A global cyberattack has struck several U.S. federal government agencies, allegedly orchestrated by Russian cybercriminals. The attack, which exploited a security vulnerability in widely-used software, has raised significant concerns among U.S. cybersecurity officials.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), several federal agencies have been affected by intrusions involving their MOVEit applications. Eric Goldstein, CISA’s executive assistant director for cybersecurity, confirmed in a statement that the agency is providing support to those impacted, working swiftly to assess the situation and mitigate further risks.
Beyond federal agencies, the cyberattack may have compromised numerous companies and organizations across the United States. A senior official from CISA, speaking to reporters, estimated that “several hundred” entities could potentially be affected, based on information from private cybersecurity experts.
The CLOP ransomware group, suspected to be behind the attack, is notorious for demanding large sums of money from its victims. However, no ransom demands have been made to any federal agencies, according to the senior CISA official.
Progress Software, the U.S. company responsible for the MOVEit software, disclosed that a second vulnerability had been discovered in the code and that efforts were underway to address the issue. Meanwhile, the Department of Energy (DOE) confirmed that it was among the federal agencies breached in the global hacking campaign.
While the attack has disrupted some federal systems, it appears that the overall impact on civilian federal agencies has been minimal. CISA Director Jen Easterly stated that the hackers primarily exploited the software flaw in an opportunistic manner, targeting vulnerable networks.
This incident adds to a growing list of victims of the extensive cyberattack that began approximately two weeks ago. Major U.S. universities and state governments have also fallen prey to the hacking spree, putting pressure on federal authorities to respond effectively to these increasing ransomware attacks.
The cybercriminals began exploiting a vulnerability in MOVEit, a popular software used for data transfers, late last month. Progress Software confirmed on Thursday that an additional security flaw had been identified and was being patched. The company has taken MOVEit Cloud offline while working on the fix.
As the situation unfolds, some agencies have been quick to deny any involvement in the breach. Both the Transportation Security Administration (TSA) and the State Department stated that they were not affected by the cyberattack. Meanwhile, the Department of Energy is cooperating with Congress, law enforcement, and CISA as it investigates the breach and works to minimize any lasting damage.
The DOE revealed that two of its affiliated entities were affected—Oak Ridge Associated Universities, a nonprofit research institution, and a contractor working with the Waste Isolation Pilot Plant in New Mexico.
Universities have also been significantly impacted. Johns Hopkins University and its health system announced that sensitive personal and financial data, including health billing information, may have been compromised in the attack. Georgia’s statewide university system, including the University of Georgia and several other institutions, is also assessing the severity of the breach.
The CLOP ransomware group has publicly taken credit for some of the hacks, which have targeted organizations such as the BBC, British Airways, Shell, and state governments in Minnesota and Illinois. Though CLOP was the first to exploit the MOVEit vulnerability, experts warn that other cybercriminal groups may now have access to the code needed to conduct similar attacks.
Despite the alarming scope of the breach, CLOP has stated on its dark web extortion site that it has erased all data related to government agencies and has no intention of exposing it. The group urged governmental organizations not to contact it, stating that its focus remains on profiting from non-governmental victims.
CLOP is just one of several ransomware groups based in Eastern Europe and Russia, known for extorting victims for financial gain. Rafe Pilling, director of threat research at Secureworks, suggested that CLOP’s current tactic of listing victim names on their leak site is intended to pressure those affected into paying ransoms.
As the investigation continues, the cybersecurity community is closely monitoring the situation, stressing the need for swift responses and stronger security measures to prevent future attacks of this magnitude.