Cns (Report)

The report analyzes the MOVEit Data Breach of 2023, where attackers exploited a SQL injection vulnerability in the MOVEit Transfer tool, affecting hundreds of organizations globally. It highlights the inadequacy of encryption alone in preventing data breaches and emphasizes the need for proactive vulnerability management and secure implementation practices. Key lessons include the importance of timely patch management, continuous monitoring, and integrating cryptographic security with robust network defenses.


VISVESVARAYA TECHNOLOGICAL UNIVERSITY

BELGAVI-590 018, KARNATAKA.

CRYPTOGRAPHY AND NETWORK SECURITY


(BCS703)
A Case Study Report on
“MOVEit Data Breach (2023)”
Submitted in the partial fulfillment of the requirement for the award of degree of

Bachelor of Engineering
In
Computer Science and Business Systems

By
Ms. Sujana.K.G
USN 4BD22CB034

UNDER THE GUIDANCE OF


Prof. Puneeth B.H (Ph.D)
Assistant Professor

Bapuji Educational Association (R)


Bapuji Institute of Engineering and Technology, Davangere.
Department of Computer Science and Business Systems
2024-2025
Cryptography and Network Security (BCS703)

ABSTRACT

This report analyses the MOVEit Data Breach of 2023, one of the largest global cyber incidents in
recent years. The attackers exploited a zero-day SQL injection vulnerability in Progress Software’s
MOVEit Transfer tool, a widely used secure file transfer application. By leveraging this flaw, the Clop
ransomware group gained unauthorized access to sensitive data from hundreds of organizations
worldwide, including government agencies, financial institutions, and enterprises.

The study highlights failures in secure file transfer mechanisms, where encryption methods such as
AES and TLS protected data in theory, but vulnerabilities in the application allowed attackers to
bypass these safeguards. It further explores the role of vulnerability management in preventing
exploitation, emphasizing that the weakness lay not in cryptographic algorithms themselves but in their
surrounding implementation and patching processes.

The report concludes with key lessons learned: the importance of proactive vulnerability management,
continuous monitoring of third-party software, and strengthening encrypted data exchange systems.
Organizations must integrate cryptographic security with robust network defenses to ensure the
integrity of file transfer security in an increasingly interconnected digital landscape.

Page 2

CONTENTS

CHAPTER 1 INTRODUCTION 1

CHAPTER 2 OVERVIEW OF THE CYBER ATTACK 2

CHAPTER 3 ENCRYPTION METHODS USED 4

CHAPTER 4 IMPACT OF THE ATTACK 7

CHAPTER 5 MITIGATION AND PREVENTION 9

STRATEGIES

CHAPTER 6 CASE STUDIES 11

CHAPTER 7 CONCLUSION 12


CHAPTER 1
INTRODUCTION

1.1 Introduction to Cybersecurity and Encryption


Cybersecurity focuses on protecting systems, networks, and data from unauthorized access and cyber
threats. One of the strongest pillars of cybersecurity is encryption, which ensures that even if data is
intercepted, it remains unreadable to attackers. Encryption techniques such as AES and TLS are widely
used to secure file transfers, online communications, and stored information.

1.2 Importance of Encryption in Modern Cyber Attacks


In today’s digital era, cybercriminals often target data in motion (files being transferred across
networks) and data at rest (stored files). Encryption plays a vital role in defending against these attacks.
However, modern breaches have shown that encryption alone is not sufficient—vulnerabilities in
software and poor implementation can undermine even the strongest algorithms. This makes it
essential to study not only the cryptographic methods but also the security of the systems that manage
encrypted data.

1.3 Purpose of Selecting this Specific Cyber Attack for Study

The MOVEit Data Breach (2023) is a landmark case where attackers exploited vulnerabilities in a
widely used secure file transfer tool. Despite encryption being in place, the breach exposed sensitive
information of hundreds of organizations worldwide. Studying this incident provides valuable insights
into:

1. How vulnerabilities in software applications can bypass strong encryption safeguards, proving that
cryptography alone is not sufficient without secure implementation.
2. The importance of timely patch management and vulnerability response, as delays in fixing zero-
day flaws can lead to large-scale exploitation.
3. The risks associated with third-party and supply chain software, since MOVEit was widely adopted
across industries and became a single point of failure.
4. Lessons on strengthening encrypted data exchange mechanisms, ensuring that encryption works
effectively alongside secure coding and monitoring practices.
5. The need for proactive vulnerability management and continuous security audits, to identify
weaknesses before attackers exploit them.


CHAPTER 2
OVERVIEW OF THE CYBER ATTACK

2.1 Background and Origin


The MOVEit breach was discovered in late May 2023, when cybersecurity researchers found that a
zero-day vulnerability existed in MOVEit Transfer, a secure file transfer software developed by
Progress Software. The vulnerability was actively exploited by the Clop ransomware group, a well-
known cybercriminal gang.
Hundreds of organizations worldwide, including financial institutions, healthcare providers,
universities, and government agencies, were impacted. Sensitive data like personal records, payroll
details, and corporate information was exposed.

2.2 How the Attack Spread


a. The attack did not spread like a worm or via phishing emails.
b. Instead, it was a targeted exploitation of a zero-day vulnerability in the MOVEit Transfer software.
c. Attackers used SQL injection vulnerabilities to gain unauthorized access to MOVEit servers.
d. Once inside, they were able to exfiltrate sensitive files from affected organizations.
e. Later, they attempted extortion by threatening to publish stolen data on the dark web if ransom
demands were not met.

2.3 Timeline of Events

1. May 27-28, 2023 → Security researchers first detected suspicious activity in MOVEit Transfer.
2. May 31, 2023 → Progress Software publicly disclosed the vulnerability and released initial security
patches.
3. June 2023 → Reports confirmed that the Clop ransomware group was behind the attack. The
number of affected organizations began to grow rapidly.
4. July-August 2023 → More victims across different industries were identified (education,
healthcare, finance, public sector). The breach became one of the largest supply chain cyberattacks of
2023.
5. Ongoing (2023–2024) → Data leaks and extortion attempts continued, with stolen files being
posted on dark web forums.


2.4 Key Vulnerabilities


a. The main vulnerability exploited was a zero-day SQL injection flaw in MOVEit Transfer.
b. SQL injection allowed attackers to:
Bypass authentication mechanisms.
Execute unauthorized queries directly on the MOVEit database.
Gain access to sensitive information and stored files.
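As an added illustration (not code from the report or from MOVEit Transfer), the following Python snippet contrasts a login query that splices user input into the SQL text with one that passes the values as placeholders, using an in-memory SQLite table; the schema, the user account and the test inputs are constructed for the demo.

```python
import hashlib
import sqlite3
from typing import Optional


def pw_hash(password: str) -> str:
    # Toy hashing to keep the demo self-contained; a real system uses a salted, slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed in-memory user table; the schema is illustrative, not MOVEit's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Defect: user input is spliced into the SQL text, so the input can change the
    # query's structure (a quote plus a comment marker drops the password check).
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Fix: placeholders send the values separately from the query text, so quotes
    # and comment markers in the input are treated as data, never as SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, pw_hash(password))).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = build_db()
    injected_user = "alice' --"  # constructed input: closes the quote, comments out the rest
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_injected": login_vulnerable(conn, injected_user, "wrong-password"),
        "hard_legit": login_hardened(conn, "alice", "correct-horse"),
        "hard_injected": login_hardened(conn, injected_user, "wrong-password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function authenticates "alice" without the password, while the hardened one returns nothing for the same input; the fix is the query structure, not the strength of any cipher.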


CHAPTER 3
ENCRYPTION METHODS USED

3.1 Types of Encryption Used

1. MOVEit Transfer natively used AES-256 encryption for securing files at rest and TLS 1.2/1.3 for
data in transit.
2. AES is a symmetric key encryption algorithm, known for its high security and efficiency when
handling large files.
3. TLS combines asymmetric cryptography (RSA or Elliptic Curve Cryptography) during the
handshake with symmetric encryption for ongoing communication.
4. The attackers (Clop group) did not break these algorithms directly but exploited software
vulnerabilities to access already decrypted files.
5. In cases where ransomware payloads were deployed, attackers applied hybrid encryption (AES +
RSA), where files were encrypted with AES and AES keys locked with RSA public keys.
6. This hybrid method is widely used in ransomware because it combines speed (AES) with security
of key exchange (RSA).

3.2 Implementation of Encryption by Attackers

1. Attackers primarily exfiltrated sensitive files rather than encrypting the entire network like
traditional ransomware.
2. When encryption was applied, a unique AES-256 key was generated for each file or session.
3. These AES keys were then encrypted using the attackers’ RSA-2048/4096 public key, preventing
victims from recovering them.
4. Encrypted files were often given new extensions (e.g., .clop) to indicate compromise.
5. Ransom notes (README.txt) were dropped, linking victims to dark web portals for ransom
negotiations.
6. This encryption model is unbreakable in practice, forcing organizations to either restore from
backups or pay ransom.


3.3 Cryptographic Strengths & Weaknesses

1. Strengths: The AES-256 + RSA-2048/4096 hybrid approach is mathematically sound and resistant to
brute-force attacks.
2. The algorithms themselves (AES, RSA, TLS) were not compromised; attackers leveraged flaws in
implementation and patch management.
3. Weakness (MOVEit side): SQL injection vulnerability allowed attackers to bypass cryptographic
layers entirely by pulling data directly from the database.
4. Operational Weakness: Since MOVEit automatically decrypted files for legitimate use, attackers with
system-level access could obtain data in plaintext.
5. This breach demonstrates that cryptographic systems are only as secure as the applications managing
them.
6. Lesson learned: strong encryption must be paired with secure coding practices, access controls, and
timely patching.


3.4 Encrypted File Structures and Ransom Notes

a. Encrypted File Structure: Files encrypted by Clop typically followed a structure with a header
containing metadata (victim ID, RSA-encrypted AES key) followed by AES-encrypted file
blocks.
b. File extensions were sometimes modified (e.g., .clop, .encrypted) to mark compromised files.
c. Ransom Notes: Plain text files (README.txt) were left in directories, giving instructions for
decryption/payment.
d. Notes contained Tor site links, unique victim IDs, and threats of data publication if ransom wasn’t
paid.


CHAPTER 4
IMPACT OF THE ATTACK
4.1 Number of Systems Affected Globally

1. The breach impacted hundreds of organizations worldwide, making it one of the largest cyber.

2. As of mid-2023, security researchers confirmed that over 1,000 organizations had been
compromised.
3. The attack exposed sensitive information of an estimated 60+ million individuals across different
sectors.
4. MOVEit Transfer was widely used by enterprises, government agencies, and universities, which
amplified the scale of the breach.
5. Unlike ransomware that encrypts entire networks, this attack directly targeted data transfer systems,
meaning sensitive records were immediately stolen.

4.2 Financial Losses and Estimated Damages

1. Direct financial losses included costs of incident response, forensic investigations, system patching,
and legal liabilities.

2. Cyber insurance payouts for the MOVEit breach were estimated to be among the largest in 2023,
running into billions of dollars collectively.
3. Individual organizations reported losses ranging from millions to tens of millions due to regulatory
fines, lawsuits, and recovery costs.
4. Class-action lawsuits were filed against Progress Software and affected companies for failing to
protect sensitive data.
5. Beyond direct financial damages, organizations suffered long-term reputational harm, resulting in
potential customer and partner loss.

4.3 Industries Most Impacted

1. Healthcare – Patient data, medical records, and insurance details were exposed across multiple
hospitals and providers.
2. Government Agencies – U.S. federal agencies and European public sector entities had sensitive
internal data compromised.
3. Finance – Banks, payroll providers, and pension services lost confidential financial information.


4. Education – Universities and schools were affected, exposing student and staff records.

4.4 Real-World Consequences

1. Large volumes of personally identifiable information (PII), including Social Security numbers, bank
details, and health data, were leaked.
2. Victims faced identity theft risks, phishing attempts, and financial fraud due to the exposed data.
3. Organizations had to notify millions of individuals about data breaches, leading to loss of customer
trust.
4. Government investigations were launched in the U.S., UK, and EU, leading to regulatory scrutiny
over third-party risk management.
5. Companies faced operational disruptions, as file transfer systems had to be taken offline until
patches were applied.


CHAPTER 5

MITIGATION AND PREVENTION STRATEGIES

5.1 Patches and Updates Released to Fix Vulnerabilities

1. Progress Software, the vendor of MOVEit, released emergency patches on May 31, 2023, to
address the SQL injection vulnerability exploited in the breach.
2. Subsequent security updates were issued in the following weeks as researchers discovered
additional vulnerabilities in MOVEit Transfer and MOVEit Cloud.
3. Organizations were urged to immediately apply patches and perform forensic scans to identify signs
of compromise.
4. Regular patch management and automated update deployment became emphasized as a best
practice for vulnerability management.

5.2 Role of Antivirus, Firewalls, and Intrusion Detection Systems (IDS)

1. Antivirus solutions helped detect and block known ransomware payloads, though they were less
effective against zero-day exploits.
2. Firewalls and Web Application Firewalls (WAFs) played a critical role in blocking malicious SQL
injection attempts by filtering abnormal web requests.
3. Intrusion Detection and Prevention Systems (IDS/IPS) were recommended to monitor network
traffic and flag anomalies related to MOVEit server exploitation.
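To show what the WAF/IDS filtering described above looks like as detection logic, here is an added Python example (not from the report or from any vendor product) that scans access-log lines for request parameters carrying SQL syntax; the log lines, paths and IP addresses are constructed for the demo, and the rules are heuristics that a real deployment would tune against its own traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format; hosts, paths and query
# strings are invented for the demo and are not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2023:10:01:02 +0000] "GET /portal/index HTTP/1.1" 200 5123
10.0.0.7 - - [31/May/2023:10:01:09 +0000] "GET /api/files?folder=Home HTTP/1.1" 200 912
198.51.100.23 - - [31/May/2023:10:02:15 +0000] "GET /api/files?folder=Home%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211
198.51.100.23 - - [31/May/2023:10:02:20 +0000] "GET /api/files?folder=Home%27%20UNION%20SELECT%20username%2Cpw_hash%20FROM%20users-- HTTP/1.1" 500 211
10.0.0.9 - - [31/May/2023:10:03:00 +0000] "GET /api/files?folder=O%27Brien HTTP/1.1" 200 870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

# Each rule is (name, regex applied to the URL-decoded query string).
RULES = [
    ("quote_then_keyword", re.compile(r"'\s*(or|and|union|select)\b", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s*'[^']*'\s*=\s*'", re.I)),
    ("sql_comment", re.compile(r"(--|/\*)")),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def inspect_request(target: str) -> list:
    """Return the names of the rules triggered by one request target."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))  # double-decode to catch %2527-style nesting
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Parse each log line and report requests that trigger at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        hits = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "target": m["target"], "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} status={f['status']} rules={f['rules']}")
```

Note the apostrophe in "O'Brien" is not flagged: the rules key on a quote followed by SQL structure, which keeps ordinary names from producing false positives.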

5.3 Encryption Best Practices for Defence

1. While MOVEit used AES and TLS, the breach showed that encryption alone is not enough if
vulnerabilities exist in the system handling it.
2. Best practices include implementing end-to-end encryption (E2EE), where only the sender and
recipient can decrypt data, reducing risks if servers are compromised.
3. Key management must be strengthened, ensuring encryption keys are stored securely (e.g., in
Hardware Security Modules – HSMs).
4. Organizations should deploy encryption at multiple layers (application-level, database-level, and
transport-level) to provide redundancy.


5.4 Importance of Backups and Disaster Recovery Planning

1. Regular Backups: Organizations must maintain frequent, encrypted backups of critical files to
ensure data can be restored quickly in case of a breach or ransomware attack.
2. Offline and Offsite Storage: Backups should be stored offline or offsite to prevent attackers from
accessing or encrypting backup copies during a cyberattack.
3. Disaster Recovery Planning: A well-defined disaster recovery plan enables rapid restoration of
affected systems, minimizing operational downtime and financial losses while maintaining business
continuity.


CHAPTER 6

CASE STUDIES

1. BBC (United Kingdom)

Impact: The BBC reported that sensitive internal files were compromised due to the MOVEit
vulnerability, potentially exposing employee data and confidential communications.

Response: BBC immediately took affected systems offline, applied emergency patches from Progress
Software and conducted a full forensic investigation. They also notified regulatory authorities about
the breach.

Lesson Learned: Even media organizations with robust IT infrastructure are vulnerable to third-party
software exploits; constant monitoring and timely patching are critical.

2. Shell (Global)

Impact: Shell, the multinational energy company, had internal documents and data transferred via
MOVEit accessed by attackers. No evidence suggested operational systems were disrupted, but
sensitive financial and project data were at risk.

Response: Shell implemented immediate containment measures, applied vendor-provided patches,
and conducted a thorough review of third-party file transfer tools to prevent future exposure.

Lesson Learned: Large enterprises relying on widely used software must implement strict third-party
risk management and regularly audit all data transfer systems.

3. University of California System (USA)

Impact: Multiple campuses of the University of California were affected, leading to exposure of
student records, research data, and staff information.

Response: The university disabled MOVEit services temporarily, worked with cybersecurity experts
to identify compromised accounts and informed affected individuals as per regulatory requirements.

Lesson Learned: Educational institutions are high-risk targets due to sensitive personal and research
data; enforcing multi-layered security for encrypted file transfer is essential.


CHAPTER 7
CONCLUSION

The MOVEit Data Breach (2023) demonstrated how attackers can exploit vulnerabilities in widely
used software to bypass encryption and access sensitive data. Key findings highlight that even strong
cryptographic methods like AES and TLS are insufficient if the underlying application has security
flaws, such as SQL injection vulnerabilities. The breach affected hundreds of organizations globally,
spanning media, finance, government, and education sectors, emphasizing the risks associated with
third-party software and supply chain dependencies.

Lessons learned underscore the importance of timely patch management, continuous vulnerability
monitoring, and secure implementation of encryption practices. Future recommendations for
organizations include adopting end-to-end encryption, enforcing robust key management,
implementing layered network defenses, maintaining regular offline backups, and conducting thorough
audits of third-party tools. By combining cryptography with strong cybersecurity policies and
proactive risk management, organizations can significantly reduce the likelihood and impact of similar
cyber attacks.
