HALIFAX — Microsoft security experts say hackers affiliated with the notorious Clop ransomware group are behind an attack on a third-party file sharing system that resulted in the theft of personal data belonging to Nova Scotians.
The Nova Scotia government said it is still trying to determine how many people had their data stolen in the attack on MOVEit software, which is used by companies all over the world. The provincial government confirmed Sunday that it used the software and that some residents' data has been breached as a result of the attack.
The Nova Scotia Heath Authority website said MOVEit is used to share sensitive and confidential information with partners and external clients.
"Our investigation is ongoing, and we don’t yet know the full extent of who has been directly impacted," Khalehla Perrault, spokesperson for the Nova Scotia Department of Cybersecurity and Digital Solutions, said in an email. "We are taking this very seriously and are doing everything we can to determine the impact in our province, as fast as possible."
The MOVEit software made by Massachusetts-based company Ipswitch allows organizations to transfer files and data between employees, departments and customers. Progress Software, the parent company of Ipswitch, confirmed a vulnerability in its software last week, saying the issue could lead to potential unauthorized access of users' systems and files.
The province then took the service off-line and installed a security update before bringing it back online Friday, only to be told further investigation was needed. Cybersecurity experts were then called in on Saturday evening.
Microsoft Threat Intelligence said in a tweet Sunday that the Lace Tempest hacking group, which is known for running the Clop extortion site, exploited that vulnerability. "The threat actor has used similar vulnerabilities in the past to steal data (and) extort victims," the tweet said.
News reports showed the BBC, British Airways and U.K. pharmacy chain Boots were among the victims.
Clop is a long-running ransomware gang with ties to Russia, said Keegan Keplinger, a senior threat researcher with Waterloo-based cybersecurity firm eSentire. They go after large companies and organizations with big budgets, he said in an interview Monday.
By targeting a file-transfer software company, the hackers then gain access to many companies and organizations — all of MOVEit's clients — as well as all of the files they've moved with the system, Keplinger said. They are also able to directly transfer their own files to all of those clients, he added.
Clop stole personal data from the City of Toronto in March by hacking into a third-party file-sharing service called GoAnywhere, according to several online technology publications, including IT World Canada.
Keplinger said that typically, the hackers will take personal data and then threaten to publish the data unless those companies or organizations pay a ransom.
"If they've got a bunch of private, personal data, then they're of course going to try to get Nova Scotia to pay them not to publish it," he said in an interview. "Otherwise, either way, whether they publish it or not, they'll have that data."
Keplinger said it's possible the Nova Scotia government is negotiating with the hackers.
Spokespeople for the Prince Edward Island and Newfoundland and Labrador governments said the provinces do not use MOVEit software.Â
Kelly David, a spokesperson for New Brunswick's Finance and Treasury Board, did not say if the government used the software.
"Based on our assessments, there are no impacts to (the government). As part of our standard cybersecurity due diligence, we will continue to monitor and assess the situation," David said in an email.
British Columbia uses the software, but the provincial Department of Citizens’ Services said in an email that the vulnerability exploited by the hackers was patched and no data was stolen.
The Office of the Privacy Commissioner of Canada said it received a breach report from Nova Scotia and has requested more information to "determine next steps."
This report by The Canadian Press was first published June 5, 2023.
Sarah Smellie, The Canadian Press