Clop ransomware expands GoAnywhere victims list, as Hitachi and more confirm incidents

Some of the two dozen organizations added to a victim list on Thursday by the Clop ransomware group have confirmed that they were targeted with cyberattacks.

Clop — one of the most active ransomware gangs — has spent the last month exploiting companies after telling the outlet Bleeping Computer that it hacked into more than 130 organizations through a vulnerability in Fortra’s GoAnywhere file transfer product, which is being tracked as CVE-2023-0669.

Most of the listed entities did not respond to requests for comment, but several confirmed to The Record that they had been attacked or had posted statements about cyberattacks.

Japanese tech giant Hitachi confirmed that it was targeted by Clop ransomware actors through the vulnerability, directing The Record to a statement on its website about the incident.

The company said employee data in several countries was accessed and that an investigation into the incident was started once the attack was discovered.

“Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders,” the company said.

The company claimed there was no evidence to suggest its network operations or customer data were compromised in the attack.

Rio Tinto, the world's second-largest metals and mining corporation, declined to comment on being added to Clop’s list of victims but a source close to the company said that it was in the process of investigating an incident connected to the GoAnywhere managed file transfer (MFT) vulnerability.

Investissement Québec, a government organization created to attract businesses to the region, also confirmed to The Record that one of its suppliers was attacked through the GoAnywhere MFT product.

Isabelle Fontaine, director of media and government affairs at the organization, said their systems were not affected but noted that some employees’ personal information was involved.

“All adequate measures have been implemented to protect them. Investissement Québec clients are not at risk. For security reasons and to protect our employees, we will not comment further on the situation,” she said.

In total, Clop added 24 new victims from across the globe to its leak site on Thursday evening. GoAnywhere is widely used by major companies and schools because it is adept at handling large file transfers.

Last month, Fortra published a private advisory within its customer portal explaining that the bug is a remote code injection flaw that requires administrative console access for successful exploitation. In short, if hackers using the vulnerability can get far enough into a system, they can do a lot of damage.

Since then, a handful of victims have come forward to confirm attacks, either to regulatory agencies or to news outlets.

Cloud data management giant Rubrik confirmed to The Record on Tuesday that hackers had attacked the company using the GoAnywhere bug.

One of the largest health providers in the U.S. filed documents with the SEC last month confirming that the sensitive data of more than one million people had been stolen following a breach that involved the compromise of its GoAnywhere system. Two weeks ago, Hatch Bank also said hackers used the Fortra bug to steal 140,000 customer Social Security numbers.

After significant backlash for its initial response to the fiasco, Fortra said it is working with customers and the Cybersecurity and Infrastructure Security Agency (CISA) on a response to the spate of ransomware attacks targeting the zero-day.

Clop ransomware actors have made a name for themselves through attacking file transfer products. They were the primary cybercriminals behind a spate of attacks last year that targeted the Accellion file transfer tool, stealing data from some of the biggest companies and schools in the world including the University of Colorado, Kroger, Morgan Stanley and Shell.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.