
Clop attacks large Swiss construction company – US offers bounty of 10 million dollars

The worldwide cyberattack by the Russian-language ransomware gang Clop is expanding. Apparently, a well-known Swiss industrial company, the Marti Group, has also been affected.
Daniel Schurter

The list of victims who have been hacked by the Clop ransomware gang in a global wave of attacks and are now being targeted for blackmail is getting longer.

In the US, companies, universities and government agencies are frantically trying to figure out how much data has been leaked, CNN reported. Watson previously reported on the attacks on the Swiss health insurer ÖKK and the Dutch holiday park operator Landal Greenparks, which is also active in this country.

And now there appears to be another well-known victim that operates in Switzerland and abroad.

Many casualties, consequences difficult to estimate

According to our investigation, Clop appears to have also hit one of the largest Swiss construction companies: the Marti Group, based in Moosseedorf in Bern.

Management initially declined to comment on Monday. Several questions remained unanswered. A call to IT support likewise yielded only the statement that no information was to be given.

With about 6,000 employees, the Marti Group is one of the largest construction companies in Switzerland. According to its LinkedIn page, more than 80 independently managed subsidiaries at home and abroad belong to the holding company.

The group of companies is active as a general contractor in all major construction sectors, including construction, civil engineering and tunnel construction.

Attacks during Pentecost

The Clop hackers are known for their concerted waves of attacks targeting a large number of victims through open security holes. Their recent cyberattacks exploited a zero-day vulnerability in the commercial file transfer platform MOVEit Transfer.

Clop claims to have stolen data from hundreds of companies. The first attacks were noticed on May 27, during the long Pentecost weekend.

Over the past week, the hackers have begun to put enormous pressure on affected organizations, publishing the names of the unwilling victims on their dark web leak site and threatening to make stolen data accessible on the dark web.

As Swiss IT security expert Marc Ruef explained to Watson, it is very difficult to estimate the scope and consequences of the Clop mass attack. “Exploitation” (taking advantage of the vulnerability) started very early and misled many companies.

Comment on the topic?
Watson editor Daniel Schurter can also be reached anonymously through the encrypted Swiss messenger app Threema. His “Threema ID” is: ACYMFHZX. Or write to daniel.schurter [at] protonmail.com. If you register (free) with the Swiss secure mail provider, you can send encrypted e-mails.

US offers bounty of $10 million

According to CNN, the latest wave of attacks also “hacked numerous US federal agencies, including the Department of Energy,” and likely stole data.

Last Friday, the US State Department publicly announced a hefty reward of up to $10 million for information about the Clop gang. The action took place as part of the “Rewards for Justice” project, as reported by the online medium Bleeping Computer.

The tweet says:

Do you have information about ransomware gang CL0P or other malicious cyber actors targeting critical US infrastructure for a foreign government? Send us a message. You may be eligible for a reward

The program was originally created to collect information about terrorists targeting US interests. “Since then, the program has expanded to include information about cybercriminals such as the Conti ransomware operation, Russian Sandworm hackers, REvil ransomware, and the Evil Corp hacking group.”

The unnamed Clop backers announced in early June that all data stolen from government agencies (“governments”) would be immediately deleted. They reiterated this claim in a statement on their dark web page last week. They claim to be purely financially motivated and not interested in politics.

What does the federal government say?

A reaction like the one in the US seems unthinkable in this country.

Watson contacted the National Center for Cybersecurity (NCSC) on Monday. Media spokeswoman Manuela Sonderegger explains that the NCSC has noted “a slight increase in attacks” in recent weeks. The NCSC cannot comment on the recent cyber attacks on Swiss companies by the Clop gang. In principle, no position is taken on specific incidents.

With regard to cyber security at private companies, the NCSC spokeswoman speaks of “own responsibility”.

“With the right protection measures, the risk of a successful cyber attack can be greatly reduced. The NCSC therefore repeatedly warns against the increased security risks of ransomware. Yet many Swiss companies do not or only partially implement this.”

Reports of ransomware attacks rose sharply in 2020 and 2021 and are now stabilizing, the NCSC spokeswoman said. However, this year, in percentage terms, more companies and fewer private individuals are affected than in previous years.

  • 2020: 66 reports
  • 2021: 161 reports
  • 2022: 159 reports
  • 2023: 63 reports (18-06-2023)

In the current year, only about every 10th ransomware report comes from a private individual. It should be noted that there is no general reporting obligation for cyber incidents in Switzerland. It can therefore be assumed that the number of unreported cases is correspondingly higher.

For vital infrastructures, the NCSC operates a platform on which, in collaboration with the intelligence service, “situation information” is shared. In addition, the NCSC provides “technical first aid” in the event of incidents.

Sources

  • edition.cnn.com: A ransomware attack affects schools, businesses and government agencies. Here’s what you need to know (June 16)
  • bleepingcomputer.com: The US government is offering a $10 million bounty for information about the Clop ransomware
  • wikipedia.org: Marti Holding


Source: Watson
