Russian Ransomware Gang Targets Energy Department and Other Federal Agencies

According to Homeland Security officials on Thursday, a worldwide hack carried out by a Russian cyber-extortion group targeted file-transfer software widely used by corporations and governments, compromising the Department of Energy and various other federal agencies. However, the officials expressed limited concern regarding the potential impact of the breach.

The hack’s repercussions were becoming evident for some victims across various sectors, potentially numbering in the hundreds, including individuals associated with at least two state motor vehicle agencies.

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, informed journalists that unlike the protracted and secretive SolarWinds hacking operation linked to state-sponsored Russian intelligence agents, this campaign was brief, relatively shallow, and swiftly detected.

Easterly stated, “Based on our discussions with industry partners… these breaches are not being exploited to gain wider access, establish persistence in targeted systems, or pilfer specific high-value information. In essence, as we comprehend it, this attack is primarily opportunistic.”

“While we acknowledge the seriousness of this campaign and are actively addressing it, it does not pose a systemic threat to our national security or the integrity of our nation’s networks,” she further emphasized.

A high-ranking official from CISA confirmed that neither the U.S. military nor the intelligence community experienced any impact. Chad Smith, spokesperson for the Energy Department, mentioned that two entities within the department were compromised but refrained from disclosing further specifics.

Several organizations, such as Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the provincial government of Nova Scotia, British Airways, the British Broadcasting Company (BBC), and the U.K. drugstore chain Boots, have been identified as victims of a cyber attack. The targeted software, MOVEit, is a popular file-sharing program used by numerous businesses for secure data exchange. According to security experts, this compromised program potentially exposed confidential financial and insurance information.

On Thursday, Louisiana authorities announced that individuals holding a driver’s license or vehicle registration within the state have likely had their personal details compromised. This includes sensitive information such as their name, address, Social Security number, and date of birth. Officials strongly advised residents of Louisiana to take precautionary measures, such as freezing their credit, to protect themselves against potential identity theft.

The Oregon Department of Transportation verified on Thursday that the perpetrators managed to acquire personal data, including some sensitive information, for approximately 3.5 million individuals who received identity cards or driver’s licenses from the state.

Last week, the Cl0p ransomware group, operating on the dark web, made an announcement stating that their victims, potentially numbering in the hundreds, had until Wednesday to establish contact and initiate ransom negotiations. Failure to comply would result in the group exposing the stolen sensitive data online.

The criminal organization, considered one of the most active cybercrime syndicates globally, also asserted that they would eliminate any data they obtained from governments, cities, and police departments.

The senior official from CISA informed reporters that a “small number” of federal agencies experienced the cyber attack, refraining from disclosing their names. They emphasized that this was not a widespread campaign impacting a significant number of federal agencies. The official, speaking anonymously to address the breach, mentioned that no federal agencies had received ransom demands, and Cl0p had not leaked any data from affected federal entities online.

According to the official, U.S. officials do not possess any evidence indicating a collaboration between Cl0p and the Russian government.

The parent company of the U.S. manufacturer of MOVEit, Progress Software, informed its customers about the security breach on May 31 and released a fix for the issue. However, cybersecurity experts believe that numerous companies may have already had their sensitive data stolen without detection.

According to a senior official from CISA, industry estimates suggest that there could be several hundred victims of the breach nationwide. While federal authorities have encouraged victims to report such incidents, many choose not to do so. The United States lacks a comprehensive federal law regarding data breaches, resulting in varying disclosure practices across different states. However, publicly traded companies, healthcare providers, and certain critical infrastructure operators do have specific regulatory obligations in this regard.

According to SecurityScorecard, a cybersecurity company, they identified 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. Unfortunately, they were unable to provide a breakdown of the affected agencies by country.

Based on federal contracting data, the Office of the Comptroller of the Currency in the Treasury Department utilizes MOVEit. Stephanie Collins, a spokeswoman for the agency, acknowledged the security breach and stated that they have been closely monitoring the situation. She mentioned that the agency is actively conducting thorough forensic analysis of system activity and has not discovered any evidence of sensitive information being compromised. However, she declined to disclose the specific ways in which the agency employs the file-transfer program.

SecurityScorecard’s threat analyst, Jared Smith, revealed that the hackers had been engaging in an ongoing process of scanning for potential targets, infiltrating them, and illicitly acquiring data since at least March 29. This is not an isolated incident where Cl0p has exploited file-transfer programs to gain unauthorized access to data for the purpose of extorting companies. Similar occurrences have been observed in the past, such as the targeting of GoAnywhere servers in early 2023 and the compromise of Accellion File Transfer Application devices in both 2020 and 2021.

The Associated Press sent an email to Cl0p on Thursday, inquiring about the government agencies that had been compromised. However, no response was received. Nevertheless, the hacking group made a recent post on its dark web leak site stating: “We received numerous emails regarding government data. We want to clarify that we do not possess this information anymore as it has been completely deleted. Our focus is solely on targeting businesses.”

According to cybersecurity experts, the reliability of the Cl0p criminals to uphold their promises is questionable. Allan Liska from Recorded Future has indicated that he knows of at least three instances where data that was stolen by ransomware criminals eventually surfaced on the dark web, ranging from six to 10 months after the victims had paid the ransoms.
