Energy giant Shell impacted in Accellion hack

Shell is just the latest in a long line of victims.
(Adam Berry/Getty Images)

Oil and gas company Shell is the latest organization to get caught up in the hack that targeted IT provider Accellion’s file-sharing platform, the energy company says.

The suspected criminal hackers behind the breach, who have gone after victims around the world using vulnerabilities in Accellion’s file transfer application (FTA), have accessed some personal data as well as data belonging to Shell stakeholders and subsidiaries, the company said on March 16. Shell had used the FTA to securely transfer large files.

The incident appears to have only impacted the Accellion file transfer service. Shell claims there is “no evidence” so far that the incident has affected Shell’s IT system itself.

Shell is working with authorities and regulators to investigate the incident, the firm said.


The list of companies that use Accellion’s FTA that have fallen victim to the Accellion hack continues growing by the day. A Michigan-based savings bank and the grocery chain Kroger have previously announced that they have been impacted as a result of Accellion’s breach. Jones Day, a prominent law firm, has also been hit, according to The Wall Street Journal. Other victims include the Reserve Bank of New Zealand, the state of Washington, Harvard Business School and cybersecurity company Qualys.

Palo Alto-based Accellion has been hit with a class action lawsuit in recent weeks that claims it failed to ensure “adequate security protocols” for the FTA.

The hackers involved in the Accellion hack have, in some cases, threatened to publish data stolen from victims.

Security researchers are tracking multiple overlapping hacking groups that appear to be involved the operation. A group known as UNC2546 appears to be the group behind the initial exploitation of the Accellion FTA zero-day vulnerabilities, according to FireEye researchers, who have also said that a group called UNC2582 appears to be using stolen data to extort victims.

UNC2582 has claimed in extortion emails to victims that it is linked with the threat actors behind Clop ransomware, according to FireEye.


UNC2582 has a track record of following through on threats to publish stolen data, according to FireEye.

FireEye has observed overlaps between these hacking groups and another attack team known as FIN11.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts