{"id":7301,"date":"2023-07-11T09:00:00","date_gmt":"2023-07-11T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-3578\/"},"modified":"2026-05-10T19:05:55","modified_gmt":"2026-05-10T19:05:55","slug":"moveit-attack-2023-what-the-largest-supply-chain-hack-of-the-year-teaches-us","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2023\/07\/11\/moveit-attack-2023-what-the-largest-supply-chain-hack-of-the-year-teaches-us\/","title":{"rendered":"MOVEit Attack 2023: What the Largest Supply-Chain Hack of the Year Teaches Us"},"content":{"rendered":"<p><strong>In May and June 2023, the Russian-speaking hacker group Clop exploited a zero-day vulnerability in MOVEit Transfer, stealing data from an estimated 2,500+ organizations worldwide. The MOVEit attack is the largest supply-chain attack on file transfer software to date &#8211; and a lesson in third-party risks.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li><strong>Zero-Day in MOVEit Transfer:<\/strong> SQL injection vulnerability (CVE-2023-34362) allowed unauthorized data access.<\/li>\n<li><strong>Clop group:<\/strong> Russian-speaking ransomware group that focuses on data extortion rather than encryption.<\/li>\n<li><strong>2,500+ victims:<\/strong> Including U.S. federal agencies, BBC, British Airways, TK Maxx, and many others.<\/li>\n<li><strong>No encryption:<\/strong> Clop stole data but did not encrypt it &#8211; the attack aimed at extortion through data publication.<\/li>\n<li><strong>Lesson in third-party risks:<\/strong> Many victims did not operate MOVEit themselves but used it through service providers.<\/li>\n<\/ul>\n<h2>The Attack: Technically Explained<\/h2>\n<p>CVE-2023-34362 is an SQL injection vulnerability in the web application of MOVEit Transfer. 
The Clop group exploited this vulnerability to access the database, exfiltrate data, and leave behind so-called web shells that enable persistent access.<\/p>\n<p>Particularly insidious: Progress Software patched the vulnerability quickly (May 31, 2023), but the attackers had already had access for weeks. Many victims only found out weeks later that they were affected &#8211; because MOVEit was running at their service provider.<\/p>\n<h2>Why So Many Victims?<\/h2>\n<p>MOVEit Transfer is managed file transfer software used by many companies and agencies for secure file transfer. Crucially: Many of the victims had not installed MOVEit themselves but used it through specialized payroll and HR service providers like Zellis or PBI Research Services.<\/p>\n<p>The classic supply-chain problem: Even if a company's own IT is secure, an attack on a service provider can compromise the same data. British Airways and the BBC were affected because their HR service provider Zellis used MOVEit.<\/p>\n<h2>What Companies Must Learn From This<\/h2>\n<p><strong>Maintain a third-party inventory:<\/strong> Which service providers have access to sensitive data? What tools do they use? Without this inventory, responding to MOVEit-like incidents is hardly possible.<\/p>\n<p><strong>Contractual obligations:<\/strong> The handling of security incidents must be anchored in SLAs and data processing agreements (AVV) with concrete reporting obligations and response times.<\/p>\n<p><strong>Data minimization:<\/strong> What is not stored or transferred cannot be stolen. 
The GDPR requirement for data minimization is also a security principle here.<\/p>\n<p><strong>Patch monitoring for suppliers:<\/strong> Critical CVEs in software from key suppliers must be actively monitored &#8211; rather than waiting for the service provider to proactively provide information.<\/p>\n<h2>Key Facts at a Glance<\/h2>\n<p><strong>Affected organizations:<\/strong> Approximately 2,500+ worldwide (as of August 2023)<\/p>\n<p><strong>Attackers:<\/strong> Clop (TA505) &#8211; Russian-speaking group known for data theft extortion<\/p>\n<p><strong>CVE:<\/strong> CVE-2023-34362 (CVSS 9.8 &#8211; critical)<\/p>\n<p><strong>Attack method:<\/strong> SQL injection \u2192 data exfiltration \u2192 web shell \u2192 extortion<\/p>\n<p><strong>Patch available:<\/strong> May 31, 2023 &#8211; but the attack had already occurred<\/p>\n<p><strong>Fact:<\/strong> 77 percent of ransomware victims who paid the ransom were attacked again, according to Cybereason.<\/p>\n<p><strong>Fact:<\/strong> According to the Allianz Risk Barometer 2025, cyberattacks are the greatest business risk worldwide.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>What is MOVEit Transfer?<\/h3>\n<p>MOVEit Transfer is a managed file transfer solution from Progress Software used by companies and agencies for secure, traceable file transfer. It is widely used enterprise software.<\/p>\n<h3>How can you check if you are affected?<\/h3>\n<p>Check whether MOVEit Transfer is used directly or through service providers. Progress has published Indicators of Compromise (IoCs). CISA also offers guidance. Affected service providers should actively provide information.<\/p>\n<h3>Did Clop demand ransom?<\/h3>\n<p>Clop operates without classic ransomware encryption &#8211; instead, they threaten to publish the stolen data. Companies were asked to contact them; otherwise, the data would be published on the Clop leak site.<\/p>\n<h3>Are GDPR reporting obligations relevant?<\/h3>\n<p>Yes. 
In the event of data breaches affecting personal data, the 72-hour reporting obligation to the supervisory authority applies. Affected companies must check whether and which personal data has been leaked.<\/p>\n<h3>How do you protect against similar attacks?<\/h3>\n<p>Build third-party risk management, maintain a software inventory of all service providers, actively monitor critical CVEs, and include contractual reporting obligations in all service provider contracts.<\/p>\n<h2>Further Articles on the Topic<\/h2>\n<p>\u2192 Supply Chain Security 2026: How Companies Protect Their Software Supply Chain<\/p>\n<p>\u2192 Third-Party Risk Management: The Risk Lurks Everywhere<\/p>\n<h2>Further Reading in the Network<\/h2>\n<p>Cloud Security Current: <a href=\"https:\/\/www.cloudmagazin.com\" target=\"_blank\" rel=\"noopener\">cloudmagazin.com<\/a><\/p>\n<p>IT Risks for Executives: <a href=\"https:\/\/www.digital-chiefs.de\" target=\"_blank\" rel=\"noopener\">digital-chiefs.de<\/a><\/p>\n<h2>Related Articles<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/02\/18\/post_id-3523\/\">Ransomware 2026: Incident Response in the First 60 Minutes<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2025\/12\/11\/post_id-3617\/\">Cybersecurity 2025: The Year in Review  &#8211;  Incidents, Trends, Lessons<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2024\/02\/15\/post_id-3587\/\">Ransomware 2024: New Tactics, Bigger Targets, Harder Negotiations<\/a><\/li>\n<\/ul>\n<p style=\"text-align: right;\"><em>Header Image Source: Pexels \/ Tima Miroshnichenko<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"In May and June 2023, the Russian-speaking hacker group Clop exploited a zero-day vulnerability in MOVEit Transfer, stealing data from an estimated 2,500+ organizations worldwide. The MOVEit attack is the largest supply-chain attack on file transfer software to date &#8211; and a lesson in third-party risks. 
TL;DR Zero-Day in MOVEit Transfer: SQL injection vulnerability (CVE-2023-34362) [&hellip;]","protected":false},"author":50,"featured_media":3577,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"moveit attack","_yoast_wpseo_title":"MOVEit Attack 2023: What the Largest Supply-Chain Hack of the Year Teaches Us","_yoast_wpseo_metadesc":"MOVEit attack 2023: Learn how the massive supply-chain breach exposed 2,500+ organizations and discover key steps to protect your data\u2014act now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["post_id-3578"],"footnotes":""},"categories":[251],"tags":[233],"class_list":["post-7301","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-ransomware"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":3578,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7301"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7301\/revisions"}],"predecessor-version":[{"id":10035,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7301\/revisions\/10035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/3577"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}