Swiss health insurance company and holiday provider confirm data theft by Russian gangs

 The insurance company ÖKK and the holiday park operator Landal, which is also active in Switzerland, confirm a hacker attack by the “Clop” gang to watson. Other victims are likely to follow.

The ransomware gang Clop made good on their threat: On the leak site of the notorious cybercriminals, numerous names of some well-known companies were emblazoned on Thursday. Among them: the world's largest mineral oil and natural gas company Shell, but also the Swiss health insurance company ÖKK and the holiday park operator Landal, which also operates in this country.

The outflow of data has so far been limited, as research by watson shows. More victims are likely to follow.

Several new names are listed on Clop's leak site on the dark web. screenshot: watson

The history:

Last week, the Russian-speaking gang revealed on their dark web leak site that they had hacked companies en masse thanks to a little-known vulnerability in a file-transfer tool. At the time, the cybercriminals did not name any names, but instead asked those affected who were using the corresponding software tool to get in touch by June 14, 2023 at the latest.

ANALYSIS

Dangerous hacker gang also threatens Swiss victims with data meltdown - that's behind it

Important to know: These are not ransomware attacks in which the attackers try to encrypt their victims' IT systems with malware.

The perpetrators exploited vulnerabilities in the MOVEit Transfer software to secretly steal data from the servers. And now, as part of the "Hack and Leak" attack, they are threatening to publish the data on the dark web.

That says the health insurer concerned

watson asked the Swiss health insurer ÖKK . The Graubünden company confirms a corresponding cyber attack in connection with the file transfer software MOVEit Transfer.

“We are among the presumably many affected. Our core system with the health data is not affected," explains Patrick Eisenhut, Head of Communications, ÖKK. Personal data such as first name and surname are affected.

"We currently see no reason to respond to the demands."

Patrick Eisenhut, ÖKK

"We have taken immediate measures and are working with external partners," says the ÖKK media spokesman. The cyber security specialists have "already given the all-clear so far" and the affected platform (MOVEit Transfer) has been restarted.

The partner organizations have already been informed, and they are currently examining whether to inform customers directly.

According to the description on its website, ÖKK is an insurance company with 30 agencies that operates throughout Switzerland. Customers: Around 190,000 private individuals and 13,000 companies and public institutions. The annual premium volume amounts to 800 million Swiss francs. ÖKK employs around 490 people and around 15 apprentices.

What does Landal say?

When asked by watson, Simone Clemens, media spokeswoman for Landal GreenParks , confirmed that the company uses MOVEit software, which is used worldwide. As reported in the news, cybercriminals managed to hack this software.

“The cybercriminals also gained access to Landal GreenParks and guest data. We do not know whether they actually made use of this access."

As a precaution, the Dutch data protection authority (Autoriteit Persoonsgegevens) and the guests have been informed. In addition, the server in question was immediately switched off and reconfigured "to ensure that unauthorized persons no longer have access".

The media spokeswoman explains:

“The personally identifiable information that may have been stolen does not include passwords, financial information, or information about future bookings. These are the names and contact details of around 12,000 guests. Given the scale of this MOVEit hack, we believe more companies have reported or will report this hack."

Landal GreenParks is a Dutch tourism company that operates a chain of holiday parks in Europe and also offers accommodation in Switzerland , on Lake Lucerne and in Graubünden .

How many victims are there in total?

This is unknown. Hundreds of companies and organizations around the globe have reportedly used MOVEit Transfer file transfer software.

Clop's dark web page lists a few new names so far, including:

• 1st Source: US Bank.
• Datasite: Cloud provider from Germany
• First National Bankers Bank: United States
• Heidelberger Druckmaschinen AG: Germany
• Landal GreenParks: Holiday park provider with headquarters in Germany, also active in Switzerland
• Leggett & Platt: large US furniture manufacturer
• National Student Clearinghouse: US non-profit educational organization.
• Putnam Investments: The US company manages around 165 billion dollars in customer assets.
• Shell: The multinational oil company headquartered in London is active in more than 140 countries and has annual sales of around 180 billion US dollars.
• UnitedHealthcare Student Resources: US health insurer.
• University of Georgia: US educational institution

As the ÖKK example shows, it is questionable whether these organizations suffered any major data leaks.

Could there also have been massive data leaks?

"Definitely," says Swiss IT security expert Marc Ruef.

“Here, for example, the network topology plays an important role: How is the network structured, which transitions are protected by firewalls and where is the attacked component located. Anyone who did their homework didn't make it easy for the attackers."

Estimating the scope and effects of the Clop mass attack is very difficult. "Exploiting" (taking advantage of the vulnerability) started very early on and caught many companies on the wrong foot.

“The question arises to what extent the attackers were able to automate the exploitation of the vulnerability and the gathering of the data. We assume that, especially in the initial phase, the attackers had to do a lot of manual access, which made the enforcement of attacks rather sluggish.”

Note on the topic?

watson editor Daniel Schurter can also be reached anonymously via the encrypted Swiss messenger app Threema. His "Threema ID" is: ACYMFHZX. Or you can write to daniel.schurter [at] protonmail.com. If you register with the Swiss secure mail provider (free of charge), you can send encrypted e-mails.

Sources

• wikipedia.org: Landal GreenParks
• wikipedia.org: ÖKK

Ransomware gang Clop attacks hundreds of companies - Swiss pharmaceutical multinational on the list of victims

Black Basta attacks well-known Swiss aviation company - cyber attack raises questions

commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial commercial