The mass exploitation of a critical vulnerability in a widely used file-transfer program continues to escalate. Within the past few days, at least three additional victims have been identified: the New York City Department of Education and the energy companies Schneider Electric and Siemens Energy.
The extent of the hacking spree indicates that approximately 122 organizations have been breached so far, with the personal data of approximately 15 million individuals being compromised. Brett Callow, a threat analyst at antivirus company Emsisoft, provided these estimates based on posts made by the criminal group responsible and disclosures from the victims.
Microsoft has linked the attacks to a Russian-speaking ransomware syndicate known as Clop. The root cause is a zero-day vulnerability in MOVEit Transfer, a file-transfer service from Progress Software that is offered in both cloud-hosted and on-premises versions.
The first signs of the exploitation wave appeared on May 27. Four days later, Progress released a patch for the vulnerability, tracked as CVE-2023-34362, a SQL injection flaw in the MOVEit web application. Even with the patch available, some MOVEit users continued to be compromised because they had not yet installed it on their networks.
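To show the class of bug behind CVE-2023-34362, here is an added illustration of a SQL injection flaw and its fix. It is generic example code written for this page, not MOVEit's code or Progress's patch: the table, the users, and the payload string are constructed for the demonstration, and the point is how string concatenation lets attacker input change the query's structure while a bound parameter does not.

```python
import sqlite3

# Constructed sample data for the demo; not MOVEit's schema or data.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.test"),
    ("bob", "Bob Example", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, realname TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: the caller-controlled value is spliced into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Safe: the value is bound as a parameter, so quotes in it stay data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"


def demo():
    """Run the same payload through both versions and return the row sets."""
    conn = make_db()
    return {
        # Concatenated query becomes ... WHERE username = 'nobody' OR '1'='1'
        # and returns every row in the table.
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        # Parameterised query looks for a user literally named "nobody' OR '1'='1".
        "hardened": lookup_hardened(conn, PAYLOAD),
        # The hardened version still works for a legitimate username.
        "hardened_legit": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The injected condition turns a single-user lookup into a full table dump, which is the same shape of failure that lets an unauthenticated request against a vulnerable web front end read or modify data it should never see. The hardened form needs no input filtering at all: the database driver transmits the parameter separately from the statement, so no quoting trick can alter what the statement does.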
Among the first confirmed victims were the payroll service Zellis and the Canadian province of Nova Scotia. Zellis customers, including British Airways, the BBC, Aer Lingus, Ireland's HSE, and the UK retailer Boots, had their data stolen through the breach of the payroll provider. Other victims have since emerged, including two Department of Energy entities, the US states of Missouri and Illinois, the American Board of Education, Extreme Networks, and Ofcom.
The attacks have also resulted in the theft of driver’s license data for millions of citizens in Oregon and Louisiana. There are indications that the Department of Agriculture may have been affected as well, according to reports from CNN.
On Tuesday, the Clop group named Siemens Energy as another victim, and the company later confirmed the breach, stating that no critical data had been compromised and that its operations were not affected. Schneider Electric was also identified as a victim; the company said it promptly deployed mitigations to secure its data and infrastructure.
The New York City Department of Education announced on Saturday that it had also fallen victim to the Clop campaign. Preliminary investigations revealed that approximately 45,000 students, along with DOE staff and related service providers, were affected. Unauthorized access occurred to around 19,000 documents, including Social Security Numbers and employee ID numbers, though not necessarily for all affected individuals.
Clop, a prolific Russian-speaking ransomware group, recently exploited another critical vulnerability, CVE-2023-0669, in a different file-transfer product, GoAnywhere. That separate spree affected more than 100 organizations, including the data security company Rubrik and Community Health Systems, one of the largest US hospital chains. Through the Community Health Systems breach, Clop obtained health information for roughly 1 million patients.