The Weekend the World's Files Were Stolen: MOVEit and Cl0p

The alerts started arriving on the morning of May 31, 2023 — not at one organization, but at hundreds simultaneously. System administrators logging into their MOVEit Transfer dashboards found unfamiliar administrator accounts nobody had created, file access logs showing systematic data downloads, and buried in their web server directories — a previously unknown .aspx file.

For organizations that caught it quickly, the horror was in the realization that there was nothing left to stop. The attacker was already gone. The data was already gone. Cl0p had come and gone like a ghost, and the only question remaining was when the group’s dark web leak site would begin publishing the proof.

This was not a conventional ransomware attack. There were no encrypted files, no ransom note on the desktop. Cl0p had done something more sophisticated: found a vulnerability giving them a master key to one of the world’s most widely deployed enterprise file transfer platforms, waited for the moment of maximum impact, and turned that key in every lock simultaneously — over a single American holiday weekend.

By year’s end, security firm Emsisoft’s tally would reach 2,611 organizations and 77 million individuals whose data had been exposed. No operation in cybersecurity history had compromised so many organizations through a single vulnerability in such a compressed window. The software was MOVEit Transfer, made by Progress Software of Waltham, Massachusetts. The vulnerability was CVE-2023-34362. The group was Cl0p.

Threat Actor Profile: Cl0p (TA505)

Designation: Cl0p; tracked as TA505 (Proofpoint), LACE TEMPEST (Microsoft), Dungeon Spider (CrowdStrike), FIN11 (Mandiant)
Attribution: Russian-speaking cybercriminal organization; multiple members arrested in Ukraine in June 2021 by Ukrainian National Police in cooperation with Interpol, but core operations continued uninterrupted
Origin: Russia/Ukraine; likely operating under Russian government tolerance
Primary Mission: Large-scale financial extortion through data theft and threatened public exposure; specialized focus on Managed File Transfer (MFT) software as a preferred attack vector
Known Tradecraft: Zero-day exploitation of enterprise software, custom web shell deployment, bulk data exfiltration, double-extortion via leak site, mass exploitation campaigns timed to maximize victim count before detection, patient zero-day hoarding

Notorious Operations:

  • Accellion FTA (2020–2021): Cl0p exploited multiple zero-days in Accellion’s legacy File Transfer Appliance, compromising the Reserve Bank of New Zealand, the University of California, law firm Jones Day, and others. Established Cl0p’s MFT targeting pattern.
  • GoAnywhere MFT (2023): In February 2023 — months before MOVEit — Cl0p exploited CVE-2023-0669, hitting 130 organizations including Procter & Gamble, Hitachi Energy, and the City of Toronto. The dress rehearsal.
  • MOVEit Transfer (2023): The operation described in this article — the most numerically impactful single exploitation campaign in cybersecurity history as of 2024.

MOVEit Transfer: The Invisible Infrastructure of Enterprise File Exchange

MOVEit Transfer is what the industry calls a Managed File Transfer (MFT) platform — the industrial plumbing of large-organization data exchange. It is the system a hospital uses to send patient records to an insurance company, that a payroll processor uses to transmit employee data to client firms, that a government agency uses to receive tax documents from citizens. MFT software exists because email is too insecure, FTP is too primitive, and consumer cloud storage lacks the compliance controls regulated industries demand.

This is precisely what makes MFT software such an attractive target. The design purpose of MOVEit is to aggregate sensitive data transfers in a single accessible platform. Files flowing through a corporate MOVEit instance on any given day might include payroll data for 50,000 employees, healthcare claims for millions of patients, and contract documents from dozens of organizations. Compromising MOVEit doesn’t give an attacker one organization’s data — it can give them the data of every organization trusting MOVEit to handle their sensitive transfers.

Cl0p understood this. It had demonstrated as much with Accellion and GoAnywhere.

The Vulnerability: CVE-2023-34362

CVE-2023-34362 is a critical SQL injection vulnerability in MOVEit Transfer’s HTTPS-accessible web interface, carrying a CVSS score of 9.8 out of 10.0 — near-maximum severity indicating a remotely exploitable, unauthenticated vulnerability requiring no special privileges or user interaction.

SQL injection is one of the oldest vulnerability classes in web application security — perennially near the top of the OWASP Top 10. When a web form passes user-supplied input directly to database queries without proper validation, an attacker can manipulate those queries to extract data, bypass authentication, or execute operating system commands.

In CVE-2023-34362, an unauthenticated attacker could send a specially crafted HTTP request to any MOVEit Transfer server and inject SQL commands into the backend database — gaining administrative access, reading and exfiltrating all stored data, and creating persistent administrator accounts.
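To make the vulnerability class concrete, here is an added illustration (not MOVEit code, and not a reconstruction of the actual flaw) of the pattern the paragraph above describes: a lookup that splices user input into the SQL text, beside the parameterized version that fixes it. It runs against an in-memory SQLite database seeded with two constructed user rows, so the difference in behaviour can be observed directly.

```python
"""Added example of the SQL injection class behind CVE-2023-34362.
Not MOVEit code: the table, the rows and the lookup functions are
constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("svc_admin", 1)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    """Vulnerable: the username is concatenated into the SQL text, so input
    containing a quote changes the structure of the query, not just its data.
    A tautology in the input makes the WHERE clause match every row, which is
    how 'extract data' and 'bypass authentication' happen in practice."""
    sql = ("SELECT username, is_admin FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    """Fixed: a bound parameter is always treated as a value, never as SQL.
    The same input is simply a username that matches nothing."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the string literal
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns []
```

The fix is the same in any stack: the database driver, not string concatenation, must separate code from data. In ASP.NET that means `SqlParameter` objects on a `SqlCommand`; here it is the `?` placeholder of the sqlite3 module.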

The vulnerability had existed in the codebase for an unknown period. Cl0p’s timeline, reconstructed by Mandiant and NCC Group from forensic artifacts, suggests the group may have discovered it as early as July 2021 — nearly two years before mass exploitation. Evidence of exploratory use appears in some victim environments from January 2023. But Cl0p didn’t use it for targeted attacks. They saved it. They refined their tooling. And when the moment came, they used it against everyone.

LEMURLOOT: The Web Shell That Did the Dirty Work

SQL injection gave Cl0p the key. LEMURLOOT was what they did with it.

After gaining administrative access via the SQL injection, Cl0p’s framework deployed a custom ASP.NET web shell — a malicious script placed in a directory accessible to the MOVEit web server, given inconspicuous filenames like human2.aspx to blend with legitimate application files. Mandiant named the tool LEMURLOOT and published the first detailed technical analysis.

LEMURLOOT was purpose-built for the MOVEit environment with capabilities indicating significant preparation time:

  • File enumeration and exfiltration: Listed and downloaded all files stored on the MOVEit server — potentially years of sensitive transfers.
  • Azure Blob Storage credential theft: Many MOVEit deployments store files in Microsoft Azure Blob Storage. LEMURLOOT specifically extracted Azure storage credentials, providing a secondary exfiltration path that bypassed local detection.
  • Administrator account creation: Created persistent rogue admin accounts (names like Health Check Service) that survived even if the original injection vector was patched.
  • Database access: Directly queried the MOVEit backend database, providing a complete picture of all file transfers, user accounts, and stored metadata.

LEMURLOOT communicated with Cl0p’s command-and-control over HTTPS, authenticated by a hardcoded header value to prevent use by other threat actors, and designed to blend with normal MOVEit server traffic.
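The two indicators this section names, an unexpected .aspx file answering requests and a rogue administrator account such as Health Check Service, are both visible from data a MOVEit administrator already has: the IIS web logs and a user export. The hunt below is an added example written for this article, not a Mandiant or Progress tool. The IIS log lines, field layout and account records are constructed, and the baseline of legitimate .aspx pages is an assumption a real deployment would fill from a clean install.

```python
"""Added example: hunt IIS W3C logs and a user export for LEMURLOOT-style
indicators (unknown .aspx files being served, unapproved admin accounts).
All sample data below is constructed for illustration."""
from collections import Counter

# Constructed IIS log: two benign requests by a known user, then two hits on a
# file that is not part of the application, from an unauthenticated client.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2023-05-27 22:41:03 10.0.0.5 POST /human.aspx - 443 jdoe 198.51.100.7 200
2023-05-27 22:41:09 10.0.0.5 GET /machine.aspx - 443 jdoe 198.51.100.7 200
2023-05-28 02:14:07 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.9 200
2023-05-28 02:14:11 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.9 200
"""

# Assumed baseline of .aspx pages shipped with the product (illustrative set,
# not a real MOVEit inventory; populate from a clean install in practice).
KNOWN_PAGES = {"/human.aspx", "/machine.aspx", "/guestaccess.aspx"}


def parse_w3c(text: str) -> list:
    """Parse W3C extended log format using its own #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_unknown_aspx_requests(rows: list, known_pages=KNOWN_PAGES) -> list:
    """Return (uri, hit_count) for every .aspx path served that is not in the
    baseline. A web shell named to blend in still fails this check."""
    hits = Counter(r["cs-uri-stem"].lower() for r in rows
                   if r["cs-uri-stem"].lower().endswith(".aspx")
                   and r["cs-uri-stem"].lower() not in known_pages)
    return sorted(hits.items())


# Constructed user export: (username, display_name, is_admin, created_date)
SAMPLE_ACCOUNTS = [
    ("jdoe", "Jane Doe", True, "2022-03-14"),
    ("svc_monitor", "Health Check Service", True, "2023-05-28"),
    ("asmith", "Al Smith", False, "2021-09-02"),
]


def find_unexpected_admins(accounts: list, known_admins: set,
                           window=("2023-05-27", "2023-05-29")) -> list:
    """Flag admin accounts missing from the approved list, annotating any that
    were created in the exploitation window or carry the rogue display name
    reported for this campaign."""
    start, end = window
    findings = []
    for username, display, is_admin, created in accounts:
        if not is_admin or username in known_admins:
            continue
        reasons = ["admin not in approved list"]
        if start <= created <= end:  # ISO dates compare correctly as strings
            reasons.append("created during exploitation window")
        if display == "Health Check Service":
            reasons.append("known rogue display name")
        findings.append((username, reasons))
    return findings


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    print("unknown .aspx served:", find_unknown_aspx_requests(rows))
    print("unexpected admins:", find_unexpected_admins(SAMPLE_ACCOUNTS, {"jdoe"}))
```

Both checks are allowlist-based on purpose: matching on the one filename and one account name that were reported would miss the next campaign, whereas "anything served that we did not install" and "any admin we did not approve" keep working when the names change.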

The Memorial Day Blitz

The timing of Cl0p’s mass exploitation campaign was not accidental. Memorial Day weekend 2023 — May 27–29 — is the American holiday weekend marking the unofficial start of summer. Corporate IT teams are understaffed. Security operations centers run on holiday schedules. System administrators are at barbecues, not watching dashboards.

Forensic evidence from victim environments, compiled by Mandiant, Huntress, and Rapid7, shows mass automated exploitation beginning the evening of May 27 and continuing through May 29. Cl0p’s framework scanned and attacked thousands of internet-facing MOVEit servers in rapid succession — a programmatic sweep, a digital combine harvester cutting across the entire crop in a single pass. Each compromised server received LEMURLOOT; each deployment exfiltrated what it could find. The automation was such that Cl0p’s operators may not have known the specific contents of data stolen from each victim until after the campaign concluded.

On June 1, 2023, Progress Software disclosed CVE-2023-34362 and released a patch. By then, the exploitation was done. Patching stopped future attacks; it could not undo the exfiltration that had already happened.

The Victims: A Who’s Who of Global Enterprise

The breadth of the victim list reflected MOVEit’s enterprise deployment — and its heavy use by managed service providers (MSPs) and payroll processors created a supply chain amplification effect: compromising one MSP’s MOVEit instance could expose the data of hundreds of that MSP’s clients.

Confirmed victims included: US federal agencies (Department of Energy entities, Department of Labor); state governments (Oregon DMV — 3.5M records, Louisiana DMV — 6M records, Colorado Medicaid — 4M records); global corporations (Shell, British Airways, the BBC, Boots, and Aon — many via their payroll provider Zellis, whose single MOVEit breach instantly propagated to all Zellis clients); and healthcare and financial services organizations across multiple countries.

The cascading effect through service providers was the defining characteristic of the campaign’s scale. Hundreds of the 2,611 compromised organizations had never heard of MOVEit — their vendors were using it to handle their data without their direct knowledge.

The Extortion Model

Cl0p’s operational model departed from the ransomware playbook: no ransomware, no encrypted files. The attack was purely data theft and extortion. In the weeks following the campaign, Cl0p began adding victim names to its dark web leak site, offering a choice: negotiate payment, or have your stolen data published. The group gave victims 90-day deadlines — calibrated to give large organizations time to assemble crisis and legal teams.

Extortion demands were not publicly disclosed in most cases but were estimated in the millions for major corporate victims. The group reportedly told government agencies it would not publish their data — a tactical calculation, since no government entity can legally pay a ransomware group. The vast majority of confirmed victims did not pay. By late 2023, security analysts estimated Cl0p’s revenue from the MOVEit campaign at $75–100 million — substantial, but a fraction of the $1 billion in total damage inflicted across affected organizations.

The Pattern: Cl0p’s MFT Obsession

The MOVEit campaign was the third act of a deliberate strategy. Cl0p has recognized that MFT software occupies a unique position: it aggregates sensitive file transfers across organizations, it is internet-facing by design, it is heavily trusted and lightly monitored, and it is used disproportionately in regulated industries — healthcare, finance, government — where data has maximum extortion value. A zero-day in an MFT product, exploited at mass scale, delivers an optimal ratio of exploitation effort to data value.

The group operates what appears to be a zero-day development program specifically targeting MFT software — discovering vulnerabilities, holding them for months or years, then deploying in sudden mass campaigns timed to maximize victim count before detection occurs. Accellion (2020–21), GoAnywhere (February 2023), MOVEit (May 2023): the pattern is unmistakable.

Legacy: The Reckoning for File Transfer Security

Progress Software released emergency patches and subsequently disclosed additional MOVEit vulnerabilities as researchers energized by the crisis reviewed the codebase. CISA and NCSC (UK) issued joint guidance recommending organizations limit internet-facing exposure of MFT interfaces, enforce IP allowlisting, conduct regular web directory integrity checks, and implement robust logging for anomalous file access.
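The "web directory integrity check" in that guidance is a small amount of code, and it is the control that would have surfaced the unknown .aspx file described at the top of this article within minutes of it being written. The script below is an added example written for this article, not CISA, NCSC or Progress tooling: it hashes every file under a web root into a baseline manifest and, on a later run, reports additions, modifications and deletions, calling out new server-side script files since that is what a dropped web shell looks like on disk. The demo constructs a web root in a temporary directory; a real deployment would point it at the MOVEit wwwroot, store the baseline off-host, and run it on a schedule.

```python
"""Added example: baseline-and-diff integrity check for a web root.
The demo web root, its files and the edits are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

# File types that execute server-side under ASP.NET; a new one in the web root
# is the highest-priority finding.
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare two manifests and classify every change."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "new_scripts": [f for f in added if f.lower().endswith(SCRIPT_SUFFIXES)],
    }


def demo() -> dict:
    """Construct a web root, baseline it, then simulate a web shell drop and a
    config edit and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "human.aspx").write_text("<%@ Page %> login page (constructed)")
        (root / "web.config").write_text("<configuration/>")
        baseline = build_manifest(root)
        # The baseline would normally be written off-host; round-trip it
        # through JSON here to show the stored format is just path -> hash.
        baseline = json.loads(json.dumps(baseline))
        (root / "human2.aspx").write_text("<%@ Page %> unexpected file (constructed)")
        (root / "web.config").write_text("<configuration><!-- edited --></configuration>")
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice: the baseline must live somewhere the web server's service account cannot write, or an intruder with the same access that dropped the shell can simply update it; and a vendor patch legitimately changes many files at once, so the baseline should be re-taken immediately after each verified upgrade rather than left to generate noise.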

Supply chain security for MFT entered mainstream enterprise security discussions for the first time. Procurement teams began asking whether vendor file transfer infrastructure could expose their data — a question rarely asked before.

The campaign’s deeper lesson: MOVEit’s marketing touted its security features — encryption, compliance certifications, audit logging — and those features were real. But they said nothing about the security of the underlying web application code. “We use MOVEit, so our file transfers are secure” proved to be a belief that Memorial Day weekend shattered.

Cl0p remains active. No indictments tied to the MOVEit campaign have resulted in arrests of the core operators, believed to reside in Russia beyond the reach of Western law enforcement. The next zero-day is already being hoarded somewhere.


Attack Chain: Cl0p MOVEit Transfer Campaign

graph TD
    A["Zero-Day Discovery\nCl0p identifies CVE-2023-34362\n~Jan 2023 or earlier"] --> B["Weaponization\nDevelop LEMURLOOT web shell\nBuild automated exploitation framework"]
    B --> C["Reconnaissance\nScan internet for MOVEit Transfer\nservers via Shodan/Censys"]
    C --> D["Memorial Day Timing\nMay 27-29, 2023\nHoliday weekend — reduced SOC staffing"]
    D --> E["Initial Access\nHTTP request to MOVEit web app\nSQL injection via CVE-2023-34362"]
    E --> F["Privilege Escalation\nSQL injection grants DB admin access\nCreate rogue MOVEit admin account"]
    F --> G["Web Shell Deployment\nDrop LEMURLOOT (human2.aspx)\nin MOVEit web root directory"]
    G --> H["Credential Harvesting\nLEMURLOOT extracts Azure Blob\nStorage credentials from config"]
    H --> I["Data Exfiltration\nList all stored files\nDownload via LEMURLOOT\nExfil via Azure if configured"]
    I --> J["2,611 Organizations Compromised\n77M+ individuals' data stolen\nUS gov, UK corps, global MSPs"]
    J --> K["Cl0p Leak Site\nVictims listed with 90-day deadline\nPay or data published publicly"]
    K --> L["Most Victims Refuse\nGov entities cannot pay\nMany corps decline\n~$75-100M estimated Cl0p revenue\n$1B+ total damage across victims"]

    style A fill:#1a1a2e,color:#e0e0e0
    style E fill:#c0392b,color:#fff
    style G fill:#c0392b,color:#fff
    style I fill:#c0392b,color:#fff
    style J fill:#8e44ad,color:#fff
    style L fill:#2c3e50,color:#e0e0e0