Oil and gas giant Shell confirms it was impacted by Clop ransomware attacks

Shell confirmed on Thursday it had been impacted by the Clop ransomware gang’s breach of the MOVEit file transfer tool after the group listed the British oil and gas multinational on its extortion site.

It is the second time that Shell — which employs more than 80,000 people globally and reported revenues in excess of $381 billion last year — has been hit by the Clop gang targeting a file transfer service.

A spokesperson for Shell told Recorded Future News: “We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers.”

They stressed there was “no evidence of impact to Shell’s core IT systems” and said their IT teams continued to investigate the incident. “We are not communicating with the hackers,” the spokesperson added.

Clop’s hack of MOVEit has claimed a number of victims in the United Kingdom, including the BBC, airlines British Airways and Aer Lingus, the pharmaceuticals retailer Boots, and even the country’s communications regulator Ofcom.

Shell and Ofcom appear to be less significantly impacted by the breach as direct users of the MOVEit tool, within limited settings.

Ofcom said “a limited amount of information” was downloaded in the attack, although some of it was confidential and related to the companies it regulates, along with the personal data of 412 Ofcom employees.

However the BBC, British Airways, Aer Lingus and Boots are potentially more exposed to the MOVEit breach as the file transfer tool was being used by a third-party supplier of payroll services to these companies called Zellis.

Transport for London which operates public transport in the capital, has also confirmed being impacted by the incident.

A spokesperson told Recorded Future News: “Like other companies in the UK, one of our contractors recently suffered a data breach. The issue has been fixed and the IT systems have been secured. The data in question did not include banking details and we are writing to all of those involved to make them aware of the incident.”

The Daily Telegraph reported that up to 13,000 drivers on Transport for London’s databases have been warned their personal data was stolen in the incident, which impacted a contractor operating the city’s congestion and parking charges schemes.

BBC News reported that the professional services firm EY has also been impacted. It is not known if EY was a Zellis customer or if they used MOVEit Transfer directly. Two confirmed Zellis users — the BBC and British Airways — have warned their entire payrolls that their data may have been stolen.

Shell was first hit by Clop back in 2021, when the gang hacked Accellion’s file transfer appliance in a plot to extort the companies using it by threatening to leak stolen sensitive information.

The attack on Accellion impacted more than 100 organizations globally, including numerous universities in the United States and the Canadian aerospace manufacturer Bombardier.

Earlier this year, Clop exploited a vulnerability affecting Fortra’s GoAnywhere file transfer product which the group said enabled it to steal data from more than 130 companies, governments and organizations, again for the purposes of extortion.

The software company Progress, which develops the popular MOVEit tool, last week announced a second vulnerability affecting the software, following more announcements of breaches as a result of the program’s issues.