Russian cyber gangs.
The group has a long track record of targeting Western businesses and extorting their data for money, suggesting this week’s attack is simply a continuation of business as usual.
However, Putin at the very least tacitly encourages attacks like these by railing against the West in speeches and seemingly tolerating hacks launched from Russian soil.
Jeremy Kennelly, a senior manager with Google Cloud’s Mandiant cybersecurity division, says there “has been some coordination between Russian cybercriminals and Russian state authorities historically”.
Researchers have noted an unusual overlap between known Russian cyber gangs’ activities and military targets after the invasion of Ukraine. The relationship calls to mind the infamous “little green men” who took control of Crimea in 2014.
Putin denied that the heavily armed men in fatigues were operatives of the Russian state, claiming they were simply well-equipped amateurs whose aims happened to coincide with the Kremlin’s.
Now, little cyber helpers seem to be playing a similar role in the war in Ukraine.
Putin has allowed the hackers to operate with impunity from Russian soil - Getty Images Europe
Thanks to a series of arrests over the past two years, more is known about Clop’s members than many similar online criminal organisations.
The gang has been operating for a decade and is believed to have extorted more than $500m from corporate victims spanning banks, airlines, and law firms among others.
The FBI said last week that Clop is “considered to be one of the largest phishing and malspam distributors worldwide” and is thought to have compromised as many as 8,000 companies globally.
“These are the elder statesmen of Russian cybercrime,” says Pilling.
The group’s MO is to steal data and then seek a ransom for it, threatening to leak the sensitive information online if the money is not paid.
Its typical ransom note reads: “If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day.”
In the case of BA, BBC and Boots, the gang found a weakness in a piece of file transfer software called MOVEit that was used by payroll operator Zellis.
Pilling says it would have taken “roughly 15-20 seconds” for Clop to go from detecting a server with the backdoor to planting the data-stealing software.
Google’s Kennelly thinks this latest spree may have left Clop with more stolen information than its members can handle.
In the past, the gang – or “threat actor” in cyber security industry lingo – has contacted individual victims directly to demand money. This week, however, Clop instead published a note on the dark web ordering hacked companies to get in touch.
“The current situation is atypical,” explains Kennelly, “but could be due to the actors being overwhelmed with access and data.”
In a note posted to the dark web, Clop said: “If you are a government, city or police service do not worry, we erased all your data.”
Secureworks’ Pilling thinks this is a sign that Clop members fear the consequences of their actions: “I think they believe that announcement is sufficient to keep them off the radar of law enforcement and to reduce the heat that would be directed at them.”
This is wishful thinking. Western officials are increasingly viewing cyber attacks as a matter of national security and Britain’s National Cyber Security Centre is investigating the latest Clop attack.
Researchers say identifying Clop’s members is difficult because they even tend to stay off cybercrime forums, online bulletin boards where criminals brag about their deeds and sell reams of information stolen from Westerners.
However, its operations are believed to be focused in Russia with some members in Ukraine.
Police raids in Ukraine have helped in decoding Clop's activities - Ukrainian Police
Police raids in Ukraine during summer 2021, and again just weeks before Russia’s 2022 invasion, however, lifted the veil on some of the gang’s alleged members and their lifestyles.
One suspect, an unnamed 36-year-old, lived in Ukraine’s capital Kyiv with his wife. Pictures released by Ukraine’s dedicated Cyber Police force showed the couple living in a smart new-build home in a suburban neighbourhood.
British and South Korean police were also present at the raid after learning that Clop had been targeting banks in their countries, though official sources are tight-lipped about what they learnt during the raid.
Twenty one similar raids in June 2021 resulted in six arrests.
Huge piles of money in different currencies was recovered from the police raids shedding light on Clop's money laundering network - Ukrainian Police
Another alleged perpetrator’s house wouldn’t be out of place in an upmarket British property developer’s catalogue: black marble countertops, a 4-ring gas hob, fully fitted kitchen appliances and children’s drawings taped to some kitchen cupboards.
Yet amongst the domestic trappings police discovered inches-thick piles of dollars, euros and Ukrainian banknotes hidden in safes and alcoves. Five million hryvnia (£108,000) was said to have been seized.
A $55,000 Tesla Model Y sedan was parked next to the house, while a silver Lexus parked outside was taken away on a tow truck, as well as three Mercedes-Benzes – including a £183,000 S63 coupe.
A $55,000 Tesla Model Y is seized by police from a Clop gang suspect - Ukrainian Police
Ukraine’s Cyber Police said at the time of the raid: “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies.”
Experts now believe some of the people arrested in Ukraine were probably money launderers working on Clop’s behalf rather than criminal hackers themselves, mainly because the arrests didn’t appear to slow the ongoing crimes.
Even if Clop can be eradicated, it will not fix the problem.
Western security and law enforcement agencies have long despaired of Russia’s tolerant attitude towards cyber criminals operating from its territory, with a proliferation of gangs.
A report last year estimated that as much as 74pc of money made through ransomware in 2021 was paid to Russian-speaking hackers.
Joe Biden held a call with Putin to discuss how to tackle the issue of hacking two years ago. Yet any hope of a negotiated conclusion to the problem has disappeared following the invasion.
Putin’s little cyber helpers continue to run amok.
