Introduction
TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop. Proofpoint TA505 Sep 2017 Proofpoint TA505 June 2018 Proofpoint TA505 Jan 2019 NCC Group TA505 Korean FSI TA505 2020
Activities and Tactics
Targeted Sectors: Technology, Healthcare, Financial, Government, Education, Finance, Health, Retail, Hospitality
Country of Origin: 🇷🇺 Russia
Risk Level: Critical
First Seen: 2019
Last Activity: 2025
Suspected Victims: Australia, Canada, Czech Republic, Germany, Hungary, India, Japan, Romania, Serbia, Singapore…
Notable Campaigns
MOVEit Transfer campaign timeline
Curated Intelligence MOVEit Transfer Tracking tracks 74 public events for the 2023 MOVEit Transfer hacking campaign attributed to CL0P/Lace Tempest.
| Date | Type | Event | Source |
|---|---|---|---|
| 2023-05-31 | Resource | Initial Vendor Advisory, IOCs | community.progress.com |
| 2023-06-01 | Resource | IOCs, Sigma & YARA Rules by Nextron Systems | twitter.com/cyb3rops |
| 2023-06-01 | Capabilities | Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability since 27th Mary 2023, IOCs | rapid7.com |
| 2023-06-01 | Infrastructure | GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023 | greynoise.io |
| 2023-06-01 | Resource | CrowdStrike shared FQL rules | r/crowdstrike |
| 2023-06-01 | Capabilities | Huntress analysis of the MOVEit Transfer vulnerability, IOCs | huntress.com |
| 2023-06-01 | Capabilities | TrustedSec MOVEit Transfer campaign analysis, IOCs | trustedsec.com |
| 2023-06-02 | Resource | YARA rules for the Web Shell | github.com/AhmetPayaslioglu |
| 2023-06-02 | Resource | Sigma rule for MOVEit exploitation | github.com/tsale |
| 2023-06-02 | Resource | MOVEit Web Shell Checker | github.com/ZephrFish |
| 2023-06-02 | Information | CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database | nvd.nist.gov |
| 2023-06-02 | Capabilities | Mandiant campaign analysis, IOCs, YARA rules | mandiant.com |
| 2023-06-02 | Information | CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerability (KEV) Database | cisa.gov |
| 2023-06-02 | Adversary | Microsoft formally attributed the MOVEit Transfer campaign to the threat group called CL0P (aka Lace Tempest, FIN11, TA505) | twitter.com/MsftSecIntel |
| 2023-06-02 | Victim | The University of Rochester mentions a “data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide.” | rochester.edu |
| 2023-06-05 | Resource | Identifying Data Exfiltration in MOVEit Transfer Investigations | crowdstrike.com |
| 2023-06-05 | Victim | Austrian Financial Market Authority (FMA) files stolen from MOVEit software | ots.at |
| 2023-06-05 | Victim | Zellis’ MOVEit Transfer breached, impacting British Airways, BBC, Boots, and Aer Lingus, potentially others | therecord.media |
| 2023-06-05 | Adversary | Clop ransomware claims responsibility for MOVEit extortion attacks via a ransom note on their leak site | bleepingcomputer.com |
| 2023-06-06 | Victim | University of Rochester and the Government of Nova Scotia are the first known MoveIT victims in North America | therecord.media |
| 2023-06-06 | Capabilities | Unit42’s analysis of MOVEit attacks, also observed attacks starting on 27 May, additional IOCs | unit42.paloaltonetworks.com |
| 2023-06-07 | Adversary | Clop ransomware tells those affected to email them before 14 June or stolen data will be published | BBC |
| 2023-06-07 | Victim | BORN Ontario announces MOVEit breach | bornontario.ca |
| 2023-06-07 | Adversary/Capabilities | FBI & CISA joint advisory on CL0P, details about other TA505 campaigns, and other incidents such as the GoAnywhere attacks, IOCs, YARAs | cisa.gov |
| 2023-06-07 | Victim/Capabilities | SentinelOne’s campaign analysis, hunting queries, IOCs | sentinelone.com |
| 2023-06-07 | Victim | Extreme Networks declares having learned that their instance of MOVEit Transfer tool was impacted by a malicious act | computerweekly.com |
