The latest global cyberattack has hit multiple U.S. government agencies that widely use a file transfer service, federal officials announced on Thursday. The agencies join a string of recent hacks on private organizations that have been largely blamed on a Russian-speaking criminal group.
The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”
Thus far, the government hasn’t received any ransom demands or observed any data leaks, and users of MOVEit can now install a patch to eliminate the software vulnerability used by hackers, the CISA official said. The Energy Department said the agency “took immediate steps to prevent further exposure to the vulnerability.”
The federal government has not blamed any particular individual for the breaches though several recent attacks that exploited MOVEit have been claimed by ransomware group CLOP.
Organizations affected by previous attacks on MOVEit, in a few cases through attacks on their payroll provider, include the Shell oil company, the BBC, British Airways, Johns Hopkins University and the state of Minnesota.
CISA’s response comes as Progress Software, the US firm that makes the software exploited by the hackers, said it had discovered a second vulnerability in the code that the company was working to fix.
The hacks have not had any “significant impacts” on federal civilian agencies, CISA Director Jen Easterly told reporters, adding that the hackers have been “largely opportunistic” in using the software flaw to break into networks.
The hacking spree puts clear pressure on federal officials, who have vowed to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.
“We have communicated with customers on the steps they need to take to further secure their environments and we have also taken MOVEit Cloud offline as we urgently work to patch the issue,” the company said in a statement.
Agencies were much quicker on Thursday to deny they had been affected by the hacking than to confirm they were. The Transportation Security Administration and the State Department said they had not been hacked.
The Department of Energy “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised, the department spokesperson said.
“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement.
Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that “sensitive personal and financial information,” including health billing records may have been stolen in the hack.
Meanwhile, Georgia’s statewide university system confirmed it was investigating the “scope and severity” of the hack.
More groups now have access to the MOVEit attack code, which was earlier held only by Russian hackers.
The hackers had given victims until Wednesday to pay the ransom, after which they began listing more alleged victims of the hack on their extortion site on the dark web. The hackers wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
The CLOP ransomware group is one of numerous gangs in Eastern Europe and Russia that are almost exclusively focused on wringing their victims for as much money as possible.
“The activity we’re seeing at the moment, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” said Rafe Pilling, director of threat research at Dell-owned Secureworks.