City of Toronto and Virgin confirm hackers accessed data through file transfer systems

The City of Toronto and British multinational conglomerate Virgin confirmed that hackers were able to access data through a vulnerability in a popular file transfer service that has affected dozens of organizations in recent weeks.

Toronto officials told The Record on Thursday that they are investigating files that were accessed by cybercriminals who hacked into its file transfer system. The city was among dozens of alleged victims recently added to the leak site of the Clop ransomware group, which has spent weeks attacking organizations through a vulnerability in Fortra’s GoAnywhere file transfer product.

In a statement to The Record, city officials said that on March 20 they became “aware of potential unauthorized access to City data.”

“Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system,” said Toronto government spokesperson Alex Burke.

“The City is actively investigating the details of the identified files. The City of Toronto is committed to protecting the privacy and security of Torontonians whose information is in its care and control and successfully wards off cyber attacks on a daily basis.”

City officials told another news outlet on Wednesday that they were not hacked by the Clop ransomware group through the GoAnywhere issue. When asked about these comments, the spokesperson said they have contacted the news outlet with an update “in light of the new information.”

Clop added 39 new victims to its leak site on Thursday that included several high-profile companies.

Virgin confirmed that its rewards club, Virgin Red, was hacked through the vulnerability.

“We were recently contacted by a ransomware group, calling themselves Clop, who illegally obtained some Virgin Red files via a cyberattack on our supplier, GoAnywhere,” a spokesperson said. “The files in question pose no risk to customers or employees as they contain no personal data."

Educational company Pluralsight also told The Record that it did use Fortra’s GoAnywhere Managed File Transfer product to “transfer platform usage data” to their Professional Services customers.

“Pluralsight's products and infrastructure were not affected by this incident,” a spokeswoman said. “When Forta informed us of this incident, we immediately discontinued use of the product and notified all of our affected customers and explained the potential risks to their data.”

Clop originally told Bleeping Computer that it hacked into more than 130 organizations through a vulnerability in GoAnywhere, which is being tracked as CVE-2023-0669.

Last week, Japanese tech giant Hitachi and Investissement Québec confirmed to The Record that they had suffered hacks related to the Fortra issue after being added to Clop’s list.

Rio Tinto, the world's second-largest metals and mining corporation, said it was investigating the issue after also being added to the list. Cloud data management giant Rubrik told The Record it was also hacked while one of the largest health providers in the U.S. and Hatch Bank informed regulatory bodies of their own incidents.

Louise Ferrett, threat intelligence analyst at Searchlight Cyber, noted that this is not the first time Clop has “mass-hacked” a number of organizations by exploiting vulnerabilities in third-party software.

In late 2020 and early 2021 the ransomware group used the same tactic to attack more than 100 organizations with Accellion's legacy File Transfer Appliance, using a combination of zero-day vulnerabilities and a new web shell.

The City of Toronto similarly suffered a data breach in April 2021 due to the Accellion issue.

“This approach of targeting multiple organizations and then announcing them in quick succession distinguishes Cl0p from other ransomware operations,” Ferrett said.

“Clop is a ransomware-as-a-service operation, which means that a number of affiliates use its ransomware in their attacks. It is noteworthy for having links to larger cybercriminal gangs such as FIN11 and TA505, for often targeting high profile organizations, and for its longevity (in dark web terms), having emerged in February 2019 as a variant of the CryptoMix ransomware strain.”