| 2023-06-08 | Capabilities | Kroll’s Timeline of the campaign (dating it back to 2021), IOCs | kroll.com |
| 2023-06-08 | Victim | Synlad issues a press release acknowledging being a victim of Cl0p’s MOVEit campaign | synlab.fr |
| 2023-06-09 | Resource | Progress Software issues a new patch covering new vulnerabilities (CVE-2023-35036) | progress.com |
| 2023-06-09 | Victim | Illinois government among victims of global ransomware attack | chicagotribune.com |
| 2023-06-09 | Victim | Minnesota Department of Education hit by cybersecurity attack | cbsnews.com |
| 2023-06-09 | Victim | HSE states no more than 20 people’s data breached in cyber-attack | hse.ie |
| 2023-06-09 | Capabilities | Horizon3AI’s analysis of the MOVEit Transfer campaign, accompanied by a Proof-of-Concept (PoC) for CVE-2023-34363, and IOCs | horizon3.ai |
| 2023-06-09 | Victim | Landal informs guests about a data breach (MOVEit) | landal.com |
| 2023-06-12 | Victim | Ofcom (the UK’s communications regulator) and Ernst & Young (EY), one of the ‘Big 4’ accounting firms | bbc.co.uk |
| 2023-06-13 | Victim | Transport for London (TfL) is warning 13,000 staff - half its entire workforce - that their details have been stolen by CL0P, via following the Zellis payroll outsourcer MOVEit Transfer hack | twitter.com/gazthejourno |
| 2023-06-13 | Victim | Prudential Assurance Malaysia Berhad (PAMB) and Prudential BSN Takaful Berhad (PruBSN) can confirm that we are among many companies around the world that have been affected by the global MOVEit data-theft attack | prudential.com.my |
| 2023-06-13 | Victim | State of Missouri Issues Statement on Recent Global Cyberattack | oa.mo.gov |
| 2023-06-14 | Victim | Victims Listed on CL0P’s leak site: 1st Source Bank, Datasite LLC, First National Bankers Bankshares Inc (FNBB), Green Shield (health services organization in Canada, only payer-provider in Canada), Heidelberger, Leggett & Platt, National Student Clearinghouse, ÖKK Kranken- und Unfallversicherungen AG, Putnam Investments, United HealthCare Services Inc, Shell, and the University of Georgia | CL0P Data Leak Site |
| 2023-06-14 | Victim | Johns Hopkins University | Baltimore Sun |
| 2023-06-15 | Victim | Victims added to CL0P’s leak site: healthequity[.]com, synlab[.]fr, cuanswers[.]com, navaxx[.]lu, delawarelife[.]com, 316fiduciaries[.]com, enzo[.]com, careservicesllc[.]com, genericon[.]at, brault[.]us, aplusfcu[.]org, barharbor[.]bank, powerfi[.]org, eastwestbank[.]com | CL0P Data Leak Site |
| 2023-06-15 | Victim | BleepingComputer receives PR communications from victims of CL0P | bleepingcomputer.com |
| 2023-06-15 | Victim | US Department of Energy: Oak Ridge Associated Universities and Waste Isolation Pilot Plant (New Mexico) announce MOVEit breaches | federalnewsnetwork.com |
| 2023-06-15 | Resource | Progress Software issues an advisory of a 3rd vulnerability (No CVE or patch) | progress.com |
| 2023-06-15 | Victim | Louisiana Office of Motor Vehicles | la.gov |
| 2023-06-16 | Resource | Progress Software issues fix of 3rd vulnerability (No CVE) | progress.com |
| 2023-06-16 | Victim | Oregon Department of Transportation (ODOT) announces MOVEit breach | oregon.gov |
| 2023-06-16 | Victim | marti[.]com (Marti Group, Switzerland, Construction), pragroup[.]no (PRA Group, Norway, Finance (Debt)), columbiabank[.]com / umpquabank[.]com (Umpqua Bank, USA, Finance), umsystem[.]edu (University Of Missouri System, USA, Education, icsystem[.]com (IC System, USA, Finance (Debt)), arburg[.]com (ARBURG, Germany, Manufacturing (Plastics processing machines)), bostonglobe[.]com (Boston Globe, USA, Newspaper), cncbinternational[.]com (China CITIC Bank International Limited, Hong Kong, Finance), stiwa[.]com (Stiwa Group, Austria, Automation), cegedim[.]com (Cegedim, France, Tech/outsourcing services), aon[.]com (Aon PLC, Ireland, Professional Services), nuance[.]com (Nuance, USA, AI Tech) | CL0P Data Leak Site |
