‘Several’ US federal agencies affected by MOVEit breach

Top U.S. cybersecurity officials confirmed Thursday that several federal agencies have been impacted by cyberattacks on the widely used MOVEit file transfer tool.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told reporters that her team and the FBI are working to provide assistance to federal agencies that used MOVEit, which is being exploited by the Russia-based Clop ransomware gang in a widespread breach that appears to have compromised dozens of entities.

“We’ve been working closely with Progress Software [which makes MOVEit], the FBI and our federal partners to understand its prevalence within federal agencies,” she said. Earlier in the day, CNN first reported that several government agencies were compromised in the hacks. Easterly said that CISA is providing support to “several agencies that have experienced intrusions of their MOVEit applications.”

“We are working urgently to understand impact and ensure timely remediation. At this time, we are not tracking significant impact to the civilian .gov enterprise, but are continuing to work with our partners on this,” she said.

Easterly said that as far as the U.S. government is aware, the Clop ransomware group is only stealing information that was “specifically being stored on the file transfer application at the precise time the intrusion occurred.”

The vulnerabilities in MOVEit are not being used to gain broader access to federal systems or steal specific, high-value information, she added, calling the campaign “largely an opportunistic one.” CISA is also not aware of Clop attempting to extort or leak data stolen from the U.S. government.

“Although we are very concerned about this campaign and are working on it with urgency this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s network,” she said, referring to a 2020 hack by Russian actors in which at least nine government agencies were breached.

Officials declined to name the agencies affected by the breach, or to say how many, only saying it was a “small number,” but the Department of Energy did confirm to Recorded Future News that it was impacted by a data breach, following reports earlier in the day by CyberScoop and Federal News Network.

“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency,” they said.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

Sources told the Federal News Network that the Energy Department organization Oak Ridge Associated Universities, and the Waste Isolation Pilot Plant in Carlsbad, New Mexico, had data accessed through MOVEit.

The Waste Isolation Pilot Plant is the nation’s only repository for the disposal of transuranic waste generated by atomic energy defense activities.

A State Department spokesperson told Recorded Future News that they “are aware of these reports and have no comment at this time.” In response to an inquiry, the Department of Interior said it was not affected.

Tim Gorman, spokesperson for the Office of the Secretary of Defense, said the agency cannot discuss the status of their networks “as a matter of policy and for reasons of operations security.”

“However, we recognize the serious nature of new and emerging cyber threats and vulnerabilities and frequently adjust our information infrastructure and cyber defenses to ensure we remain resilient and operationally effective in the face of increasingly sophisticated and capable adversaries,” he said.

Several other U.S. departments and agencies did not respond to requests for comment.

A Russia connection?

A senior CISA official told reporters the Clop ransomware gang has been known to them for years due to their previous exploitation of vulnerabilities affecting other popular file transfer services like Accellion and Fortra’s GoAnywhere.

They published an advisory last week about the issue and ordered federal agencies to remediate it by June 23.

The official noted that they are moving to ensure that similar products and applications are “appropriately hardened” in an effort to “reduce the likelihood and prevalence of these kinds of intrusions.”

Even though Clop actors are based in Russia, there is no evidence of coordination between the group and the country’s government, the official explained, adding that they are not in communication with the group and have not seen any other hacking group exploit the vulnerability.

“No federal agencies to this point have received extortion demands and no federal data had been leaked,” the official said.

In a message posted on Clop's leak site, the group claimed to have deleted all government-connected information.

“Our assessment is that the majority of intrusion activity occurred in the days shortly after [Progress’] disclosure, which is why we moved so quickly at CISA to drive national mitigation and provide targeted notifications to vulnerable organizations,” the CISA official said. They added there are likely hundreds of victims across the U.S. affected by the issue, several of which have already come forward.

Oil giant Shell said it was impacted by the issue, and there have been a number of other victims in the United Kingdom, including the BBC, airlines British Airways and Aer Lingus, the pharmaceuticals retailer Boots, and even the country’s communications regulator Ofcom.

U.S. state agencies in Illinois, Missouri and Minnesota said they are investigating potential data breaches related to MOVEit. The government of Nova Scotia and the University of Rochester were the first victimsto be identified in North America.

Several universities have also been attacked. Both the University of Georgia and Johns Hopkins University confirmed to Recorded Future News that they were affected by the breach.

Johns Hopkins said some information from employees, students, and patients was accessed but electronic health records were not.

The University of Georgia said it is “evaluating the scope and severity of this potential data exposure.”

BORN Ontario, the provincial perinatal, newborn and child registry released an advisory letting patients know it was also affected.

On Thursday evening, Progress Software announced that there was a third vulnerability affecting the MOVEit software, following the notice about a second issue last week.