Energy provider Shell latest to be hit by Accellion FTA vulnerability

Shell flag
Source: Royal Dutch Shell

Energy giant Royal Dutch Shell has become the latest corporation to admit its Accellion FTA file transfer appliance was hacked.

The company recently admitted that “an unauthorized party gained access to various files during a limited window of time. Some contained personal data and others included data from Shell companies and some of their stakeholders.”

Shell uses the server for transferring large files. There is no evidence of any impact on Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure, the company said in a statement.

“Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,” the statement read. “We have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.”

The statement didn’t detail when the breach occurred or when it was discovered by Shell.

Because Accellion is used for large file transfers a considerable number of victims are multi-national corporations. They include Canada’s Bombardier, Qualys, and U.S. supermarket chain Kroger’s. Government victims include the office of the auditor of Washington State.

News of Accellion-related breaches began appearing in January. That month the company issued a statement saying that in mid-December Accellion was made aware of a vulnerability in FTA and issued a patch.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to (Accellion) Kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” the company added.

Since then, a number of alarms have been raised about FTA. Near the end of February, five countries urged IT departments using the application to temporarily isolate or block internet access to and from systems hosting FTA, and to search for indicators of compromise.

Also, last month researchers at FireEye’s Mandiant threat intelligence division said they believe multiple threat groups are working together in a scheme of Accellion FTA-related data theft and extortion involving a ransomware gang but no deployment of ransomware. The groups are using the same website of the gang deploying the Clop ransomware to post copies of stolen data from FTA and threaten victim organizations to release more unless they pay up.

James McQuiggan, security awareness advocate at KnowBe4, says that organizations need to implement various risk mitigation programs to reduce any data breach with a supply chain provider.

“By isolating critical networks from third-party vendors, cybercriminals are restricted to a limited set of systems or networks in the unfortunate event of a data breach,” he said. “Energy companies need to ensure their networks utilize a layered approach to reduce the attack landscape for cybercriminals looking to gain access to their networks or attempting to steal intellectual property.”

Mark Bagley, VP of product at AttackIQ, said that with the massive scale of organizations impacted by the Accellion FTA attack, it’s important to recognize a common denominator: Adversaries are employing the same tactics, techniques and procedures captured inside the MITRE ATT&CK framework.

“This latest data breach serves as a reminder of how crucial it is for organizations to take a threat-informed approach to cybersecurity, as it’s infinitely harder to defend an environment without the context of the adversary’s behaviours. With ATT&CK as a foundation, a clear path to continuous security optimization can be made through the use of automated adversary emulation – allowing defenders to gain knowledge of their program’s effectiveness against known adversary behaviour.”


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News