Energy giant Shell has been added to the list of organisations subject to a cyber attack in the wake of a widespread compromise of Accellion’s legacy File Transfer Appliance (FTA) product – used to securely transfer large data files within the business.
The incident, which was quietly disclosed last week, saw the organisation compromised through a previously reported vulnerability in the FTA that resulted in a spate of attacks against users including aviation specialist Bombardier, cyber security firm Qualys, Singaporean telco Singtel, and many others.
Shell said that on learning of the incident, it moved rapidly to address the vulnerabilities and has begun an investigation. It said there was no evidence of any impact on its core IT systems, as the FTA service is isolated from the rest of its infrastructure.
“The ongoing investigation has shown that an unauthorised party gained access to various files during a limited window of time,” said the firm in a statement. “Some contained personal data and others included data from Shell companies and some of their stakeholders.
“Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks. We have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.
“Cyber security and personal data privacy are important for Shell and we work continuously to improve our information risk management practices. We will continue to monitor our IT systems and improve our security. We regret the concern and inconvenience this may cause affected parties.”
At the time of writing, Shell had not disclosed the precise nature of the attack, but other victims of the Accellion compromise had seen exfiltrated data published on a dark web leak site operated by the Cl0p ransomware gang – one of a small group of potentially linked actors being tracked as responsible for the attacks.
Mandiant has tracked the initial attackers as UNC2546, and subsequent extortion activity as UNC2582, both of which share overlaps – including IP addresses and email accounts – with previous FIN11, or Cl0p, operations. However, as no known victims have yet been extorted via the Cl0p ransomware itself, but have merely had their data published, the precise nature of the relationship is still mysterious.
As of 1 March 2021, Accellion, assisted by FireEye Mandiant, had formally closed out the investigation into the compromise, saying that all known vulnerabilities had been remediated. As a direct result of the attacks, it has brought forward the end-of-life of the FTA product to 30 April 2021, and is now encouraging users to migrate to its unaffected Kiteworks platform.