FireEye IDs hacking group suspected in Accellion, Kroger breach

Kroger is only the latest firm to be swept up in a breach that began at Accellion, a software provider.
FireEye at the 2020 RSA Conference in San Francisco. (Greg Otto / Scoop News Group)

Security investigators have identified the hacking group suspected to be behind a data breach of an IT firm that has affected a number of corporations, law firms and other organizations in recent months. 

Accellion, a software firm that provides file transfer services to more than 3,000 clients, on Monday said that UNC2546, a “criminal” attacker, had exploited multiple vulnerabilities in Accellion software to install malware. The group appeared to infiltrate an Accellion tool to gather information from Accellion clients, then contact victims, threatening to publish their stolen data. Mandiant, the incident response arm of the security vendor FireEye, made the determination that UNC3546 was behind the incident

The breach at Accellion, uncovered on Dec. 23, involved an attacker leveraging a zero-day vulnerability to break into the Palo Alto-based cloud company’s secure file transfer application, or FTA. 

“The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organization that had been impacted by UNC2546 in the prior month began receiving extortion emails threatening to publish stolen data on the “CLOP^_-LEAKS”.onion website,” FireEye said in a statement Monday. 


Multiple media outlets previously linked the Accellion campaign to a ransomware gang known as Clop, and a financially motivated hacking group dubbed FIN11. 

The update came after the grocery chain Kroger on Friday announced that personal data belonging to some customers of its pharmacy services may have been compromised as a result of the Accellion incident. The Cincinnati-based chain on Friday announced that thieves may have stolen names, phone numbers, Social Security numbers and some medical history information about fewer than 1% of its customers. Kroger also has “discontinued the use” of services from Accellion.

While Accellion released a software fix soon after, a growing number of firms appear to be learning of their victimization. Jones Day, a prominent law firm that represents former President Donald Trump, was among those hit, the Wall Street Journal reported.  Singtel, a telecommunications firm in Singapore, the Washington State Auditor’s Office and the Reserve Bank of New Zealand were also among those swept up in the matter. 

The University of Colorado also has said it was affected by the breach. 
The incident is distinct from a hack against the U.S. federal contractor SolarWinds, though some details from both breaches are similar. In each case, attackers used illicit access at an otherwise quiet IT firm as a foothold to gather information from more visible targets. Suspected Russian spies used their position within SolarWinds to breach the departments of Treasury, Homeland Security, Justice and collected data from Microsoft, among other companies.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts