HACKED BY RUSSIA: Russian Ransomware Group Breached Federal Agencies


According to Department of Homeland Security officials, the Department of Energy and several other federal agencies were targeted in a global hack conducted by a Russian cyber-extortion group. However, the officials said the impact of the attack was not expected to be significant.

While the Department of Energy and other federal agencies may not experience major consequences, there are concerns about the potential serious impacts for other victims, which could include hundreds of organizations ranging from industries to higher education institutions. Two state motor vehicle agencies are known to have been affected.

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), stated that this hacking campaign, unlike the prolonged and covert SolarWinds attack, was relatively short and superficial. Easterly emphasized that the attack seemed to be opportunistic rather than a deliberate attempt to gain extensive access or steal highly valuable information.

While the situation is being treated with urgency, Easterly clarified that this campaign does not pose a systemic risk to national security or the nation’s networks, unlike the SolarWinds incident. A senior CISA official confirmed that neither the U.S. military nor the intelligence community was impacted by the attack. However, details about the specific entities within the Department of Energy that were compromised were not provided.

Known victims of the attack include government entities such as Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, as well as private organizations like British Airways, the British Broadcasting Company (BBC), and the U.K. drugstore chain Boots. The hackers exploited a widely used file-transfer program called MOVEit, which is commonly employed by businesses to securely exchange files, including sensitive financial and insurance data.

Louisiana officials revealed that personal information, including names, addresses, Social Security numbers, and birthdates, of individuals with driver’s licenses or vehicle registrations in the state may have been exposed. They advised Louisiana residents to freeze their credit to protect against potential identity theft. The Oregon Department of Transportation also confirmed that personal information, including some sensitive data, of around 3.5 million people who received identity cards or driver’s licenses from the state was accessed by the attackers.

The cybercriminal group responsible for the attack, known as the Cl0p ransomware syndicate, announced on its dark web site that it had targeted hundreds of victims. It set a deadline for these victims to contact it for ransom negotiations, threatening otherwise to release the stolen data publicly. Cl0p asserted that it would delete any stolen data from governments, cities, and police departments.

A senior CISA official, speaking anonymously, stated that only a “small number” of federal agencies were affected by the attack, clarifying that it was not a widespread campaign impacting a large number of federal agencies. The official mentioned that no federal agencies had received extortion demands, and Cl0p had not leaked any data from an affected federal agency online.

U.S. officials have found no evidence of coordination between Cl0p and the Russian government. Progress Software, the parent company of MOVEit’s U.S. maker, alerted customers about the breach and issued a patch at the end of May. However, cybersecurity researchers believe that sensitive data could have been quietly exfiltrated from scores, if not hundreds, of companies before the breach was discovered.

The senior CISA official stated that industry estimates suggest there could be several hundred victims across the country. Federal officials encouraged victims to come forward, although they acknowledged that reporting such incidents is not always consistent due to the lack of a federal data breach law and varying disclosure requirements among states. Publicly traded corporations, healthcare providers, and critical infrastructure operators have regulatory obligations to disclose breaches.

SecurityScorecard, a cybersecurity firm, identified 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. However, they were unable to provide a breakdown of the affected agencies by country.

The Office of the Comptroller of the Currency within the Treasury Department utilizes MOVEit, according to federal contracting data. The agency’s spokeswoman assured that they were aware of the hack and closely monitoring the situation. She stated that no indications of a breach of sensitive information had been found, but did not disclose how the agency uses the file-transfer program.

SecurityScorecard’s threat analyst, Jared Smith, revealed that the hackers had been actively scanning and penetrating targets, as well as stealing data since at least March 29. This is not the first time Cl0p has breached a file-transfer program to gain unauthorized access to data and extort companies. They previously targeted GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.

When the Associated Press reached out to Cl0p via email to inquire about the government agencies it had hacked, it did not receive a response. However, Cl0p posted a message on its dark web leak site, claiming that it had deleted any government data and was only interested in business-related information.

Cybersecurity experts caution that Cl0p cannot be trusted to keep its word. Recorded Future, a cybersecurity firm, reported at least three cases where data stolen by ransomware groups surfaced on the dark web months after victims had paid ransoms.

{Matzav.com}
