Blue Yonder says November ransomware attack not connected to Cleo vulnerability

Blue Yonder, the supply chain management giant that was hit by a ransomware attack last month that caused ripples throughout the retail sector, said it is investigating claims of data theft made by a ransomware gang on Christmas Eve. 

The Clop ransomware operation said it stole information from Blue Yonder and dozens of other companies through a recently-discovered zero-day vulnerability in file sharing software from a company named Cleo. 

The gang made several threats toward Blue Yonder and said they were not responding to extortion attempts. 

The Panasonic-owned company said it has no reason to believe the recent claims are connected to last month’s ransomware attack, which caused disruptions at Starbucks, BIC and several major supermarket brands.

In a statement to Recorded Future News, a Blue Yonder spokesperson acknowledged that the company uses Cleo to manage certain file transfers and has applied the patch for the vulnerability. 

“Like many Cleo customers across the globe, we are currently investigating any potential impact of this matter on our business and will provide an appropriate update to our customers when we have additional information,” the spokesperson said. 

“We have no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November.”

The spokesperson declined to answer several questions about potential ties between the two incidents and whether a ransom has been issued for either. A relatively new ransomware operation named Termite took credit for the November ransomware attack on Blue Yonder, which provides digital supply chain tools to some of the largest companies on the planet. 

The attack disrupted a back-end Starbucks process that manages how employees view and manage their schedules, and see the number of hours people worked. Several major supermarket brands in the U.K. and manufacturers in the U.S. like pen-maker BIC reported production issues related to the attack. 

Nearly all customer systems have since been restored but the Termite gang claimed it stole 680 GB of data that includes emails, insurance documents, company data and more. 

Blue Yonder was acquired by Panasonic in 2021 for about $8.5 billion and provides systems for fulfillment, delivery and returns for more than 3,000 major companies across 76 countries.

Just two weeks after the Blue Yonder ransomware incident in November, file transfer software company Cleo warned customers that a vulnerability in three of its most popular products was being abused by hackers. 

The Clop ransomware gang eventually took credit for exploiting the bug — adding yet another file transfer giant to its list of victims. In total, Clop named 66 organizations that had information stolen through the Cleo file transfer software. 

Blue Yonder is currently the only company Clop named fully as part of the Cleo leaks — the other names of victim organizations are partially obscured. Several of the companies that could be gleaned from the list were contacted but did not respond to requests for comment. 

Cleo is the fourth file transfer tool to be exploited by Clop after global data theft campaigns targeting MOVEit, GoAnywhere and Accellion. In each of the attacks, the group typically focuses on stealing data held in the file transfer software and selling that for a ransom as opposed to the typical attempt to shut down or damage an organization’s devices or systems. 

The most recent Clop campaign against MOVEit had global implications, impacting several U.S. federal departments, governments and Fortune 500 companies. 

Cybersecurity firm Emsisoft estimates that 2,773 organizations were impacted by the attacks on MOVEit, and the records of nearly 96 million people were exposed and stolen by the group behind the exploitation. 

Clop is estimated to have earned anywhere from $75 million to $100 million just from ransoms during the MOVEit campaign.