Hackers exploited flaw in Eden Prairie firm's software in record year for ransomware attacks

Fortra software hack and that of a Massachusetts firm that struck the Minnesota Department of Education and UnitedHealthcare resulted in millions of compromised records.

September 22, 2023 at 8:55PM
FILE - This Feb 23, 2019, file photo shows the inside of a computer in Jersey City, N.J. Cybersecurity teams worked feverishly Sunday, July 4, 2021, to stem the impact of the single biggest global ransomware attack on record, with some details emerging about how the Russia-linked gang responsible breached the company whose software was the conduit. An affiliate of the notorious REvil gang, infected thousands of victims in at least 17 countries on Friday, largely through firms that remotely manage IT infrastructure for multiple customers, cybersecurity researchers said. (AP Photo/Jenny Kane, File)
Fortra, formerly HelpSystems, sold software compromised by Russian hacking group Clop. (Jenny Kane, Associated Press file/The Minnesota Star Tribune)

Fortra, an Eden Prairie-based computer security firm, had a flaw in one of its products that nobody knew about until Clop, a Russian hacking group, discovered it earlier this year.

The resulting security breach infected scores of companies nationwide — and data from millions of people was compromised. And it was just the beginning of a Russian hacking spree that would plague Minnesota.

Another software firm — this one in Massachusetts — had a flaw in a similar security product to Fortra's. Clop discovered this defect, too, fomenting an even bigger data leak that's struck at least 461,000 Minnesotans and several Minnesota companies, including UnitedHealth Group and PBI Research Services.

"It certainly seems to be an active year for these types of attacks," said Mark Lanterman, chief technology officer at Computer Forensic Services in Minneapolis. "The motivation is money, so there is little incentive to slow down."

The Clop group specializes in stealing data and threatening to sell it on the internet — so-called ransomware attacks. Clop has had a banner year, but it's far from alone in cyber extortion. Other ransomware groups have hacked the Minneapolis and Rochester school districts.

The February attack on Minneapolis schools culled the data of about 105,000 students and employees. The school district didn't pay the $1 million ransom, and student names, addresses and other sensitive information were dumped onto the dark web.

Cyber gangs have tallied a record number of ransom and extortion victims globally in 2023's first six months, according to a report by NCC Group, a cybersecurity firm that has monitored such attacks since 2020. In 2023's first half, NCC recorded a 67 % increase in ransomware incidents — a "staggering" spike.

The costs of data breaches can be staggering, too.

Individual victims — in addition to having their privacy violated — may end up battling identity theft. Companies, schools and governments can shell out millions of dollars identifying and remedying a hack.

In a recent report, IBM found that the average cost of a U.S. data breach last year was $9.44 million. And that's before expenses from litigation.

Fortra and Minneapolis-based PBI, which provides death information to insurers and pension funds, have been hit with several suits.

The price of a hack goes beyond money, too.

"One of the biggest costs is reputation damage," said Yun Hu, principal security researcher in the Netherlands with Fox-IT, an arm of NCC Group.

Fortra says it acted immediately after hack

Fortra, known as HelpSystems until a rebranding in November, is a fast-growing computer security company with 3,000 employees, $800 million in annual sales and 30,000 customers globally. It sells many software security products, including one called GoAnywhere.

In late January, Clop hackers found a vulnerability in GoAnywhere, which allows its users to securely transfer files. Clop is based in Russia, but it has had connections to Ukraine, too.

Fortra, in a statement, said it "immediately took multiple steps to address" the hack, "including implementing a temporary service outage ... to prevent any further unauthorized activity."

Customers were notified within 24 hours, and the incident was mitigated within that time frame, Fortra said.

But the damage was done.

Clop, also stylized as Cl0P, claimed it hacked 130 organizations that use GoAnywhere, including major corporations and health care organizations.

One of the largest known victims was Florida-based NationsBenefits, which provides supplemental health benefits. It filed a report with federal health regulators in April saying more than 3 million people's health records had been affected in a hack.

Health care is particularly vulnerable to cyberattacks, owing to its "high propensity to pay a ransom, the value of patient records and often inadequate security," according to a February security alert by U.S. Department of Health and Human Services (HHS), which tracks hacks involving medical records.

Cybersecurity experts criticized Fortra for its notification process, which required customers to create a free account to view Fortra's GoAnywhere vulnerability report, the HHS alert said. Fortra said its approach "enabled it to focus on impacted customers."

