Clop (also written Cl0p) stopped being a conventional ransomware group around 2022 and started being something more specific: a supply chain exploitation shop. The MOVEit Transfer campaign in mid-2023 affected over 2,600 organisations directly. GoAnywhere MFT in early 2023 affected dozens of large enterprises. Cleo Harmony and related managed file transfer products were hit in late 2024. Each of these campaigns used the same pattern: identify a widely-deployed managed file transfer product, find a zero-day, exploit at scale over a compressed timeline, skip traditional encryption, and extort based on stolen data. The tradecraft is different enough from standard ransomware that defenders who think of Clop as "just another ransomware group" miss the structural features of how the campaigns work.
The target class matters
Clop picks products with specific properties:
- Managed file transfer systems. MOVEit, GoAnywhere, Cleo, Accellion/FTA in earlier campaigns. These sit at the boundary between organisations and external parties, holding sensitive data in transit.
- Enterprise adoption. Large organisations are the data-rich targets. These products are overrepresented among Fortune 500 back-office file transfer.
- Stable, under-scrutinised codebases. The targeted products tend to be older, well-entrenched, and — until Clop — not on researcher top-target lists.
- Network edge positioning. MFT systems are often internet-facing by design, providing initial access without requiring credential theft.
This is not random. It is targeting that accumulates knowledge over time; each campaign informs the next.
The exploitation timeline is compressed
Clop campaigns show a distinctive cadence:
- Silent vulnerability discovery over weeks or months. Not disclosed until the exploitation phase begins.
- Mass exploitation over 48–72 hours. The zero-day is burned fast, targeting thousands of instances in parallel.
- Data exfiltration within hours of initial access. Clop moves fast; encryption often isn't used at all.
- Delayed victim notification. Weeks to months later, Clop contacts victims and publishes leak threats.
- Extended extortion phase. Lasts months. Clop releases data in tranches on their leak site.
The compressed exploitation window matters for defenders. A MOVEit-style campaign doesn't give you a month to patch once exploitation starts. Your window is "hours from initial vendor notification" or you are in the leak-site queue.
The MOVEit campaign specifics
CVE-2023-34362 (CVSS 9.8), a SQL injection in MOVEit Transfer, was exploited starting around May 27, 2023. Progress Software (MOVEit's vendor) disclosed the vulnerability on May 31. By mid-June, confirmed victims included US federal agencies, state governments, major universities, Fortune 500 companies, and thousands of downstream organisations whose data was held by MOVEit-using service providers.
The technical exploit is well-documented. The supply chain angle is that many victims were not direct MOVEit users — they were customers of service providers (BORN in Canada, various payroll providers, major consultancies) who used MOVEit for data exchange. The attack reached them through their vendor's MOVEit instance.
This is the genuine supply chain character of the Clop playbook. The direct victim count is smaller than the downstream-affected count by an order of magnitude.
The GoAnywhere campaign specifics
CVE-2023-0669 in Fortra's GoAnywhere MFT, exploited starting January 2023. Direct victims were smaller in number than MOVEit but included several large healthcare and financial services organisations. The downstream impact was narrower because GoAnywhere had a smaller footprint.
Lessons from the GoAnywhere campaign informed the MOVEit approach. Same playbook; broader target pool.
The Cleo campaign specifics
CVE-2024-50623 and CVE-2024-55956 in Cleo Harmony, VLTrader, and LexiCom — exploited starting October 2024. The pattern mirrors MOVEit: zero-day, mass exploitation over compressed timeline, data exfiltration, extortion.
The Cleo campaign confirmed what the previous two suggested: Clop has institutionalised the pattern. They are running a product line, not a one-off campaign.
What makes this hard to defend against
Three structural features:
You don't always know you use the product. Managed file transfer is often procured by enterprise IT teams and consumed by many business units. Security teams may not have the product on their inventory.
Vendor disclosure speed matters more than your response speed. The gap between public disclosure and exploitation in the wild is sometimes hours. A weekly patch cadence is too slow for the Clop timeline.
Customer-of-customer exposure is invisible. Even if you don't run MOVEit, your payroll provider's MOVEit instance holds your employee data. Your exposure depends on vendors' security posture, which you don't directly control.
Defensive moves that reduce exposure
Four that genuinely help:
Inventory the MFT category specifically. Know which MFT products your organisation runs, which your vendors run (ask), and which handle your regulated data. Update quarterly.
Vendor due diligence scope check. For vendors handling your sensitive data, your due diligence should ask specifically about their MFT infrastructure. Generic "do you have security controls" questions miss the Clop threat model.
Expedited patch SLA for MFT products. For patch timing, treat any CVE affecting your MFT infrastructure as if it were CVSS 9.8, regardless of its actual score. Clop has shown they will exploit even medium-severity MFT vulnerabilities if the blast radius is right.
Detection tuned to MFT-specific indicator patterns. Baseline normal MFT network behaviour, then alert on anomalous outbound data volumes, unexpected outbound connections, and unusually large HTTP responses from the MFT host.
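The inventory, vendor due-diligence and expedited-SLA moves above amount to one triage rule: join incoming advisories to every place your data sits on an MFT product, in-house or at a vendor, and give MFT hits the tightest clock whatever their CVSS score. The following is an added illustrative example, not code from the article or from any vendor or product. Apart from CVE-2023-34362 (the MOVEit advisory the article discusses), the advisories, the inventory entries, the product-category set and the SLA hours are constructed assumptions; `CVE-EXAMPLE-*` ids and `Example *` product names are placeholders.

```python
"""Patch-priority triage that treats every managed file transfer (MFT)
advisory as critical and surfaces vendor-held MFT exposure next to in-house
assets. Added example; inventory, SLA hours, the product-category set and
all advisories except CVE-2023-34362 are constructed assumptions.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed: products the organisation classifies as MFT, whether it runs
# them itself or a vendor runs them while holding the organisation's data.
MFT_PRODUCTS = {
    "moveit transfer", "goanywhere mft", "cleo harmony", "cleo vltrader",
    "cleo lexicom", "example transfer server",   # last entry is a placeholder
}

# Constructed SLA policy: hours to patch (or isolate) per tier. The "mft"
# tier applies regardless of the advisory's CVSS score.
SLA_HOURS = {"mft": 24, "critical": 72, "high": 168, "medium": 720, "low": 2160}

# Constructed inventory. "owner" is "internal" for systems we patch and
# "vendor" for a third party's MFT instance that holds our data (learned
# through due diligence, not scanning).
INVENTORY = [
    {"asset": "mft-prod-01", "product": "MOVEit Transfer", "owner": "internal"},
    {"asset": "vendor:Example Payroll Co", "product": "MOVEit Transfer", "owner": "vendor"},
    {"asset": "xfer-legacy-01", "product": "Example Transfer Server", "owner": "internal"},
    {"asset": "erp-01", "product": "Example ERP", "owner": "internal"},
]

# Constructed advisory feed. Only CVE-2023-34362 is real; the CVE-EXAMPLE-*
# ids are placeholders with made-up scores.
ADVISORIES = [
    {"cve": "CVE-2023-34362", "product": "MOVEit Transfer", "cvss": 9.8, "published": "2023-05-31T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-0001", "product": "Example Transfer Server", "cvss": 5.3, "published": "2023-05-30T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-0002", "product": "Example ERP", "cvss": 6.5, "published": "2023-05-30T00:00:00Z"},
]


def is_mft(product):
    return product.strip().lower() in MFT_PRODUCTS


def cvss_band(score):
    """Map a CVSS v3 base score onto the usual qualitative bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def sla_tier(product, cvss):
    """MFT products get the 'mft' tier whatever the score; others use CVSS."""
    return "mft" if is_mft(product) else cvss_band(cvss)


def triage(inventory=INVENTORY, advisories=ADVISORIES, sla_hours=SLA_HOURS):
    """Join advisories to affected assets and compute a deadline per asset.

    Vendor-owned assets cannot be patched by us, so the action becomes a
    request for patch evidence from the vendor, on the same clock.
    """
    by_product = {}
    for item in inventory:
        by_product.setdefault(item["product"].lower(), []).append(item)
    work = []
    for adv in advisories:
        tier = sla_tier(adv["product"], adv["cvss"])
        published = datetime.strptime(adv["published"], TS_FMT)
        deadline = published + timedelta(hours=sla_hours[tier])
        for item in by_product.get(adv["product"].lower(), []):
            work.append({
                "cve": adv["cve"],
                "asset": item["asset"],
                "tier": tier,
                "cvss": adv["cvss"],
                "deadline": deadline.strftime(TS_FMT),
                "action": "patch" if item["owner"] == "internal" else "request_vendor_evidence",
            })
    work.sort(key=lambda w: (w["deadline"], w["cve"], w["asset"]))
    return work


if __name__ == "__main__":
    for w in triage():
        print(f'{w["deadline"]}  {w["tier"]:8}  {w["cve"]:18}  {w["asset"]:28}  {w["action"]}')
```

The point of the join is the second MOVEit row: the organisation does not patch the payroll vendor's instance, but the exposure is on the same 24-hour clock, so the output turns into an evidence request rather than silently dropping out. The medium-scored placeholder MFT advisory lands ahead of everything else for the same reason.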
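The detection move is the one most often left as a slogan, so here is the baseline-then-alert logic worked through over log lines. This is an added example, not code from the article or from any MFT vendor: the log format (timestamp, account, direction, peer, bytes), the field names and every sample line are constructed, and the thresholds (mean plus three spreads, spread floored at 10% of the mean) are assumptions to tune against your own history. The `svc_payroll` lines on 2023-05-27 model a bulk pull to a never-before-seen address; `hr_share` models an ordinary day.

```python
"""Baseline-and-anomaly detection over managed file transfer (MFT) audit
logs. Added example; the log format and every sample line are constructed.
Map the parser onto your product's real audit log before use.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample log. "download" means data left the MFT server for the
# named peer, which is the direction exfiltration shows up in.
SAMPLE_LOG = """\
2023-05-20T09:12:00Z svc_payroll download 203.0.113.10 120000
2023-05-21T09:15:00Z svc_payroll download 203.0.113.10 115000
2023-05-22T09:10:00Z svc_payroll download 203.0.113.10 130000
2023-05-23T09:11:00Z svc_payroll download 203.0.113.10 125000
2023-05-24T09:14:00Z svc_payroll download 203.0.113.10 118000
2023-05-25T09:13:00Z svc_payroll download 203.0.113.10 122000
2023-05-27T02:41:00Z svc_payroll download 198.51.100.77 9800000000
2023-05-27T02:52:00Z svc_payroll download 198.51.100.77 7200000000
2023-05-20T14:00:00Z hr_share download 192.0.2.5 4000000
2023-05-22T14:05:00Z hr_share download 192.0.2.5 4200000
2023-05-24T14:02:00Z hr_share download 192.0.2.5 3900000
2023-05-27T14:01:00Z hr_share download 192.0.2.5 4100000
"""


def parse_log(text):
    """Parse 'ts account direction peer bytes' lines into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, direction, peer, nbytes = line.split()
        records.append({
            "day": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date(),
            "account": account, "direction": direction,
            "peer": peer, "bytes": int(nbytes),
        })
    return records


def build_baseline(records, before):
    """Per-account download baseline from activity strictly before `before`.

    Only days with activity contribute; the peers seen become the account's
    known-destination set.
    """
    daily = defaultdict(lambda: defaultdict(int))  # account -> day -> bytes
    peers = defaultdict(set)
    for r in records:
        if r["direction"] != "download" or r["day"] >= before:
            continue
        daily[r["account"]][r["day"]] += r["bytes"]
        peers[r["account"]].add(r["peer"])
    baseline = {}
    for account, per_day in daily.items():
        volumes = list(per_day.values())
        mu = mean(volumes)
        sigma = pstdev(volumes) if len(volumes) > 1 else 0.0
        # Floor the spread at 10% of the mean so a flat history (or a single
        # observed day) does not turn every small fluctuation into an alert.
        sigma = max(sigma, 0.1 * mu)
        baseline[account] = {"mean": mu, "sigma": sigma, "peers": peers[account]}
    return baseline


def detect(records, baseline, day, k=3.0):
    """Flag accounts whose download volume on `day` exceeds mean + k*sigma,
    or that served data to a peer absent from the baseline window."""
    volume = defaultdict(int)
    peers_seen = defaultdict(set)
    for r in records:
        if r["direction"] != "download" or r["day"] != day:
            continue
        volume[r["account"]] += r["bytes"]
        peers_seen[r["account"]].add(r["peer"])
    findings = []
    for account in sorted(volume):
        base = baseline.get(account)
        reasons, new_peers = [], sorted(peers_seen[account])
        if base is None:
            reasons.append("no_baseline")   # account never seen before: review
        else:
            if volume[account] > base["mean"] + k * base["sigma"]:
                reasons.append("volume")
            new_peers = sorted(peers_seen[account] - base["peers"])
            if new_peers:
                reasons.append("new_peer")
        if reasons:
            findings.append({"account": account, "day": day.isoformat(),
                             "bytes": volume[account], "reasons": reasons,
                             "new_peers": new_peers})
    return findings


def run_sample():
    """Run the detector over the constructed log for 2023-05-27."""
    records = parse_log(SAMPLE_LOG)
    target = date(2023, 5, 27)
    return detect(records, build_baseline(records, target), target)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Two details carry the weight here. The volume rule alone would miss a slow drip that stays under the threshold, which is why the unknown-destination rule sits beside it; and the spread floor exists because a service account with a perfectly regular history has a standard deviation near zero, and without the floor every routine variation would page someone until the rule was switched off.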
Clop leak site dynamics
Clop's extortion phase uses a public leak site where they publish victim data if ransom isn't paid. The site has been operational through multiple law enforcement takedown attempts — Clop has demonstrated resilience comparable to LockBit's.
For the defender, the leak site is both a threat and an intelligence source. Watching what gets published reveals:
- Which campaigns had broader reach than publicly known.
- Which victim organisations paid (absence from leak site after a delay).
- Which data types Clop prioritises (useful for threat-model refinement).
Treating the leak site as OSINT rather than just as a ransom-pressure mechanism produces useful defender signal.
What Clop tells us about threat actor evolution
Three generalisations supported by the campaign record:
- Mass exploitation playbooks are becoming professionalised. Clop's cadence is not improvised; it is productised.
- Supply-chain-structural vulnerabilities beat credential theft for scale. A single MFT CVE reaches more downstream organisations than a thousand credential thefts.
- Vendor patch velocity is the single biggest defender lever. Organisations whose MFT vendors patch fast have meaningfully less exposure.
The generalisations apply beyond Clop. Other actors are watching and replicating. Expect the pattern.
How Safeguard Helps
Safeguard's TPRM module specifically tracks managed file transfer infrastructure across vendor portfolios and flags vendors whose MFT posture has unknown or stale vulnerability status. Griffin AI monitors MFT-vendor advisory channels and alerts on newly-disclosed MFT vulnerabilities with a compressed timeline expectation. Policy gates can require vendor MFT SLA evidence at contract renewal. For organisations whose data flows through vendors' MFT infrastructure, Safeguard surfaces the Clop-class exposure that generic third-party risk assessments routinely miss.