A number of U.S. government agencies have been hit by the same Russian Cl0p ransomware group that conducted the MOVEit operation last week, again exploiting the popular large file transfer system to access records and documents.
According to reports, state agencies and businesses have also been undermined by the attack. TechCrunch has reported that Cl0p has listed on its dark web site multiple financial organizations, other businesses and universities as victims of the campaign.
U.S. Department of Energy Among Victims
While the total number of U.S. government agencies hit by the campaign is unclear, the Department of Energy confirmed it was among those impacted, with two of its entities compromised. The Transportation Security Administration and the State Department said neither agency had been victimized by the operation.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber central, said the break-in was mostly “opportunistic,” did not involve “high value information” and was not widespread. As she explained:
“Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” Easterly said, referencing the 2021 Russia-linked supply chain attack that hit 11 U.S. agencies and hundreds of businesses worldwide by leveraging managed service providers to gain network access.
Separately, Eric Goldstein, CISA’s assistant director, told CNN that the agency is “working urgently” to understand its impact and necessary remediations.
Cl0p (aka TA 505) is known for its multi-million-dollar ransom demands, but to this point the cyber gang has yet to lay down its terms, reports said. Previous reports have indicated that the operatives have been exploiting a security flaw in MOVEit, which businesses use to transfer files over the internet, since 2021. Progress Software, which develops MOVEit, has since patched the vulnerability, once on May 31 and again on June 9.
Progress posted a blog on Tuesday, June 13, in which it said it is working with third-party experts to further investigate the code exploit:
“The investigation of the MOVEit Transfer and MOVEit Cloud vulnerability (CVE-2023-34362) we previously reported remains ongoing. In an effort to increase the security of the MOVEit platform and its customers, we are partnering with third-party cybersecurity experts to conduct additional detailed code reviews.”
Progress also said that it had “strongly urged” its MOVEit Transfer customers to immediately apply the latest patch:
“As of June 9, 2023, we have taken immediate action, developing and releasing a new patch to address the June 9 reported issue (CVE-2023-35036) and have deployed that patch to MOVEit Cloud. We have also communicated to MOVEit Transfer customers the steps they must take to apply the patch and harden their MOVEit Transfer environments. We will continue to update our Security Center if and when additional information becomes available.”
Illinois, Minnesota, Nova Scotia Governments Attacked
Cl0p last week initiated a blitz that upended the computer networks of the states of Illinois and Minnesota, the British Broadcasting Company (BBC), British Airways, the government of Nova Scotia, Canada, Shell Oil, a retail chain in the U.K. and the Walgreens pharmacy, among other entities. The syndicate gave victims of those attacks until June 14 to respond to its ransom demands.
At first glance, the attack on U.S. agencies was thought to be an exfiltration operation to sell stolen data on the open market. But CNN reported that as of Thursday, June 15, Cl0p’s dark web site had not listed any U.S. federal agencies among its targets but had made a general reference to government and local services victims:
“If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
U.S. cyber officials estimate that Cl0p is responsible for compromising some 3,000 U.S.-based organizations and 8,000 global organizations.
What Cybersecurity Experts are Saying
Cybersecurity experts have begun to weigh in on the intrusions. Here are a few comments:
Erich Kron, security awareness advocate at KnowBe4, commented:
“If this was one of the Cl0p affiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government. Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies. Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams.”
Tom Marsland, Cloud Range vice president of technology, said:
“Many agencies falling victim to attacks today, however, appear to be compromised due to the previously released vulnerabilities that had patches released on May 31 and June 9. This again goes to emphasize the importance of a robust vulnerability management and asset tracking system and highlights the gap in not having enough skilled professionals in the cybersecurity industry. These vulnerabilities had already been identified and patches released but were not remediated. This reiterates the need for a robust vulnerability management program and goes to highlight the importance of the basic fundamentals necessary in cybersecurity.”
Arnie Lopez, Skyhigh Security vice president of worldwide systems engineering, said:
“The latest update in the MOVEit exploitation saga – that several U.S. federal government agencies were compromised – makes it clear that this is a far-reaching cyberattack. While the full ramifications of this incident have yet to be disclosed, we already know the truth: once data has been breached, you can’t protect it, and once it has been leaked, you can’t retroactively “threat hunt” for it. This is why data protection is heavily dependent on proactive data discovery, identification and classification.”
UPDATE: On June 12, Oregon Department of Transportation officials confirmed that the MOVEit hackers had hit its network and lifted some sensitive information of 3.5 million holders of Oregon driver's licenses. Because the agency said it does not have the ability to identify whether any specific individual's data has been breached, individuals are advised to assume their information has been accessed, officials said.
Separately, Louisiana Governor John Bel Edwards announced in a statement that the personal details of every holder of a driver’s license in the state had been exposed to the same MOVEit hackers. Officials believe that more than 4.6 million residents have had their names, addresses, social security numbers, driver's license numbers, birthdates, and other sensitive information hijacked.
The U.S. State Department is offering a $10 million bounty for information on the Cl0p ransomware gang, which is blamed for broad exploitation of the MOVEit Transfer vulnerabilities, with victims that include federal agencies, according to Cybersecurity Dive.
MSSP Alert will continue to follow this story and will update it as more news comes to light.