The U.S. government has acknowledged that several federal agencies have been targeted in cyberattacks that exploit a security vulnerability found in a popular file transfer tool.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the intrusions in a statement provided to TechCrunch. The attacks were attributed to the Clop ransomware gang, believed to be linked to Russia. The group recently began revealing the names of organizations it claims to have hacked by exploiting the vulnerability in the file transfer tool, called MOVEit Transfer, developed by Progress Software.
CISA did not disclose the exact number of affected agencies; CNN was the first to report on the attacks. The agencies impacted were not named, but the Department of Energy confirmed that two of its entities were breached.
The Federal News Network identified Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico as the affected entities. These breaches exposed the personally identifiable information of potentially tens of thousands of individuals, including Energy employees and contractors.
“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” a DOE spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”
The Federal Data Procurement System indicates that approximately twelve other U.S. agencies have active contracts with MOVEit, including the Department of the Army, the Department of the Air Force, and the Food and Drug Administration.
CISA Director Jen Easterly stated in a press conference that the agency is working urgently with the affected agencies to understand the impact and implement timely remediation. Although it is still uncertain if data has been stolen, Easterly mentioned that the intrusions do not appear to be focused on stealing specific high-value information or gaining persistence in targeted systems.
“In sum, as we understand it, this attack is largely an opportunistic one,” Easterly said. “In addition, we are not aware of Clop actors threatening to extort or release any data stolen from U.S. government agencies.”
In an update on their dark web leak site, Clop declared that government data had been erased, and no government agencies have been listed as victims so far.
However, Clop added more victims to their list, claiming that they have compromised organizations such as the Boston Globe, East Western Bank based in California, Enzo Biochem located in New York, and Nuance, an AI firm owned by Microsoft. When contacted, Enzo declined to comment, and the other companies mentioned have not responded to inquiries.
Just a day earlier, Clop had released the initial list of impacted organizations, which included U.S.-based financial services firms 1st Source and First National Bankers Bank, as well as the U.K. energy company Shell.
As new victims are being discovered, Progress Software has rushed to address another vulnerability affecting MOVEit Transfer. The company warned customers in an advisory that this vulnerability, identified as CVE-2023-35708, could result in unauthorized access to customer environments.