Russian hackers take aim at Andrew Forrest’s Fortescue

Russian hackers claim they have breached the ASX-listed mining giant, capping another tumultuous week for the firm led by Andrew Forrest.

Fortescue’s Andrew Forrest. Picture: Martin Ollman

Russian hackers say they have breached Fortescue Metals Group and stolen customer data from the mining and green energy company, capping another tumultuous week at the ASX-listed giant.

The Cl0p ransomware gang, thought to be behind recent high-profile attacks on the Tasmanian government, Crown Towers and Rio Tinto, says it is purely financially motivated and has not yet leaked any Fortescue documents or customer data to give the company a chance to negotiate a ransom payment.

“The company doesn’t care about its customers, it ignored their security!!!,” a post on Cl0p’s Dark Web blog reads.

The anonymous crime group says on its Dark Web blog that once it has named a victim, the victim has seven days to negotiate a payment, otherwise it will begin to leak company data.

“We also want to remind all company that if you put data on internet where data is not protect do not blame us for penetration testing service,” a message reads.

“We are only financial motivated and do not care anything about politics.”

Cl0p is the world’s most active ransomware group according to statistics from cyber security outfit Malwarebytes, and has exploited a vulnerability in widely used file transfer software MOVEit Transfer, allowing attackers to gain escalated privileges and unauthorised access to a company’s file systems. That vulnerability has since been patched, but Cl0p says it has repeatedly exploited it, leading to a months-long ransom spree.

The list of purported victims now stands at over 100 firms globally, and the US government has put up a bounty of up to $US10m to identify or locate the group’s members. Earlier this year the criminal group also uploaded data it claimed to have stolen from Fortescue rival Rio Tinto, including alleged payroll information, employee overpayment summaries and child support materials that were taken through a breach of one of its suppliers.

The news caps a tumultuous week for Fortescue, after Andrew and Nicola Forrest confirmed their separation.

Fortescue confirmed it had been the victim of a cyber attack.

“We take the protection of our employees’ personal information seriously and we have strong measures in place to safeguard our business from potential cyber threats,” a Fortescue spokeswoman said.

“Despite these efforts, Fortescue was subject to a low impact cyber incident on May 28 2023 which resulted in the disclosure of a small portion of data from our networks.

“Importantly, our investigations showed that this information was not confidential in nature.

“We notified the Australian Cyber Security Centre of the incident, and our internal investigation and remediation actions are now complete.”

Matt Green, principal threat analyst at global cyber security outfit Rapid7, confirmed that Fortescue was listed as a ransomware victim on Cl0p’s Dark Web page.

“Being listed here may mean Cl0p was able to grab documents in connection with MOVEit CVE-2023-34362,” the researcher told The Australian.

“MOVEit Transfer customers should prioritise remediation on an emergency basis and should invoke emergency incident response procedures if any indicators of compromise are found in their environments. Note that while updating to a fixed version will help protect against future exploitation, patching alone is not sufficient to address potential threat actor access to systems that have already been compromised.”

Katherine Mansted, director of cyber intelligence at CyberCX, said in an interview that Cl0p is one of the most aggressive cyber extortion gangs globally.

She said the gang had been overwhelmed and likely surprised at the number of victims that it had managed to snare with its recent attack.

“We’re still seeing the fallout months later,” she said. “In fact, it first invited victims to contact them. Normally the ransom group will reach out and try and hold you to ransom, but in this case they had a bottleneck, so they’re asking their own victims to do the dirty work for them. And so I would expect we will continue to see Australian victims be revealed as this continues to roll out.

CyberCX director of cyber intelligence Katherine Mansted. Picture: James Alcock

“Cl0p is literally drowning in paperwork, like any business, except these guys are a bad business.”

The news caps a tumultuous week for Fortescue, after Andrew and Nicola Forrest finally confirmed their separation, splitting control of their jointly-held stake in the iron ore giant.

Fortescue also confirmed it ran a secret investigation into allegations about the conduct of Dr Forrest, saying this week law firm Seyfarth Shaw found he had committed no wrongdoing.

But the hack also caps 18 months of turmoil in Fortescue’s executive ranks, with almost the entirety of the company’s most senior leadership team having turned over.

In March, Fortescue ran a major wave of redundancies, with hundreds said to have left the company as it rationalised the back-end services – including information technology, human resources and payroll – across its green energy and iron ore arms. The redundancies included group manager of technology and autonomy, Mark Thomas.

While Cl0p claims to have no political affiliations, Dr Forrest in June promised to help seed a $US25bn ($36bn) reconstruction fund for Ukraine proposed by BlackRock chief executive Larry Fink, offering $US500m to the fund through private investment vehicle Tattarang.

Dr Forrest has also been pictured with Ukrainian President Volodymyr Zelensky in Kyiv in late 2022.

Fortescue’s green energy arm, Fortescue Future Investments, abandoned plans for investment in Russian hydrogen and renewable energy projects when the country invaded Ukraine in 2022.


Original URL: https://www.theaustralian.com.au/business/technology/russian-hackers-take-aim-at-andew-forrests-fortescue/news-story/822d8b42e3aec69096c60161d07eead1