Forensic Control

Unravelling the MOVEit Hack: A Simple Guide to Understanding and Preventing Cyber Attacks

We explain the MOVEit hack and provide a simple guide to understanding and preventing similar cyber attacks


Introduction

Cybersecurity is a dynamic and challenging field, with threats constantly evolving. One recent incident that drew attention worldwide was the hack of MOVEit Transfer, a widely used managed file transfer product that many organisations rely on to move sensitive files securely. This blog post provides an easy-to-understand breakdown of what happened, its consequences, and how similar attacks could be prevented in the future.

The Hack

The MOVEit hack is often described as a “supply-chain attack”. The cybercriminals did not break into each victim separately; they exploited a previously unknown (zero-day) security flaw in MOVEit Transfer, a file transfer product developed by US company Progress Software and used globally to move sensitive files. Because so many organisations and their service providers ran the same software, one flaw let the attackers pull data from a large number of companies at once.

The flaw, later tracked as CVE-2023-34362, was a SQL injection vulnerability: the application built database queries from user-supplied input without properly separating data from SQL syntax. The attackers chained it into remote code execution and used it to plant a web shell, a malicious page named ‘human2.aspx’, in the application’s web root (a name chosen to blend in with the legitimate human.aspx page). Through that web shell they could list the files stored in MOVEit, create or elevate administrator-level user accounts, and read the configured Azure Blob Storage settings, which they could then use to steal additional data directly from cloud storage.
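To make the SQL injection step concrete, here is an added example in Python (not code from this page, from Progress Software or from MOVEit Transfer itself) using an in-memory SQLite database. The `users` table, the `login_vulnerable` and `login_fixed` functions and the two payloads are illustrative assumptions. The point is how a query built by string formatting lets input rewrite the statement, and how a parameterised query does not. It shows an authentication bypass and a UNION payload that reads another row’s data, which is the data-theft pattern described above; it does not reproduce the code-execution chain used against MOVEit.

```python
import sqlite3


# Constructed in-memory database standing in for an application's user table.
# Table and column names are illustrative, not MOVEit Transfer's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 0), ("admin", "hunter2", 1)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Parameterised query: the driver binds the values separately from the SQL
    text, so input can never change the statement's structure."""
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two injection payloads of the kind used against string-built queries.
BYPASS_PAYLOAD = "admin' --"  # the comment marker discards the password check
UNION_PAYLOAD = "' UNION SELECT password, 1 FROM users WHERE username = 'admin' --"


def demo():
    """Run both payloads against the vulnerable and the fixed login."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),   # ('admin', 1)
        "vuln_union": login_vulnerable(conn, UNION_PAYLOAD, "wrong"),     # ('hunter2', 1)
        "fixed_bypass": login_fixed(conn, BYPASS_PAYLOAD, "wrong"),       # None
        "fixed_union": login_fixed(conn, UNION_PAYLOAD, "wrong"),         # None
        "fixed_legit": login_fixed(conn, "alice", "s3cret"),              # ('alice', 0)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function logs the attacker in as `admin` with a wrong password, and the UNION payload returns the admin’s stored password in place of a username; the parameterised version treats both payloads as literal strings that match nothing. The same principle, never letting user input become part of the SQL text, is the fix for this whole class of bug regardless of language or database.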

The Consequences

The impact of this cyber-attack was far-reaching. Ofcom, which used MOVEit Transfer directly, confirmed that personal information about 412 of its employees was downloaded during the hack. Many other organisations were affected without using MOVEit themselves, through third-party arrangements: British Airways, the BBC and Boots had staff data stolen because Zellis, the company that processes their payroll, ran MOVEit Transfer and fell victim to the hack.

The criminals responsible, linked to the notorious Clop ransomware group, threatened to start publishing the stolen data of any company that did not email them to open negotiations. Organisations that refuse face having their data leaked; those that pay face substantial financial losses, with no guarantee that the data is actually deleted.

Prevention and Mitigation

The best protection against such cyber threats is proactivity and vigilance. In the case of the MOVEit hack, Progress Software issued an advisory warning of a critical vulnerability and recommended immediate actions to protect customers’ environments. These included disabling all HTTP and HTTPS traffic (ports 80 and 443) to MOVEit Transfer, checking the application’s web root folder (C:\MOVEitTransfer\wwwroot\) for unexpected files, especially .aspx files, deleting any unauthorised files and user accounts and resetting credentials, and keeping the system offline until the patch had been installed and a thorough investigation for compromise completed. Blocking traffic stops new exploitation but does not undo an intrusion that has already happened, which is why the checks matter as much as the block.

Patches to fix the vulnerability were made available for the supported versions of MOVEit Transfer, and organisations were strongly advised to install them without delay. Patching closes the door to future attackers; it does not remove a web shell or rogue account that is already in place, so patching and the compromise investigation go together.
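Here is an added example, not from this page or from Progress Software, of how an examiner might carry out the “check for unexpected files” step offline in Python: compare a listing of the web root against a known-good baseline, then parse an IIS W3C log and flag requests for .aspx pages that the baseline does not contain. The baseline names, the directory listing and the log lines are all constructed for the example; a real baseline must come from your own clean install or the vendor package, and a clean result here does not prove there was no compromise.

```python
# Hypothetical baseline: the page files present in a known-good install of the
# application's web root. Build it from a clean deployment or the vendor
# package; the names here are illustrative.
BASELINE_WWWROOT = {"human.aspx", "guestaccess.aspx", "machine.aspx", "web.config"}

# Constructed listing of the live web root as (file name, size in bytes).
LIVE_WWWROOT = [
    ("human.aspx", 10240),
    ("guestaccess.aspx", 8192),
    ("machine.aspx", 7000),
    ("web.config", 2048),
    ("human2.aspx", 4700),  # not in the baseline; the name blends in with human.aspx
]

# Constructed IIS W3C log excerpt. Client addresses are from documentation ranges.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-27 03:12:05 GET /human.aspx - 203.0.113.10 200
2023-05-27 03:12:09 POST /human2.aspx - 198.51.100.23 200
2023-05-27 03:12:11 POST /human2.aspx - 198.51.100.23 200
2023-05-27 03:15:41 GET /guestaccess.aspx - 203.0.113.10 200
"""


def unexpected_files(live_listing, baseline):
    """Names in the live web root that the baseline does not account for."""
    known = {name.lower() for name in baseline}
    return sorted(name for name, _size in live_listing if name.lower() not in known)


def parse_w3c(log_text):
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue  # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_requests(rows, baseline):
    """Requests for .aspx pages that are not part of the baseline web root."""
    known = {name.lower() for name in baseline}
    hits = []
    for row in rows:
        page = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if page.endswith(".aspx") and page not in known:
            hits.append((row["date"] + " " + row["time"], row["c-ip"], row["cs-uri-stem"]))
    return hits


def hunt(live_listing, log_text, baseline=BASELINE_WWWROOT):
    """Combine the file check and the log check into one set of findings."""
    hits = suspicious_requests(parse_w3c(log_text), baseline)
    return {
        "unexpected_files": unexpected_files(live_listing, baseline),
        "suspicious_requests": hits,
        "source_ips": sorted({ip for _when, ip, _stem in hits}),
    }


if __name__ == "__main__":
    for key, value in hunt(LIVE_WWWROOT, IIS_LOG).items():
        print(f"{key}: {value}")
```

Two findings reinforce each other here: a file that the baseline cannot explain, and web requests for that same file from a single external address. The source addresses are what you pivot on next (other hosts, firewall logs, the MOVEit database audit tables), and the file itself should be preserved as evidence before it is removed.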

Companies should also have a robust incident response plan in place to minimise the damage when breaches occur. This includes having a dedicated team monitoring systems even during holidays and out of hours: the MOVEit hack reportedly began over the US Memorial Day weekend at the end of May 2023, when fewer staff were watching.

Conclusion

The MOVEit hack serves as a potent reminder of the importance of cybersecurity vigilance. Organisations must invest not only in robust cybersecurity infrastructure but also in continuous monitoring, swift response plans, and regular updating and patching of all software systems. In the ever-evolving landscape of cybersecurity, staying one step ahead of potential threats is the key to safeguarding valuable data and maintaining trust in the digital world.

Please note: This is a simplified explanation of the MOVEit hack and some technical details have been omitted or simplified for clarity. For a more technical explanation, we recommend consulting cybersecurity experts or detailed technical reports on the incident.
