Lace Tempest Cybercrime Group Behind Zellis Payroll Data Breach

Written by staff writer.

A malicious cyber group called Lace Tempest is behind the attack on UK payroll software provider Zellis, exposing the personal data of thousands of employees working at entities like the BBC, British Airways, Boots UK, and the Nova Scotia government.

Lace Tempest, also called Storm-0950, is a ransomware affiliate known for its involvement with the Clop extortion site. The group has also worked with the FIN11, TA505, and Evil Corp threat actors. Microsoft Threat Intelligence has attributed the Zellis cyberattack to Lace Tempest.

The group stole the data from Zellis via a publicized vulnerability in its MOVEit file transfer platform, developed by Massachusetts-based Progress Software. That entity disclosed the SQL injection vulnerability on May 31. Progress Software said the vulnerability could allow unauthorized parties to access the computer networks of MOVEit Transfer and MOVEit Cloud customers such as Zellis.

On June 5, Zellis confirmed the attack, saying the breach had impacted a small number of its customers in what was a global issue. “All Zellis-owned software is unaffected, and there are no associated incidents or compromises to any other part of our IT estate,” the company said via a press statement.

“Once we became aware of this incident, we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”

Two days after flagging the vulnerability, Progress Software released a patch and has since confirmed that it rectifies the vulnerability. “When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers of the issue and provided immediate mitigations steps,” the company said in a statement. “We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”

Guy Golan, the founder and CEO of Performanta, says the Zellis cyberattack illustrates how an attack on one company can impact the business network of third-party entities. “No organisation is an island,” he said, calling for a shift from a security mindset to a safety mindset. “Assessments are carried out every day to determine whether an organisation is deemed ‘secure’ by compliance and industry standards, but this doesn’t mean that all parties involved are safe,” he argues. “We need a global data-driven strategy that prioritises accuracy, transparency and context when it comes to cybersecurity across the entire supply chain, for the sake of each business and every single individual involved.”

In an internal email, British Airways told its UK and Ireland-based employees that the attackers had obtained their names, addresses, national insurance numbers and banking details in the Zellis breach. Boots UK confirms similar data was taken, while the BBC thinks their employee’s bank account details remain secure. Most threat actors associated with the Clop extortion site are Russian-speaking cybercrime groups. Typically, they contact the victims to arrange a ransom payment. If the victim refuses to cooperate, the stolen data will usually be listed and published on the Clop website.