A Russian cyber-extortion gang's recent global hack targeted a popular file-transfer program, compromising multiple federal agencies, including the Department of Energy. Homeland Security officials downplayed the expected impact on those agencies, describing the intrusions as relatively superficial and quickly detected. For other victims, however, spanning private industry and higher education, the repercussions are only starting to emerge.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said that discussions with industry indicate the intrusions are largely opportunistic, with no sign of a broader objective to gain persistent access or steal high-value information. Far less elaborate than the SolarWinds hacking campaign, the attack nonetheless shows why continued vigilance is needed.
The hack struck a wide range of entities, including federal agencies and state governments. While the impact on national security and government networks is not considered systemic, concerns remain. The U.S. military and intelligence community were not affected.
The Energy Department confirmed that two of its entities were compromised, and the Oregon Department of Transportation disclosed that personal information of around 3.5 million individuals had been accessed. The Cl0p ransomware syndicate, responsible for the hack, threatened to release stolen data unless a ransom was paid by the victims.
The prolific cybercrime syndicate behind the hack claimed that it would delete any data stolen from governments, cities, and police departments. A senior official from the Cybersecurity and Infrastructure Security Agency (CISA) said that only a "small number" of federal agencies were affected, but declined to name them.
The official emphasized that this was not a widespread campaign affecting numerous federal agencies. No federal agencies received extortion demands, and no data from affected agencies had been leaked online by the cybercrime syndicate, according to the official. U.S. officials currently have no evidence to suggest coordination between the syndicate and the Russian government.
Progress Software, the maker of MOVEit, notified customers about the flaw and issued a patch on May 31. However, cybersecurity researchers believe that sensitive data may already have been quietly exfiltrated from numerous companies before the fix was available, let alone applied. The senior CISA official said that industry estimates put the number of victims across the country in the several hundreds.
While federal officials encouraged victims to come forward, the lack of a federal data breach law and varying state disclosure requirements often hinder reporting. SecurityScorecard, a cybersecurity firm, detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies, but could not specify the countries involved; that figure counts exposed installations, not confirmed breaches. The Office of the Comptroller of the Currency in the Treasury Department is known to use MOVEit, but said it had found no breach of sensitive information.
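The caveat in the preceding paragraphs, that a server patched on or after May 31 may already have lost data, is the one a responder has to act on. The following added example (not code from the article, from Progress Software, or from SecurityScorecard) triages a constructed asset inventory: it separates unpatched MOVEit Transfer instances from patched ones and flags every internet-exposed instance for an exfiltration hunt over the pre-patch window, because applying the fix does not undo what happened before it shipped. The CSV layout, the hostnames and the PATCHED_MIN_VERSION threshold are assumptions; substitute the fixed build numbers from the vendor advisory before running it against a real inventory.

```python
"""Triage an asset inventory for MOVEit Transfer instances around the May 31 patch.

Added example; not code from the article, Progress Software or SecurityScorecard.
The CSV layout, hostnames and PATCHED_MIN_VERSION are constructed placeholders.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

PATCH_DATE = date(2023, 5, 31)       # date the vendor patch was issued (from the article)
PATCHED_MIN_VERSION = (15, 0, 1)     # placeholder threshold, NOT the real fixed build

# Constructed sample inventory. "exposed" means reachable from the internet;
# "patched_on" is blank when the patch date is not recorded.
INVENTORY_CSV = """hostname,product,version,exposed,patched_on
mft01.example.test,MOVEit Transfer,15.0.0.12,yes,
mft02.example.test,MOVEit Transfer,15.0.1.39,yes,2023-06-02
mft03.example.test,MOVEit Transfer,15.0.1.39,no,2023-05-31
mft04.example.test,MOVEit Transfer,15.0.1.39,yes,
sftp01.example.test,OpenSSH,9.3,yes,
"""


def parse_version(text):
    """'15.0.1.39' -> (15, 0, 1, 39). Tuples compare component-wise, so a
    four-part build sorts correctly against a three-part threshold."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Finding:
    host: str
    status: str   # "UNPATCHED" or "PATCHED"
    hunt: bool    # True when the pre-patch exposure window must be investigated
    note: str


def triage(csv_text, patch_date=PATCH_DATE, patched_min=PATCHED_MIN_VERSION):
    """Return findings for every MOVEit Transfer row, highest priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"] != "MOVEit Transfer":
            continue
        version = parse_version(row["version"])
        exposed = row["exposed"].strip().lower() == "yes"
        raw_date = row["patched_on"].strip()
        patched_on = date.fromisoformat(raw_date) if raw_date else None

        if version < patched_min:
            status = "UNPATCHED"
            note = "apply the vendor fix now"
        else:
            status = "PATCHED"
            if patched_on is None:
                note = "fixed build installed but patch date unknown; confirm from change records"
            elif patched_on > patch_date:
                note = f"patched {(patched_on - patch_date).days} day(s) after the fix shipped"
            else:
                note = "patched the day the fix shipped"

        # Exploitation preceded the patch, so every internet-exposed instance
        # needs an exfiltration hunt over the pre-patch window, patched or not.
        hunt = exposed
        if hunt:
            note += "; review transfer logs for bulk downloads before " + patch_date.isoformat()
        findings.append(Finding(row["hostname"], status, hunt, note))

    # Unpatched-and-exposed first, then anything exposed, then the rest.
    findings.sort(key=lambda f: (f.status != "UNPATCHED", not f.hunt, f.host))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY_CSV):
        print(f"{f.host:22} {f.status:10} hunt={str(f.hunt):5} {f.note}")
```

The hunt flag is deliberately independent of patch status: an instance that was internet-facing before May 31 is a candidate for pre-patch data theft whether or not it has since been fixed, which is the point the researchers quoted above are making.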
Cl0p, the hacking group responsible, has a history of targeting file-transfer products to extort companies, having previously exploited Fortra's GoAnywhere MFT and Accellion's File Transfer Appliance (FTA). Despite its claim to have deleted government data, cybersecurity experts caution against taking the criminals at their word: in previous cases, data has resurfaced on the dark web months after a ransom was paid.