| 2023-06-16 | Adversary | CL0P claims on their leak site they “deleted all government data,” are “only financial motivated [sic],” and, “do not care anything about politicis [sic]” | CL0P Data Leak Site |
| 2023-06-16 | Capabilities | CrowdStrike reports on a second critical MOVEit vulnerability (CVE-2023-35708) being exploited in the wild | r/crowdstrike |
| 2023-06-19 | Victim | palig.com (Panamerican), gesa.com (Gesa - USA - Finance (Credit Union)), telos.com (Telos - USA - Cyber Security), scu.edu (Santa Clara University - USA), skillsoft.com (Skillsoft - USA - Training programs), creelighting.com (IDEAL Industries Inc), nortonlifelock.com (Norton), stockmanbank.com (Stockman Bank - Montana, USA - Finance), baesman.com (Customer Relationship Management (CRM) software - USA), emsshi.com (Electronic Management Support and Services, Inc. - Hawaii, USA), cbeservices.com (CBE Services - Australia - Construction), zurich.com.br (Zurich Seguros - Brazil - Insurance) | CL0P Data Leak Site |
| 2023-06-21 | Victim | Cegedim didn’t find any sign of compromise until June 9th, when they discovered new IOCs | lemagit.fr |
| 2023-06-21 | Adversary | CL0P wrote a statement saying the BBC is spreading propaganda for their own interest. They also claim they have deleted data from “30 companies that are government” and reasserted they are all about business and not politics. | CL0P Data Leak Site |
| 2023-06-23 | Victim | andesaservices.com (Andesa Services, Insurance, US), sony.com (Sony, Technology/Media, Japan), ey.com (Ernst & Young, Consulting, UK), pwc.com (PricewaterhouseCoopers, Consulting, UK), guscanada.ca (Global University Systems (GUS) Canada, Education, Canada) | CL0P Data Leak Site |
| 2023-06-23 | Victim | Harris Health System | abc13.com |
| 2023-06-23 | Victim | NYC DoE | ny.chalkbeat.org |
| 2023-06-26 | Victim | Wilton Reassurance Company | apps.web.maine.gov |
| 2023-06-27 | Victim | MSAMLIN[.]COM, WERUM[.]COM, SE[.]COM (Schneider Electric), SIEMENS-ENERGY[.]COM, UCLA[.]EDU (University of California, Los Angeles), ABBVIE[.]COM, PROSKAUER[.]COM, KIRKLAND[.]COM (KIRKLAND & ELLIS LLP), KOTAKLIFE[.]COM, STARMOUNTLIFE[.]COM, JACKSON[.]COM, CARESOURCE[.]COM, SAPIENS[.]COM, ENSTARGROUP[.]COM, COGNIZANT[.]COM, DELTADENTAL[.]COM, CPIAI[.]COM, DARLINGCONSULTING[.]COM | CL0P Data Leak Site |
| 2023-06-27 | Victim | Allegiant Air discloses exposure to MOVEit breach on 1 June 2023 | twitter.com/bettercyber |
| 2023-06-28 | Victim | Bloomberg reports that US Department of Health and Human Services (HHS) is impacted by the MOVEit breach due to a third-party incident. Records from more than 15 million compromised. | bloomberg.com |
| 2023-06-29 | Victim | KLGATES[.]COM, CITYNATIONAL[.]COM, HARRINGTONCOMPANY[.]COM, SOVOS[.]COM, RHENUS[.]GROUP, VERICAST[.]COM, IRONBOW[.]COM, DIGITALINSIGHT[.]COM, FISGLOBAL[.]COM, HORNBECKOFFSHORE[.]COM, CLICKSGROUP[.]CO[.]ZA, TRELLISWARE[.]COM, ENCORECAPITAL[.]COM | CL0P Data Leak Site |
| 2023-07-04 | Information | Infosecurity Magazine Podcast on the CL0P campaign | infosecurity-magazine.com |
| 2023-07-06 | Information | Progress Software has released a Service Pack to address three newly disclosed vulnerabilities (CVE-2023-36934, CVE-2023-36932, CVE-2023-36933) in MOVEit Transfer | community.progress.com |
| 2023-07-07 | Information | Huntress’ Joe Slowik blogs about Reflecting on the MOVEit Exploitation | huntress.com |
