After oil giant Shell hit by Clop ransomware gang, workers' visas dumped online as part of extortion attempt

Another day, another data nightmare

Updated Royal Dutch Shell is the latest corporation to be attacked by the Clop ransomware gang.

The extortionists siphoned sensitive documents from a software system used by the oil giant, and have now leaked online some of the data – notably a selection of workers' passport and visa scans – to chivy the corporation along to cough up a ransom. The idea being that if the ransom is paid, no more data will be dumped in public.

Earlier this month, the oil giant admitted a file-transfer application had been compromised, writing in a statement that “an unauthorized party gained access to various files during a limited window of time.”

It attempted to downplay the impact noting that “there is no evidence of any impact to Shell’s core IT systems,” and the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the crooks had probably grabbed “some personal data and... data from Shell companies and some of their stakeholders.”

The Bombardier C-Series jet assembly line in Canada

Clop ransomware gang leaks online what looks like stolen Bombardier blueprints of GlobalEye radar snoop jet


To encourage Shell to pay off the thieves and prevent further stolen data from leaking, the gang has now uploaded to its Tor-hidden website a selection of documents, including scans of purported Shell employees’ US visas as well as a passport page and files from its American and Hungarian offices.

We're not sharing a link to the material for obvious reasons.

The theft and pressure tactics are just the latest in a string of crimes by the Clop gang, which has been primarily going after organizations that deployed vulnerable versions of Accellion's legacy file-transfer appliance, exploiting the software to steal internal information. And so it's no surprise to see the oil giant note: "Shell has been impacted by a data security incident involving Accellion’s File Transfer Appliance. Shell uses this appliance to securely transfer large data files."

A spokesperson for Shell was not available for immediate comment on the aforementioned leaks.

Earlier this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations also appeared on the extortionists' hidden site. And it's far from alone.

Other victims include Canadian aerospace firm Bombardier, which saw details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

And to pile on the pressure, the Clop gang now emails the customers of its victims, warning that data has been stolen and will be leaked if a ransom isn't paid, in an attempt to get said clients to demand the extortionists are paid off to keep quiet, reported BleepingComputer. ®

Updated to add

A PR person for Shell has been in touch to stress once again that the oil giant's Accellion deployment was specifically attacked by thieves rather than its IT systems as a whole. Also, while the Clop gang has in the past infected victims with ransomware, which scrambles files and demands a ransom to restore them, in this case, the crooks simply stole information, according to the Shell spinner.

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," she told us.

"Criminal hackers gained access to files sent by users of the Accellion tool in a short period of time. The incident was isolated to Accellion’s tool and there is no evidence that it affected Shell’s own IT systems. The compromised servers were rebuilt and brought into service with a new Accellion security patch. The security patch closes the vulnerabilities and enhances security controls to detect new attacks." ®

Similar topics

Broader topics

Narrower topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022