Canada’s biggest gold company has been targeted by shadowy Russian cybercriminal group Clop in a massive global data theft incident that has affected hundreds of corporations and close to 20 million individuals.
Barrick Gold Corp. (ABX-T) is one of a growing tally of at least 376 organizations publicized by Clop in an attack that has seen confidential data stolen from financial firms and health care providers, as well as U.S. government agencies and Canadian municipalities.
Active since at least 2020, Clop traditionally used software to encrypt files of a company or an individual and then demanded ransom so the information could once again be deciphered. But the latest incident involved a mass data theft that occurred in late May at third-party file sharing system MOVEit, owing to a “zero-day” vulnerability in its software – a flaw for which MOVEit had no fix at the time.
MOVEit is owned by Massachusetts-based Progress Software Corp., and its software is used by thousands of corporations for sending and receiving documents. Progress has said it has since fixed the vulnerabilities in its system that allowed the hack.
“This was simply a smash-and-grab attack in which they got off as much as they could from as many companies as they could in the shortest possible time before anyone noticed what was happening,” said Brett Callow, a British Columbia-based threat analyst with cybersecurity company Emsisoft Ltd.
The Russian gang publishes the names of companies affected by its data thefts on the dark web, which features illicit internet content accessible using a specialized browser. The dark web is routinely used by criminals to peddle stolen personal financial information such as credit card numbers, social security credentials and bank accounts.
Clop’s modus operandi is to demand ransom in return for not publishing the data, or to sell it to a third party. It is also notorious for chiding the companies it targets, calling them out for allegedly having weak systems in place to combat cyberattacks.
“The company doesn’t care about its customers. It ignored their security!!!” Clop wrote about Barrick on a dark web page obtained by Mr. Callow, and viewed by The Globe and Mail.
Toronto-based Barrick has not revealed what effect the attack has had on the gold miner, said what data was stolen or even confirmed an attack took place.
“Unfortunately, we do not comment on matters relating to cybersecurity,” Kathy du Plessis, spokesperson for Barrick, wrote in an e-mail to The Globe.
Barrick said in a regulatory filing earlier this year that one of the main goals of chief financial officer Graham Shuttleworth in 2022 was to invest more in cybersecurity initiatives. During the year, he established a cybersecurity risk committee to respond to security breaches, conducted third-party cybersecurity assessments and oversaw cybersecurity awareness training at Barrick.
Other Canadian institutions were also affected by the data breach at MOVEit.
Sun Life Financial Inc. (SLF-T) last week said that the personal information of its U.S. customers was compromised after one of its vendors, Pension Benefit Information, which used MOVEit, was hit by Clop.
The Canadian insurance company in a statement said that information accessed by hackers included names, social security numbers, policy and account numbers, and the dates of birth of some account holders.
Metro Vancouver Transit Police in June revealed it was also affected by the hack. The police organization said that hackers accessed 186 files and that it had launched a review to determine what information was stolen.
“Clop has hit some companies that will hold extremely sensitive information, including one whose clients included the U.S. Department of Justice, the U.S. Department of Homeland Security, Raytheon,” Mr. Callow said. “And who knows where that information may now be.”
While companies can try to keep a close watch on ransomware attacks that happen on their own internal systems, the attack on MOVEit illustrates the challenges that arise when sensitive information is outsourced to third parties.
Mr. Callow says that it is extremely difficult to defend against these kinds of ransomware attacks, and he is only aware of one company that was able to fend off in real time a breach that was in progress.