A Russian ransomware gang breaks into the Department of Energy and other federal agencies


The Department of Energy and several other federal agencies were compromised by a Russian cyber-extortion ring in the global hack of a file-transfer program popular with corporations and governments, Homeland Security officials said Thursday, but the impact is not expected to be great.

But for others ranging from industry to higher education to hundreds of potential victims — including custodians of at least two state motor vehicle agencies — the hack had begun to show some serious effects.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, told reporters that unlike the careful, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents, which was months in the making, this campaign was small, relatively superficial and quickly caught.

“Based on discussions with industry partners … these intrusions are not being leveraged to gain broad access, gain persistence in targeted systems, or steal specific high-value information – in short, as we understand it, this attack is largely an opportunistic one,” Easterly said.

“While we are very concerned about this campaign and are working diligently on it, it is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” she said.

A senior CISA official said that neither the US military nor the intelligence community was affected. Energy Department spokesman Chad Smith said two agency entities had been compromised but did not provide further details.

Known victims include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the Nova Scotia provincial government, British Airways, the British Broadcasting Corporation and UK drugstore chain Boots. The exploited program, MOVEit, is widely used by businesses to securely share files. Security experts say the stolen data could include sensitive financial and insurance data.

Louisiana officials said Thursday that the personal information of people with driver’s licenses or vehicle registrations in the state is likely to have been exposed, including their name, address, Social Security number and date of birth. They encouraged Louisiana residents to freeze their credit to protect against identity theft.

The Oregon Department of Transportation confirmed Thursday that attackers accessed personal information, some sensitive, for about 3.5 million people who were issued state identification cards or driver’s licenses.

The Cl0p ransomware syndicate behind the hack announced on its dark web site last week that its victims, which it suggested numbered in the hundreds, had until Wednesday to make contact and negotiate a ransom or risk having their sensitive stolen data dumped online.

The gang, one of the world’s most prolific cybercrime syndicates, also claimed it would delete any data stolen from governments, cities and police departments.

The senior CISA official told reporters that a “small number” of federal agencies had been attacked – refusing to name them – and said “this is not a widespread operation affecting a large number of federal agencies.” The official, who spoke on condition of anonymity to discuss the breach, said that no federal agencies have received extortion demands and that no data from any affected federal agency has been leaked online by Cl0p.

“US officials have no evidence to suggest coordination between Cl0p and the Russian government,” the official said.

Progress Software, the American company that makes MOVEit, alerted customers to the breach on May 31 and issued a patch. But cybersecurity researchers say scores if not hundreds of companies could have had sensitive data quietly exfiltrated.

“At this point, we are looking at industry estimates of several hundred victims across the country,” said the senior CISA official. Federal officials encourage victims to come forward, but they often don’t. Disclosure requirements for hacks also vary by state. Publicly traded corporations, health care providers and some critical infrastructure providers have regulatory obligations to disclose.

Cybersecurity firm SecurityScorecard says it detected 2,500 vulnerable MOVEit servers across 790 organizations, including 200 government agencies. It said it was not able to break down those agencies by country.

According to federal contracting data, the Office of the Comptroller of the Currency at the Treasury Department uses MOVEit. Spokeswoman Stephanie Collins said the agency is aware of the hack and is monitoring the situation closely. She said it was “conducting a detailed forensic analysis of system activity and has found no indication of a breach of sensitive information.” She would not specify how the agency uses the file-transfer program.

SecurityScorecard threat analyst Jared Smith said hackers had been actively scanning for targets, penetrating them and stealing data since at least March 29.

This is not the first time Cl0p has breached a file-transfer program to gain access to data it could use to extort companies. Other examples include the GoAnywhere server in early 2023 and the Accellion file transfer application devices in 2020 and 2021.

The Associated Press emailed Cl0p on Thursday to ask which government agencies it hacked. It didn’t get a response, but the gang posted a new message on its dark web leak site: “We received a lot of emails about government data, we don’t have it, we have completely removed this information, we are only interested in business.”

Cybersecurity experts say that Cl0p criminals should not be trusted to keep their word. Allan Liska of the firm Recorded Future has said he is aware of at least three cases in which data stolen by ransomware miscreants appeared on the dark web six to 10 months after victims paid the ransom.


AP reporters Sara Cline in Baton Rouge, Louisiana, Gene Johnson in Seattle and Nomaan Merchant and Rebecca Santana in Washington contributed to this report.
