UCLA, Siemens Energy latest MOVEit victims to confirm breaches
Several new victims of a widespread attack that exploited a popular file transfer tool have come forward in recent days to confirm breaches, joining more than 100 organizations around the world affected by the hacking campaign.
The University of California, Los Angeles (UCLA) told Recorded Future News that it uses the MOVEit Transfer tool at the center of the attacks, and said its IT security team discovered on June 1 that it was targeted. U.S. government officials have said the Clop ransomware gang, which has ties to Russia, is behind the attacks.
“UCLA immediately activated its incident response procedures, fixed the vulnerability using the security patch issued by Progress Software, and enhanced monitoring of the system,” a spokesperson said.
“The university notified the FBI and worked with external cybersecurity experts to investigate the matter and determine what happened, what data was impacted and to whom the data belongs. All of those who have been impacted have been notified. This is not a ransomware incident. There is no evidence of any impact to any other campus systems.”
UCLA was added to Clop’s list of victims on Monday evening alongside several high-profile organizations like Siemens Energy and AbbVie, one of the world’s largest biomedical companies.
A spokesperson for Siemens Energy confirmed that the company was among those targeted but said their current analysis of the incident found that “no critical data has been compromised.”
“Our operations have not been affected. We took immediate action when we learned about the incident,” the spokesperson said.
AbbVie was unable to send an official statement by the time of publication, but a person familiar with the matter confirmed that the company was affected by the MOVEit vulnerability.
The company is still investigating what data was accessed but said MOVEit was used in a “limited deployment” across its network and that law enforcement has been contacted about the incident.
Schneider Electric, one of the world’s largest digital automation companies, confirmed it uses the software and said it is investigating what data may have been accessed.
“On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely,” a spokesperson said.
“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well.”
Allegiant Air and NYC Public School breaches
While not named by the Clop ransomware group, low-cost airline Allegiant Air and New York City’s public school system announced in recent days that they were impacted by the MOVEit fiasco.
Allegiant Air filed a data breach notification with regulators in Maine confirming that 1,405 people had information accessed through the exploitation of the MOVEit tool.
In letters to victims, the company said it uses MOVEit to share and transfer files between Allegiant and vendors, government agencies, and individuals.
By June 12, the company determined that the hackers downloaded names, addresses, dates of birth and Social Security numbers of people connected to the firm. The company did not respond to requests for comment about whether those affected were employees or customers, but the letters say law enforcement agencies were notified of the incident.
On Saturday, New York City Department of Education Chief Operating Officer Emma Vadehra sent a letter to parents and students confirming that they used MOVEit to transfer documents and data internally as well as to and from vendors, including third-party special education service providers.
“We also conducted an internal investigation, which revealed that certain DOE files were affected. Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization,” Vadehra said, adding that about 9,000 Social Security numbers were impacted.
Vadehra said that victims will be contacted when their investigation confirms exactly who had confidential information leaked.
She noted that the FBI is investigating the “broader breach that has impacted hundreds of entities” and that the New York City Department of Education is working with “both the NYPD and FBI as they investigate.”
Several other organizations have come forward in recent days to confirm that data in their systems was accessed by hackers exploiting MOVEit. The largest public pension fund in the U.S. – California’s Public Employees' Retirement System (CalPERS) – said last week that hundreds of thousands of people had sensitive information stolen.
US financial services company, Jackson Financial (@JacksonNational), has been impacted by the #MOVEit zero-day vulnerability. The company also disclosed a #databreach that occurred through a 3rd service provider, which was also affected by the #MOVEit hack... pic.twitter.com/0b1LS4qyba
— BetterCyber (@_bettercyber_) June 27, 2023
At least three federal U.S. agencies — the departments of Energy and Agriculture as well as the Office of Personnel Management — were affected by the issue. CISA Director Jen Easterly said “several” federal agencies were impacted but would not say how many.
In addition to the federal agencies, organizations affected include:
- U.S. state-level agencies in Illinois, Missouri, Minnesota, Colorado, Oregon and Louisiana
- Oil giant Shell
- Canadian government bodies in Nova Scotia
- Schools like Johns Hopkins University, the University of Georgia, the University of Rochester and the University of Missouri
- Organizations in the U.K., like communications regulator Ofcom, the BBC, British Airways, Irish carrier Aer Lingus and pharmacy chain Boots
- Cybersecurity giant Gen
- The Metro Vancouver Transit Police
- “Big Four” accounting firms PricewaterhouseCoopers and EY
Progress Software, the company behind MOVEit, earlier this month announced two new vulnerabilities in the file transfer product requiring urgent remediation. The company is now also facing a federal class action lawsuit over its handling of the fiasco, according to Bloomberg News.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.