{
	"id": "ad585884-f5ab-49f4-9648-f345e5d4e9d6",
	"created_at": "2026-04-06T00:14:44.783061Z",
	"updated_at": "2026-04-10T03:30:21.21992Z",
	"deleted_at": null,
	"sha1_hash": "8023b7323340f4d727a37358c2fa64e6620c19f3",
	"title": "Energy giant Shell discloses data breach after Accellion hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1760404,
	"plain_text": "Energy giant Shell discloses data breach after Accellion hack\r\nBy Sergiu Gatlan\r\nPublished: 2021-03-22 · Archived: 2026-04-05 18:20:58 UTC\r\nImage: Nicholas Jeffway\r\nEnergy giant Shell has disclosed a data breach after attackers compromised the company's secure file-sharing system\r\npowered by Accellion's File Transfer Appliance (FTA).\r\nShell (short for Royal Dutch Shell plc) is a multinational group of petrochemical and energy companies with more than\r\n86,000 employees in over 70 countries.\r\nhttps://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nIt is also the fifth-largest company in the works based on its 2020 revenue results according to Fortune's Global 500\r\nrankings.\r\nAttack didn't affect Shell's network\r\nShell disclosed the attack in a public statement published on the company's website last week and said that the incident only\r\naffected the Accellion FTA appliance used to transfer large data files securely.\r\n\"Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cyber security team, and\r\nstarted an investigation to better understand the nature and extent of the incident,\" Shell said.\r\n\"There is no evidence of any impact to Shell's core IT systems as the file transfer service is isolated from the rest of Shell's\r\ndigital infrastructure.\"\r\nShell also reached out to relevant data authorities and regulators after discovering that the attackers gained access to files\r\ntransferred using the compromised Accellion FTA appliance.\r\nAccording to the company, some of the data accessed during the attack belongs to stakeholders and Shell subsidiaries.\r\n\"Some contained personal data and others included data from Shell companies and some of their stakeholders,\" the\r\nstatement reads.\r\n\"Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks.\"\r\nCyber security and personal data privacy are important for Shell and we work continuously to improve our\r\ninformation risk management practices. We will continue to monitor our IT systems and improve our security. We\r\nregret the concern and inconvenience this may cause affected parties. — Shell\r\nClop ransomware gang and FIN11 behind series of Accellion hacks\r\nWhile the attackers' identity was not disclosed in Shell's statement, a joint statement published by Accellion and\r\nMandiant last month shed more light on the attacks, linking them to the FIN11 cybercrime group.\r\nThe Clop ransomware gang has also been using an Accellion FTA zero-day vulnerability (disclosed in mid-December 2020)\r\nto compromise and steal data from multiple companies.\r\nAccellion said that 300 customers used the 20-year-old legacy FTA software, with less than 100 of them being breached by\r\nthe Clop ransomware gang and FIN11 (the cybercrime groups behind these attacks).\r\nLess than 25 victims appear \"to have suffered significant data theft,\" according to Accellion.\r\nBleepingComputer has reported breaches affecting multiple organizations following attacks targeting Accellion FTA,\r\nincluding cybersecurity firm Qualys, the supermarket giant Kroger, the Reserve Bank of New Zealand, the Australian\r\nSecurities and Investments Commission (ASIC), Singtel, QIMR Berghofer Medical Research Institute, and the Office of the\r\nWashington State Auditor (\"SAO\").\r\nFive Eyes members have also issued a joint security advisory last month about ongoing attacks and extortion attempts\r\ntargeting orgs using unpatched Accellion File Transfer Appliance (FTA) versions.\r\nBleepingComputer has reached out to Shell for comment but has not heard back.\r\nhttps://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/\r\nhttps://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/"
	],
	"report_names": [
		"energy-giant-shell-discloses-data-breach-after-accellion-hack"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8023b7323340f4d727a37358c2fa64e6620c19f3.pdf",
		"text": "https://archive.orkl.eu/8023b7323340f4d727a37358c2fa64e6620c19f3.txt",
		"img": "https://archive.orkl.eu/8023b7323340f4d727a37358c2fa64e6620c19f3.jpg"
	}
}