| 2023-07-10 | Victim | DURR[.]COM, BARRICK[.]COM, BRADYID[.]COM, TDECU[.]ORG, UNITEDREGIONAL[.]ORG, KYBURZDRUCK[.]CH, CIENA[.]COM, NORGREN[.]COM, MERATIVE[.]COM, QUORUMFCU[.]ORG, TRANSPERFECT[.]COM, NEWERATECH[.]COM, BANKWITHUNITED[.]COM, CADENCEBANK[.]COM, WOLTERSKLUWER[.]COM, NETSCOUT[.]COM, PAYCOR[.]COM, ENERGYTRANSFER[.]COM, DELARUE[.]COM, TDAMERITRADE[.]COM, L8SOLUTIONS[.]CO[.]UK, UOFLHEALTH[.]ORG, KERNAGENCY[.]COM, FISCDP[.]COM, MARYKAY[.]COM, CYTOMX[.]COM, USG[.]EDU, AMERICANNATIONAL[.]COM, BCDTRAVEL[.]COM, AUTOZONE[.]COM, CROWE[.]COM | CL0P Data Leak Site |
| 2023-07-10 | Victim | Deutsche Bank, Postbank, Comdirect, ING via Majorel | handelsblatt.com |
| 2023-07-10 | Adversary | CL0P writes about an exchange they had with TD Ameritrade. The victim seemingly tried to negotiate with CL0P and offered $4 million USD to pay the ransom. The initial ransom demand is currently unknown, but likely higher. CL0P confirms that they stole the data from a “file transfer” server (MOVEit) and claims to have stolen “262gb + archives”. | CL0P Data Leak Site |
| 2023-07-10 | Capabilities | Sophos analyzes CL0P’s 2023 data extortion campaigns targeting GoAnywhere, PaperCut, and MOVEit servers | news.sophos.com |
| 2023-07-11 | Victim | RADISSONHOTELSAMERICAS[.]COM, WESTAT[.]COM, JPRMP[.]COM, FMFCU[.]ORG, JHU[.]EDU, VISIONWARE[.]CA, UMASSMED[.]EDU, VRM[.]DE, SMA[.]DE, RICOHACUMEN[.]COM, EMERSON[.]COM, TOMTOM[.]COM, BAM[.]COM[.]GT, PIONEERELECTRONICS[.]COM, RITEAID[.]COM, ARVATO[.]COM, SCCU[.]COM, AGILYSYS[.]COM, KALEAERO[.]COM, CONSOLENERGY[.]COM | CL0P Data Leak Site |
| 2023-07-12 | Victim | RADIUSGS[.]COM, CLEARESULT[.]COM, HONEYWELL[.]COM, NASCO[.]COM, JACKENTERTAINMENT[.]COM, AINT[.]COM, AMCTHEATRES[.]COM, SLB[.]COM, GRIPA[.]ORG | CL0P Data Leak Site |
| 2023-07-12 | Victim | Tennet | security.nl |
| 2023-07-14 | Victim | Jones Lang LaSalle (JLL) Human Resources | twitter.com |
| 2023-07-19 | Victim | Updated Additional Victims: PAYCOM[.]COM, MOTHERSON[.]COM, ASPENTECH[.]COM, DISCOVERY[.]COM, SHUTTERFLY[.]COM, ROCHESTER[.]EDU, YAKULT[.]COM[.]PH, UFCU[.]ORG, VOSS[.]NET, JTI[.]COM, REPSOLSINOPECUK[.]COM, PINNACLETPA[.]COM, ARIETISHEALTH[.]COM, SCHNABEL-ENG[.]COM, MYCWT[.]COM, HESS[.]COM, PRGX[.]COM, GRACE[.]COM, NOTABLEFRONTIER[.]COM, TJX[.]COM, VITESCO-TECHNOLOGIES[.]COM, VALMET[.]COM, FMGL[.]COM[.]AU, DESMI[.]COM, CFINS[.]COM, COMPUCOM[.]COM, SIERRAWIRELESS[.]COM, RCI[.]COM, AA[.]COM, JONASFITNESS[.]COM, COMREG[.]IE, SMC3[.]COM, ITT[.]COM, ALLEGIANTAIR[.]COM, OFCOM[.]ORG[.]UK, ESTEELAUDER[.]COM, BLUEFIN[.]COM, VENTIVTECH[.]COM, DMA[.]US, PWCCLINETSANDDOCUMENTS[.]COM | CL0P Data Leak Site |
| 2023-07-19 | Victim | CL0P created a dedicated domain to publish the data they claim they stole from the PwC MOVEit server | CL0P Data Leak Site |
Tactics, Techniques, and Procedures (TTPs)
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| File Transfer Servers, Group Profile | Accellion | Accellion File Transfer Appliance | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 |
| File Transfer Servers, Group Profile | Cleo | Cleo VLTrader, Harmony, LexiCom | CVE-2024-55956 |
| File Transfer Servers, Group Profile | Fortra | GoAnywhere Managed File Transfer | CVE-2023-0669 |
| Applications, Group Profile | Oracle | E-Business | CVE-2025-61882 |
| Group Profile | PaperCut | PaperCut Application Server | CVE-2023-27350, CVE-2023-27351 |
| File Transfer Servers, Group Profile | Progress Software | MOVEit | CVE-2023-34362 |
| File Transfer Servers, Group Profile | SolarWinds | SolarWinds Serv-U FTP | CVE-2021-35211 |
| Applications | SysAid | SysAid On-Prem | CVE-2023-47246 |
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| OffSec | Cobalt Strike, PowerShell Empire, TinyMet |
Attribution and Evidence
Country of Origin: Russia Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK MITRE ATT&CK entry [2] Proofpoint TA505 Sep 2017 [3] Proofpoint TA505 June 2018 [4] Proofpoint TA505 Jan 2019 [5] NCC Group TA505 [6] Korean FSI TA505 2020