
Several US government agencies have become the latest victims of a global hacking campaign exploiting a vulnerability in the widely used file-transfer software MOVEit. 

The Department of Energy and other federal agencies were among the agencies compromised in the attack, with hackers gaining access to sensitive data from potentially hundreds of US companies. 

In a statement, the US Cybersecurity and Infrastructure Security Agency (CISA) said it was “providing support to several federal agencies that have experienced intrusions.”

It declined to name the government agencies affected but told reporters that “a small number” of agencies were hit and that the breach “is not a widespread campaign affecting a large number of federal agencies.”

It is currently unclear who is behind the attack, but officials are investigating whether it could be connected to the series of other cyber attacks on British Airways, the BBC and Ofcom by the prolific Russian ransomware gang Cl0p.

The large-scale hacking campaign reportedly began around two weeks ago, with the group exploiting a vulnerability in MOVEit transfer software to access bank details and sensitive data from employees of hundreds of companies globally. 

Victims have gradually been revealed throughout the week, with Shell confirming on Thursday that it was also attacked. 

The attacks have also affected multiple state governments and higher education institutions across the U.S. Johns Hopkins University said on Wednesday that “sensitive personal and financial information” had been stolen in the MOVEit attacks.

Around a dozen US federal agencies have contracts with MOVEit, according to Politico, but as of Friday morning, officials said it does not appear any federal government data has been leaked. 

According to data collected by GovSpend, a number of government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services and arms of the Defense Department.  

It was not clear how many agencies were actively using the software.

“Opportunistic” 

Jen Easterly, director of CISA, told reporters that unlike the meticulous, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents, this campaign was short, relatively superficial and caught quickly.

Based on discussions we have had with industry partners, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information – in sum, as we understand it, this attack is largely an opportunistic one.

Jen Easterly, director of CISA

“Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she added.

Clop previously claimed responsibility for the earlier wave of breaches on its website on the dark web but is yet to reveal if it is also behind this hack. 

The group stated it had “no interest” in exploiting any data stolen from governmental or police offices and had deleted it, focusing only on stolen business information.


A senior CISA official, speaking on condition of anonymity to discuss the breach, said no federal agencies had received extortion demands and no data from an affected federal agency had been leaked online by Cl0p.

US officials “have no evidence to suggest coordination between Cl0p and the Russian government,” the official said. But cybersecurity researchers believe hundreds, if not thousands, of companies globally could already have had sensitive data quietly exfiltrated.

The cybersecurity company SecurityScorecard revealed it detected a total of 2,500 vulnerable MOVEit servers across 790 organisations, including 200 government agencies. It was not able to break down those agencies by country.

An attack on critical national infrastructure

The attack is one of several over the last few years that have targeted government agencies and public sector organisations.

Last year, hackers targeted the British National Health Service, taking services offline for months and forcing doctors and nurses to keep patient records on scraps of paper.

Suid Adeyanju, CEO of the cybersecurity firm RiverSafe, said that public sector organisations must do more to protect themselves against the ever-increasing cyber threat. 

“Once again, hackers are targeting key government departments to damage critical national infrastructure,” Mr Adeyanju said. 

“Whether it’s opportunistic attempts to exploit vulnerabilities in software or more sophisticated plans, cybercriminals will continue to target public sector organisations to steal data and cause widespread disruption.”

“Tackling this problem requires organisations to have the latest cyber defences in place and ensure that employees and all third-party software are bug-free, preventing hackers from gaining access and inflicting substantial damage,” Mr Adeyanju added.