Image: Fidel Fernando via Unsplash

Tasmania investigating attack after Clop ransomware group adds to victim list

The government of Tasmania is looking into claims that it was attacked by the Clop ransomware group, which has spent weeks exploiting a vulnerability in a popular file sharing tool.

Dozens of governments, businesses and schools – from the City of Toronto to Virgin and Hitachi – have come forward to say data was stolen through a bug affecting Fortra’s GoAnywhere file transfer product. In February, Clop claimed it had attacked more than 130 organizations and it has slowly been adding names to its list of victims since then.

On Friday, Clop added Tasmania, an island state in Australia, to its list alongside several more companies and the U.K. Pension Protection Fund.

“The Government is aware of these reports and they are being investigated,” a spokesperson within Tasmania’s Department of Premier & Cabinet told The Record.

Another victim, Australia’s Crown Resorts, confirmed to The Record in a statement that it was also impacted by Clop’s exploitation of the GoAnywhere vulnerability.

“We were recently contacted by a ransomware group who claim they have illegally obtained a limited number of Crown files. We are investigating the validity of this claim as a matter of priority,” the spokesperson said.

“We can confirm no customer data has been compromised and our business operations have not been impacted. We are continuing to work with law enforcement and have notified our gaming regulators as part of the ongoing investigation and will provide relevant updates, as necessary.”

On Friday, multinational company Procter & Gamble confirmed to the outlet BleepingComputer that it was also attacked by Clop through the GoAnywhere vulnerability.

The ransomware group has previously conducted similar operations, last year attacking a vulnerability in the Accellion file transfer tool to steal data from some of the biggest companies and schools in the world, including the University of Colorado, Kroger, Morgan Stanley and Shell.

Fortra, the company behind GoAnywhere, has faced backlash for its response to the fiasco. Several customers told TechCrunch last week that the company told them their data was safe when it was not.

When asked for a response to the most recent claims, Fortra said it would not comment on specific customers but listed off several actions it has taken to address the issue.

The company claims it implemented a temporary outage of the GoAnywhere service “to prevent any further unauthorized activity” and shared mitigation guidance that included instructions on how to patch the vulnerability – which is tracked as CVE-2023-0669.

“We are working diligently to notify customers who may have been impacted and we coordinated with CISA [the Cybersecurity and Infrastructure Security Agency] to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue,” a spokesperson told The Record.

“We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.