Three Lessons the Accellion FTA Hack of Shell Reminded Us

At the beginning of March, we reported on four actively exploited zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA). Recently Shell, a well-known name in oil and gas, found out how much damage such an attack can do to a business.

Attackers successfully accessed Shell’s files, and not only the sensitive data of its personnel: the company also found itself in the unpleasant position of briefing its business affiliates about a breach of their data. However, because they were isolated, the core internal IT systems remained untouched.


The Shell breach was part of a series of attacks through Accellion FTA. As it turned out, the two-decades-old legacy product contained four zero-days, three critical and one of high severity. Attackers compromised systems using SQL injection and a custom DEWMODE web shell to download data.

Researchers have attributed the Accellion campaign to the financially motivated FIN11 group. Reportedly, the cybercriminals have already disclosed Shell’s data on the Clop ransomware leak site. The leaked files appear to include visa and travel documents as well as company evaluation reports.

Besides the petroleum giant with annual revenues of $180 billion, the attackers hit quite a number of other entities. The US law firm Jones Day, aerospace manufacturer Bombardier, cybersecurity firm Qualys, the Reserve Bank of New Zealand, telecom Singtel, and Harvard Business School all joined the list of victims.

In summary, there are three key lessons from the Accellion incident:

  1. Cyberattacks target anyone. Individuals, groups, organizations, or governments – all of them use potentially vulnerable software and hardware. Success is just a matter of how much time and resources the attacker is willing to invest.
  2. Isolated means defended. Splitting your system into segments and isolating them creates a barrier against being fully compromised in one blow. Along the way, do not forget to observe the principle of least privilege.
  3. Outdated services are a no-go. Regular security updates are essential, but switching to another solution when the time comes is just as necessary. Well-established processes may be convenient, but they are often built on ancient security architectures.



Shell: Third-party cyber security incident impacts Shell

ZDNet: Oil giant Shell discloses data breach linked to Accellion FTA vulnerability