"As we move forward from this event, we will continuously review our operating practices and security program to ensure we emerge stronger as an organization," Fortra's CEO Kate Bolseth said in the statement.

Chris Heim, executive chairman of Fortra, formerly HelpSystems, and CEO Kate Bolseth. (Fortra/The Minnesota Star Tribune)

Clop's 'zero-day' strategy hits vulnerabilities

Clop's GoAnywhere breach was a "zero-day" attack, meaning that hackers pounced on a flaw before it could be fixed.

"There really is no defense for it," Lanterman said. "It is the gold standard that hackers strive for, and unfortunately, they are doing a good job."

Clop struck again with a massive zero-day attack in late May, this time targeting a file-sharing platform called MoveIt made by Massachusetts-based Progress Software.

As of Sept. 11, the MoveIt hack had hit 1,168 organizations, 81% of which are in the United States, according to Emsisoft, a cybersecurity firm. Emsisoft has more detailed information for about 15% of those breaches, which alone affected 56 million people worldwide.

Some entities hit by the MoveIt attack have paid ransoms to Clop, said Brett Callow, a threat analyst for Emsisoft in British Columbia. "How many, we don't know."

In Minnesota, data of 366,428 people was stolen from 41 different insurance companies in the MoveIt hack, according to the Minnesota Department of Commerce. (Under Minnesota law, insurance-related firms must report data breaches.)

But the MoveIt hack went far beyond insurers. Banks, non-financial corporations and universities and federal and state government agencies were all attacked.

The Minnesota Department of Education reported in June that Clop accessed files stocked with names, birth dates and counties of residence of 95,000 students in foster care. A department spokesman said no ransom was demanded and there's no indication records were shared on the dark web.

Minnesota companies got hit harder by Clop's MoveIt hack. They include:

  • Radius Global Solutions, a Bloomington-based debt collector that serves the medical business and other industries. Social Security numbers, names, birth dates and treatment payment data may have been affected, according to a notice on Radius' website.

Radius, which didn't return requests for comment, reported a hack involving 600,794 people to HHS in August.

  • UnitedHealthcare Student Resources, which provides insurance to students. Names, addresses, phone numbers, and claims and prescription information may have been accessed, the insurer said on its website. UnitedHealthcare — owned by UnitedHealth Group, Minnesota's largest public company — reported the MoveIt hack involving 398,319 people to HHS in July.

UnitedHealthcare said it did not pay a ransom to Clop.

"We reported the incident to law enforcement and implemented all recommended software updates to minimize the risk of a similar incident occurring in the future," the company said in a statement. "All affected individuals were notified and offered complimentary credit monitoring and identity protection services."

  • PBI Research, which bills itself as the leader in the "death audit" market, reported a hack to federal regulators that affected 1.87 million people. The number could be higher since PBI's customers include many large insurers and pension funds. PBI combs death records to help its clients save money by not overpaying on benefits.

The company did not respond to requests for comment.

Ransomware attacks often have chain reactions

PBI customers California's CalPERS and CalSTRS, two of the nation's largest pension systems, were hit by the MoveIt hack through the Minneapolis firm. So was PBI customer Teachers Insurance and Annuity Association of America (TIAA), a big provider of retiree financial services.

The retiree data stolen often included names, addresses and Social Security numbers.

The MoveIt and GoAnywhere hacks are both characterized by an insidious chain reaction.

Hackers "are going after a company that manufactures software," Lanterman said. "The vendor then disseminates the attack for them unknowingly."

With companies like PBI — itself a vendor to many large companies — the chain reaction can be even more damaging. "It kind of goes downstream to a lot of the target's customers," Lanterman said.

The GoAnywhere and MoveIt file transfer attacks have spawned a bounty of litigation, starting with suits against software creators Fortra and Compass.

Eleven class action suits against Fortra, claiming negligence, have been consolidated in U.S. District Court in Minnesota alone.

PBI Research has been hit with at least a dozen negligence suits over the MoveIt hack, including several in federal court in Minnesota. UnitedHealthcare and Radius Global Solutions are the targets of similar suits in the same court.

"What is going to be really messy [with the MoveIt hack] is the legal implications," said Emsisoft analyst Callow. "Everybody is suing everybody. We are seeing a lot of digital ambulance chasing."

about the writer

about the writer

Mike Hughlett

Reporter

Mike Hughlett covers energy and other topics for the Star Tribune, where he has worked since 2010. Before that he was a reporter at newspapers in Chicago, St. Paul, New Orleans and Duluth.

See More