Government agencies in the United States have been targeted in a widespread, global cyber assault

According to a top US cybersecurity agency, multiple federal government agencies in the United States have been targeted in a global cyberattack conducted by Russian cybercriminals. The attack exploits a vulnerability in widely used software called MOVEit. The US Cybersecurity and Infrastructure Security Agency (CISA) is providing assistance to the affected federal agencies and working urgently to understand the extent of the impact and facilitate timely remediation.

The cyberattack has also potentially affected several hundred companies and organizations in the US, according to estimates from private experts cited by a senior CISA official. The ransomware gang allegedly responsible for the attack is known as Clop, which typically demands multimillion-dollar ransoms. However, no ransom demands have been made to federal agencies so far.

The software manufacturer, Progress Software, has discovered a second vulnerability in the code and is actively working on a fix. The Department of Energy has confirmed being one of the breached federal agencies. Although the hacks have not caused significant impacts on federal civilian agencies, CISA Director Jen Easterly mentioned that the hackers have been opportunistic in exploiting the software flaw to gain unauthorized access to networks.

These cyberattacks are part of a broader hacking campaign that started two weeks ago and has targeted major US universities, state governments, and other entities. The increasing number of victims puts pressure on federal officials to address the issue of ransomware attacks, which have disrupted schools, hospitals, and local governments across the country.

The hackers have been exploiting a vulnerability in the MOVEit software, used by companies and agencies for data transfer, since late last month. Progress Software has communicated with its customers about securing their environments and has taken its MOVEit Cloud service offline to patch the issue.

Some federal agencies, such as the Transportation Security Administration and the State Department, have denied being victims of the cyberattack. The Department of Energy took immediate steps to mitigate the impact after discovering that records from two entities within the department had been compromised.

Other victims of the cyberattack include Oak Ridge Associated Universities, a research center, and a contractor associated with the Department of Energy’s Waste Isolation Pilot Plant in New Mexico. Johns Hopkins University and Georgia’s state-wide university system are also investigating the scope and severity of the hack.

The ransomware group Clop has claimed credit for some of the attacks, which have also affected employees of organizations such as the BBC, British Airways, Shell, and state governments in Minnesota and Illinois. While the Russian hackers were the first to exploit the MOVEit vulnerability, it is possible that other groups now have access to the software code required for similar attacks.

The Clop ransomware group initially set a deadline for victims to contact them regarding ransom payment but later began listing alleged victims on their dark web extortion site. As of now, no US federal agencies are listed on the site, and the hackers have claimed that they have erased the data of government, city, and police services and have no intention of exposing it.

Clop is part of a larger trend of ransomware groups primarily operating in Eastern Europe and Russia, focused on extorting money from their victims. Adding company names to their leak site is a tactic used to intimidate victims into paying the ransom.